From 650f14cbb370610d3d4b715a9333c2841f531773 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=81lex=20Ruiz?=
Date: Tue, 12 Nov 2024 12:24:43 +0100
Subject: [PATCH] Migrate master to 2.17.1 (#530)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Init wazuh-indexer (#3)
* Update CODEOWNERS
* Update README.md and SECURITY.md
* Add Wazuh configuration files
* Update README.md

Signed-off-by: Álex Ruiz

* Create codeql.yml

Signed-off-by: Álex Ruiz

* Update dependabot.yml

Signed-off-by: Álex Ruiz

* Update SECURITY.md (#30)

Signed-off-by: Álex Ruiz

* Add ECS mappings generator (#36)
* Add ECS mappings generator, documentation and files for vulnerability detector
* Add event generator script
* Update template settings

---------

Signed-off-by: Álex Ruiz

* Add default query fields to vulnerability detector index (#40)
* Add ECS mappings generator, documentation and files for vulnerability detector
* Add event generator script
* Add default query fields

---------

Signed-off-by: Álex Ruiz

* Create gradle_build.yml

Signed-off-by: Álex Ruiz

* Update gradle_build.yml
Signed-off-by: Álex Ruiz

* Add a script to configure the rollover policy (#49)
* Update ISM init script (#50)
* Fix bug with -i option (#51)
* Fix bug with -i option
* Improve error handling
* Update min_doc_count value (#52)
* Improve ISM init script (#57)
* Improve ISM init script
* Change log file path
* Update distribution files (#59)
* Update config files
* Add VERSION file
* Update documentation of the ECS tooling (#67)
* Add workflow for package generation (#65)
* Ignore artifacts folder
* Update build script
  - Updated to v2.11.0 version.
  - Skipped compilation of the plugins
  - The artifact name is sent to a text file, to access it easily in GitHub Actions.
* Add GH action to build min packages
* Remove commented code
* Remove unused code
* Add docker compose environment (#66)
* Add very basic Docker environment
  That will do for now
* Add latest changes
* Update Docker environment
  - Remove build.md which was included by mistake.
  - Improve dev.sh script.
  - Update .gitignore to exclude artifacts folder.
  - Create .dockerignore file.
  - Replace get_version.sh script with inline command.
  - Reduce image size by using alpine as base image.

---------

Signed-off-by: Álex Ruiz

* Rename packages to wazuh-indexer (#69)
* Rename packages to wazuh-indexer
* Include VERSION file into packages
* Apply Wazuh version to packages names
* Improve build.sh script
  Apply suggestions from ShellCheck
* Update vulnerability index mappings (#75)
* Remove 'events' ECS field
* Add 'wazuh' custom field
* Update event_generator.py for vulnerability detector
* Update `indexer-ism-init.sh` (#81)
  Updates the script to upload the wazuh-template.json to the indexer.
Signed-off-by: Álex Ruiz

* Add workflow to assemble packages (#85)
* Add script to assemble arm64 and x64 archives (tar)
* Cleanup
* Update config file with latest upstream changes
* Change packages maintainer information
* Fix wrong substitution of config files
* Update dockerignore to ignore git folder
* Update wazuh-indexer.rpm.spec
  Remove unnecessary echo commands
* Add wazuh-indexer-performance-analyzer.service
  Required to assemble RPM. The plugin does not install this file, so it needs to be added manually.
* Update assemble.sh
  Successfully assemble RPM x64. Runner needed for arm64
* Update `build.yml`
* Add WIP documentation for packages' generation
* Test new approach using reusable workflows
* Fix errors
* Restructure reusable workflow
* Fix upload and download paths
* New try
  - Adds a reusable workflow to return the version of Wazuh set in source code.
  - Attempt to dynamically generate artifacts name to normalize them for usage between jobs.
  - Adds revision as input for the workflow.
  - Cleanup
* Emulate assemble to test upload of the reusable assembly workflow
* Add Caching Gradle dependencies
* Remove extra '-' in the packages names on the assembly job
* Final cleanup
* Enable RPM package assemble
  Remove unused code
* Fix regex to get package name
* Fix download-artifact destination path
* Exclude unimplemented deb assembly
  Extend example to run with Act
* Fix yellow cluster state (#95)
* Add template and settings to disable replicas on ISM plugin internal indices
* Fix documentation
  Replaces exit 1 statements with return 1
* Fix uncommented comment line
* Update ism-init script (#97)
* Update ism-init script to parametrize the path of the wazuh-template

---------
Signed-off-by: Álex Ruiz

* Add tools to assemble DEB packages (#96)
* Add tools to assemble DEB packages
* Move wazuh-indexer-performance-analyzer.service to common
* Enable assembly of DEB packages
* Enable full set of plugins
* Actually skip tar assembly
* Add installation of dependencies for DEB assembly
* Install dependencies using sudo
* Format files
* Refactor assemble script
* Update README.md

Signed-off-by: Álex Ruiz

* Build scripts and GH workflows artifacts naming fix (#112)
* Build scripts and GH workflows artifacts naming fix
* Add git to dev docker image
* Fixing jobs' inputs and outputs
* remove name input from r_assemble.yml
* Setting qualifier to 1 when not specified
* Add revision flag to scripts and workflow
* Fix copying of packages at assemble.sh
* Use suffix variable instead of architecture
* Fix suffix name in assemble.sh
* Mix solutions to comply with the package naming convention
* Remove unused code
* Use correct name for assembled package
  Remove code no longer needed
* Remove outdated comments

---------

Co-authored-by: Álex Ruiz

* Use short SHA as Git reference in packages naming (#100)
* Switching to short SHA commit form in package names

Signed-off-by: Fede Tux

* Update r_commit_sha.yml

Signed-off-by: Federico Gustavo Galland <99492720+f-galland@users.noreply.github.com>

* Update r_commit_sha.yml

Signed-off-by: Álex Ruiz

---------

Signed-off-by: Fede Tux
Signed-off-by: Federico Gustavo Galland <99492720+f-galland@users.noreply.github.com>
Signed-off-by: Álex Ruiz
Co-authored-by: Fede Tux
Co-authored-by: Álex Ruiz

* Remove unneeded files from assembled packages (#115)
* add remove files function to assemble.sh
* Remove unneeded files on assembled tar packages
* Remove duplicated function
  Fix wrong variable assignment

---------

Co-authored-by: Álex Ruiz

* Add missing tools and files back into Wazuh Indexer packages (#117)
* add remove files function to assemble.sh
* Remove unneeded files on assembled tar packages
* Remove duplicated function
  Fix wrong variable assignment
* Adding function to package Wazuh's tools to assemble.sh
* Make the files' versions follow the repo's VERSION file
* Fix download of Wazuh tools for packages assembly

---------

Signed-off-by: Álex Ruiz
Co-authored-by: Álex Ruiz

* Remove unneeded symbolic links from assembled packages (#121)
* Update issue templates (#127)
* Fix RPM package references to /var/run (#119)
* Switch /var/run references to /run
* Remove unneeded files from assembled packages (#115)
* add remove files function to assemble.sh
* Remove unneeded files on assembled tar packages
* Remove duplicated function
  Fix wrong variable assignment

---------

Co-authored-by: Álex Ruiz

* Add missing tools and files back into Wazuh Indexer packages (#117)
* add remove files function to assemble.sh
* Remove unneeded files on assembled tar packages
* Remove duplicated function
  Fix wrong variable assignment
* Adding function to package Wazuh's tools to assemble.sh
* Make the files' versions follow the repo's VERSION file
* Fix download of Wazuh tools for packages assembly

---------

Signed-off-by: Álex Ruiz
Co-authored-by: Álex Ruiz

* Remove unneeded symbolic links from assembled packages (#121)
* Remove reference to install_demo_configuration.sh

---------
Signed-off-by: Álex Ruiz
Co-authored-by: Álex Ruiz

* Removing post-install message from wazuh-indexer.rpm.spec (#131)
* Add tests to the packages building process (#132)
  Runs the workflow on pull request changes
* Get Wazuh version from VERSION file (#122)
* Add function to look for VERSION in the correct path
* Update assemble.sh
  Adds wget as dependency
* Download files using curl instead of wget
* Update assemble.sh
  Revert assembly with minimal plugins for testing

Signed-off-by: Álex Ruiz

* Add Dockerfile and docker-compose for the package assembly stage
* Assemble packages with minimal plugin set when "test" variable is set to "true"
* Update README with assemble.sh docker image
* Fixing env variable naming convention and removing wget dependency
* Improve Docker environments
  Adds environments to build packages
* Fix small typos
* More fixes
* Add documentation
* Adding -p flag to mkdir so it doesn't fail when the folder is already present
* Format files

---------
Signed-off-by: Álex Ruiz
Co-authored-by: Álex Ruiz

* Removing /usr/share/lintian/overrides/wazuh-indexer from deb packages (#130)

Co-authored-by: Álex Ruiz

* Add `wazuh-template.json` to packages (#116)
* Download wazuh-template.json from wazuh/wazuh repo
* Add wazuh-template.json to RPM package spec
* Setting wazuh-template.json attributes to 660
* Change wazuh-template.json attributes in debmake_install.sh
* Put template download command within a function
* Small fixes and format
* Apply correct file permissions to the wazuh-template.json

---------

Co-authored-by: Álex Ruiz

* Adding Debian packaging config files from Opensearch (#118)
* Adding debian packaging config files from Opensearch
* Copy debian/ folder to the build dir for debmake to parse
* Remove redundant steps from debian/postinst

---------

Co-authored-by: Álex Ruiz

* Fix Build workflow to run on push events (#134)
* Run workflow on push
* Set build workflow inputs to required
* Normalize the use of quotes for the build workflow inputs
* Add ternary operator
* Add missing ternary operator
* Use maven for plugin download (#139)
* Fine tuning permissions on RPM spec file
* Get plugins using maven
* Rolling back changes to spec file
* Format files

---------

Co-authored-by: Álex Ruiz

* Add new custom field to the vulnerability detector index (#141)
* Add new custom field to the vulnerability detector index
* Update event generator tool
* Remove base.labels ECS field from wazuh-states-vulnerabilities index mappings
* Fine tuning permissions on assembled packages (#137)
* Fine tuning permissions on RPM spec file
* Build a list of files to be packaged excluding items that need special permissions
* Fix bad permissions on directories
* Remove system directories from packaging definition
* Changing permissions on deb packages
* Skip unneeded dh_fixperms stage in debian/rules
* Clean & format

---------

Co-authored-by: Álex Ruiz

* Init. Amazon Security Lake integration (#143)
* Init. Amazon Security Lake integration

Signed-off-by: Álex Ruiz

* Add events generator tool for `wazuh-alerts` (#152)
* Add events generator tool for wazuh-alerts
* Fix typo in README.md

Signed-off-by: Álex Ruiz

* Make timestamps timezone aware

---------

Signed-off-by: Álex Ruiz
Co-authored-by: Fede Tux

* Add `wazuh.manager.name` to VD mappings (#158)
* Create compatibility_request.md (#163)
Signed-off-by: Álex Ruiz

* Add Python module to accomplish OCSF compliant events (#159)
* Adding Python script that receives a continuous json stream over stdin and outputs parquet to Security Lake
* Adding logstash pipeline for python script
* encode_parquet() function fixed to handle lists of dictionaries
* Correct error in encode_parquet()
* Avoid storing the block ending in the output buffer
* Add comments on handling files and streams with pyarrow for future reference
* Add s3 handling reference links
* Write parquet directly to bucket
* Added basics of map_to_ocsf() function
* Minor fixes
* Map alerts to OCSF as they are read
* Add script to convert Wazuh events to OCSF
  Also adds a simple test script
* Add OCSF converter + Parquet encoder + test scripts
* Update .gitignore
* Include the contents of the alert under unmapped
* Add support for different OCSF schema versions
* Use custom ocsf module to map alerts
* Modify script to use converter class
* Code polish and fix errors
* Remove unnecessary type declaration from debug flag
* Improved parquet encoding
* Initial commit for test env's docker-compose.yml
* Remove sudo references from docker-compose.yml
* Add operational Python module to transform events to OCSF
* Create minimal Docker environment to test and develop the integration.
* Fix events-generator's Inventory starvation
* Remove files present in #147
* Cleanup
* Add FQDN hostnames to services for certificates creation
* Add S3 Ninja (Mock) (#165)
* Setup certificates in Wazuh Indexer and Logstash containers (#166)
* Add certificate generator service
* Add certificate config to docker compose file
* Use secrets for certificates
* Disable permission handling inside cert's generator entrypoint.sh
* Back to using a bind mount for certs
* Have entrypoint.sh generate certs with 1000:1000 ownership
* Correct certificate permissions and bind mounting
* Add security initialization variable to compose file
* Fix permissions on certs generator entrypoint
* Add cert generator config file
* Remove old cert generator dir
* Set indexer hostname right in pipeline file
* Roll back commented code

---------

Signed-off-by: Álex Ruiz
Co-authored-by: Álex Ruiz

* Fix Logstash pipelines
* Remove unused file
* Implement OCSF severity normalize function

---------

Signed-off-by: Álex Ruiz
Co-authored-by: Fede Tux
Co-authored-by: Federico Gustavo Galland <99492720+f-galland@users.noreply.github.com>

* Update Gradle setup action (#182)
* Attempt to automate package's testing
* Fix typo
* Update setup gradle action
* Remove file from another PR
* Update build.yml

Signed-off-by: Álex Ruiz

---------

Signed-off-by: Álex Ruiz

* Update vulnerability-states fields (#177)
* Update vulnerability-states fields
  Adds wazuh.schema.version
* Update events generator
* Automate package's testing (#178)
* Attempt to automate package's testing
* Fix typo
* Add sudo
* Split test steps and manage errors
* Add --no-pager to journalctl
* Add certs generator
* Improve error handling
* Update r_test.yml
  Fix indentation
Signed-off-by: Álex Ruiz

* Fix error handling
* Add testing of RPM packages
* Improve multi-os testing
* Add TEST env var
* Add braces to if conditionals
* Remove all curly braces from if conditionals
* braces again
* Install RPM package in Docker
* Remove sudo for RPM installation
* Bind artifacts/dist to RPM docker test container
* Bind artifacts/dist to RPM docker test container
* Avoid prompt during yum install
* Fix bind volume

---------

Signed-off-by: Álex Ruiz

* Remove ecs.version from query.default_fields (#184)
* Upload packages to S3 (#179)
* Attempt to automate package's testing
* Add workflow file to upload packages to S3
* Skip testing to test whether the upload works
* Fix package names
* Fix upload workflow name
* Pass secrets to the reusable workflow
* Fix indentation
* Fix indentation
* Remove test workflow from this PR
* Add boolean input to control when the package is uploaded to the S3 bucket
* [UI/UX] Improve inputs description

---------

Signed-off-by: Álex Ruiz

* Add bash to Docker dev image (#185)
* Update wazuh-states-vulnerabilities index mapping (#191)
* Update wazuh-states-vulnerabilities index mapping
* Extend ECS Vulnerability fields
* Add pipeline to generate release packages (#193)
* Add script to get the version of OpenSearch
* Set revision to 0 by default.
  - Reduce inputs for scripts.
  - Add script to generate packages' naming convention.
  - Make scripts self-aware of the OpenSearch version.
* Fix assemble
* Smoke test new pipeline to build packages
* Fix syntax errors
* Update build.yml
Signed-off-by: Álex Ruiz

* Add workflow to build packages on push
* Run actionlint
* Fix jq argjson
* Fix set matrix output ?
* Try new approach using a single workflow
* Fix GITHUB_OUTPUT
* Fix baptizer invocation
* Add testing and upload to new approach
* Fix hard coded revision number on RPM assembly
* New attempt
* Skip upload unless specified
* Install plugins on RPM
* Promote new approach
  Removes previous workflows to generate packages
* Fix workflow name
* Attempt to fix release package naming
* Fix build.sh invocation from workflow
* Use min package name in workflow
* Use min package name for release naming convention in workflow
* Attempt to fix regex
* Upgrade to aws-actions/configure-aws-credentials@v4
  Clean up
* Apply latest requirements
  Add workflow with single matrix for QA use. Rename inputs. Add checksum input.
* Add checksum generation and upload
* Use choice as input types for system and architecture
* Invoke build single packages with upload option
* Add documentation and clean up
* Rename scripts folder to packaging_scripts

---------

Signed-off-by: Álex Ruiz

* Build Docker images (#194)
* Assemble tar packages
* Add files to generate Docker images
  First working version
* Fix certs path
* clean up
* Working indexer in Docker
* Add documentation to build Docker images
  Simplify names of Docker build args
* Remove unused Docker dependencies

---------
Signed-off-by: Álex Ruiz

* Add on.workflow_call to build_single.yml workflow (#200)
  Allows invocation using the GH API
* Add Python module to implement Amazon Security Lake integration (#186)
* Migrate from #147
* Update amazon-security-lake integration
  - Improved documentation.
  - Python code has been moved to `wazuh-indexer/integrations/amazon-security-lake/src`.
  - Development environment now uses OpenSearch 2.12.0.
  - The `wazuh.integration.security.lake` container now displays logs, by watching logstash's log file.
  - [**NEEDS FIX**] As a temporary solution, the `INDEXER_USERNAME` and `INDEXER_PASSWORD` values have been added as an environment variable to the `wazuh.integration.security.lake` container. These values should be set at Dockerfile level, but this isn't working, probably due to permission denied on invocation of the `setup.sh` script.
  - [**NEEDS FIX**] As a temporary solution, the output file of the `indexer-to-file` pipeline has been moved to `/var/log/logstash/indexer-to-file`. Previous path `/usr/share/logstash/pipeline/indexer-to-file.json` results in permission denied.
  - [**NEEDS FIX**] As a temporary solution, the input.opensearch.query has been replaced with `match_all`, as the previous one does not return any data, probably due to the use of time filters `gt: now-1m`.
  - Standard output enabled for `/usr/share/logstash/pipeline/indexer-to-file.json`.
  - [**NEEDS FIX**] ECS compatibility disabled: `echo "pipeline.ecs_compatibility: disabled" >> /etc/logstash/logstash.yml` -- to be included automatically
  - Python3 environment path added to the `indexer-to-integrator` pipeline.
* Disable ECS compatibility (auto)
  - Adds pipeline.ecs_compatibility: disabled at Dockerfile level.
  - Removes `INDEXER_USERNAME` and `INDEXER_PASSWORD` as environment variables on the `wazuh.integration.security.lake` container.
* Add @timestamp field to sample alerts
* Fix Logstash pipelines
* Add working indexer-to-s3 pipeline
* Add working Python script up to S3 upload
* Add latest changes
* Remove duplicated line
* Replace choice with string on workflow_call (#207)
* Use AWS_REGION secret (#209)
* Add Lambda function for the Amazon Security Lake integration (#189)
* Migrate from #147
* Update amazon-security-lake integration
  - Improved documentation.
  - Python code has been moved to `wazuh-indexer/integrations/amazon-security-lake/src`.
  - Development environment now uses OpenSearch 2.12.0.
  - The `wazuh.integration.security.lake` container now displays logs, by watching logstash's log file.
  - [**NEEDS FIX**] As a temporary solution, the `INDEXER_USERNAME` and `INDEXER_PASSWORD` values have been added as an environment variable to the `wazuh.integration.security.lake` container. These values should be set at Dockerfile level, but this isn't working, probably due to permission denied on invocation of the `setup.sh` script.
  - [**NEEDS FIX**] As a temporary solution, the output file of the `indexer-to-file` pipeline has been moved to `/var/log/logstash/indexer-to-file`. Previous path `/usr/share/logstash/pipeline/indexer-to-file.json` results in permission denied.
  - [**NEEDS FIX**] As a temporary solution, the input.opensearch.query has been replaced with `match_all`, as the previous one does not return any data, probably due to the use of time filters `gt: now-1m`.
  - Standard output enabled for `/usr/share/logstash/pipeline/indexer-to-file.json`.
  - [**NEEDS FIX**] ECS compatibility disabled: `echo "pipeline.ecs_compatibility: disabled" >> /etc/logstash/logstash.yml` -- to be included automatically
  - Python3 environment path added to the `indexer-to-integrator` pipeline.
* Disable ECS compatibility (auto)
  - Adds pipeline.ecs_compatibility: disabled at Dockerfile level.
  - Removes `INDEXER_USERNAME` and `INDEXER_PASSWORD` as environment variables on the `wazuh.integration.security.lake` container.
* Add @timestamp field to sample alerts
* Fix Logstash pipelines
* Add working indexer-to-s3 pipeline
* Add working Python script up to S3 upload
* Add latest changes
* Remove duplicated line
* Add working environment with minimal AWS lambda function
* Mount src folder to Lambda's workdir
* Add first functional lambda function
  Tested on local environment, using S3 Ninja and a Lambda container
* Working state
* Add documentation
* Improve code
* Improve code
* Clean up
* Add instructions to build a deployment package
* Make zip file lighter
* Use default name for aws_region
* Add destination bucket validation
* Add env var validation and full destination S3 path
* Add AWS_ENDPOINT environment variable
* Rename AWS_DEFAULT_REGION
* Remove unused env vars
* Remove unused file and improve documentation a bit.
* Makefile improvements
* Use dummy env variables

---------

Signed-off-by: Álex Ruiz

* Bump Java version in Docker environments (#210)
* Fix access denied error during log rotation (#212)
* Save intermediate OCSF files to an S3 bucket (#218)
* Fix Parquet files format (#217)
* Fix mapping to Detection Finding OCSF class (#220)
* Map events to OCSF's Security Finding class (#221)
* Map events to OCSF's Security Finding class
* Improve models (inheritance). Add OCSF_CLASS env variable
* Move constants to the models
* Fix validation error
* Add ID input to workflows (#229)
* Added id input
* Changed name to run-name
* Add OPENSEARCH_TMPDIR variable to service and create directory in packages accordingly (#231)
* Improve workflow's run-name with target system and architecture (#237)
* Add documentation for the Amazon Security Lake integration (#226)
* Add documentation for the Amazon Security Lake integration
* Add images via upload

Signed-off-by: Álex Ruiz

* Add files via upload

Signed-off-by: Álex Ruiz

* Use jpeg
* Add files via upload

Signed-off-by: Álex Ruiz

* Fix some typos
* Add CONTRIBUTING.md
* Apply improvements to the ASL docu

---------
Signed-off-by: Álex Ruiz

* Rename environment variable (#240)
* Remove maintainer-approval.yml (#241)
* Improve logging and error handling on ASL Lambda function (#242)
* Update .gitattributes (#243)
* Change . for : in debian's postinst (#245)
* Add integration with Elastic (#248)
* Add integration with Elastic
  Draft
* Update Elastic integration
  Draft
* Add Elastic integration folder
  Draft
* Changing the kibana system user
* Add Elastic integration
  Working

---------

Co-authored-by: Fede Tux

* Added S3 URI output to package generation upload (#249)
* Added S3 URI output
* Added ID input and S3 URI output
* Improved workflow run name
* Added name statement
* Added name statement
* Removed file
* Added ID input description
* Update build.yml

---------

Co-authored-by: Álex Ruiz

* Add OpenSearch integration (#258)
* Add docker environment
* Add README
  Move files to the corresponding folder
* Enable TLS in dashboards

---------

Co-authored-by: Álex Ruiz

* Add Splunk integration (#257)
* Add Splunk integration
  Draft
* Fix certificate errors
* Add cfssl container to generate and sign splunk certs
* Add cfssl configuration files
* Update Splunk integration

---------
Signed-off-by: Álex Ruiz
Co-authored-by: Fede Tux

* Add Manager to Elastic integration (#266)
* Init commit [DRAFT]
  Adds a Compose environment
* Mount alerts as shared volume instead of file
* Update documentation and clean up files

---------

Co-authored-by: Fede Tux

* Add Manager to Splunk integration (#268)
* Add Manager to OpenSearch integration (#267)
* Add Manager to OpenSearch integration
  Also fixes small issues on other integrations
* Add changes to README
* Attempt nr.2 to fix #277 (#280)
* Testy test test
* Update artifact name
  Skip lintian
* Update Maintainers for Debian package metadata
* Remove references to indexer-ism-init.sh and wazuh-template.json (#281)
* Remove references to indexer-ism-init.sh and wazuh-template.json
* Roll back remaining content from ISM rollover+alias feature
* Remove commented code

---------

Co-authored-by: Álex Ruiz

* Bump 4.10.0 (#272)
* Merge 4.9.1 into 4.10.0 (#358)
* Merge 4.9.1 into 4.10.0 (#358)

---------
Signed-off-by: Álex Ruiz

* Create branch 5.0.0 (#154)
* Create branch 5.0.0
* Fix CHANGELOG.md
* Update `build` workflow to build indexer plugins (#360)
* Update build workflow to include Wazuh plugins
* Try new approach to build wazuh-indexer with plugins
* Remove old code
* Remove ADMINS.md artifacts benchmarks build build.gradle buildSrc CHANGELOG.md client codecov.yml CODE_OF_CONDUCT.md CONTRIBUTING.md DEVELOPER_GUIDE.md dev-tools distribution docker docs doc-tools ecs gradle gradle.properties gradlew gradlew.bat integrations libs licenses LICENSE.txt MAINTAINERS.md modules NOTICE.txt packaging_scripts plugins protobuf-java-NOTICE.txt qa README.md release-notes RELEASING.md rest-api-spec sandbox SECURITY.md server settings.gradle test TESTING.md Vagrantfile VERSION whitesource.config step
* Sync maven local path across jobs
* Fix versioning of wazuh-indexer-plugins
* Fix versioning of wazuh-indexer-plugins
* Pass version and revision to publishToMavenLocal
* Add version check test
* Format files
* Use upload-artifact and download-artifact to share the plugins' zips between jobs
* Add repo path
* Fix plugin name
* Roll back
* Remove exit 1
* Fix relative path to the plugins
* List plugins folder
* Fix relative path
* again
* Change relative path to absolute
* Clean code
* Update README.md
* Apply naming convention
* Add brief steps to build wazuh-indexer with plugins
* Skip job to build plugins on no input
* Improve conditional
* Remove build-plugins job from build's job dependencies
* Roll back
* Add tooling to generate the agents index template (#370)
* Merge 4.10.0 into master (#379)
* Merge 4.9.2 into 4.10.0 (#378)
* Update changelog
* Remove `alerts.json` references and manager integrations (#385)
* Remove references to alerts.json and filebeat off events generator
* Remove compose files and logstash pipelines
* Remove ossec references from sample events
* Remove old compose files for integrations

---------

Co-authored-by: Álex Ruiz

* Fix build.gradle (#381) (#384)
* Fix build.gradle
* Fix build.gradle
* Undo changes
* Add issue template for Indexer-Dashboard packages testing (#393)
* Add stateless index template definition (#395)
* Add stateless index template definition
  Event generator is pending
* Update to 8.11.0
* Update ECS generator
* Remove event generator for stateless ECS module
* Remove commented code
* Fix typo
* Add states-inventory-packages index template definition (#399)
* Add stateless index template definition
  Event generator is pending
* Update to 8.11.0
* Adding template mappings and settings for states-inventory-packages index
* Fix indentation issue in subset.yml
* Remove event generators
* Remove duplicated code with ECS generator
* Add custom fields for states-inventory-packages
* Remove hidden flag on index template

---------

Co-authored-by: Álex Ruiz

* Add states-inventory-processes index template definition (#401)
* Add stateless index template definition
  Event generator is pending
* Update to 8.11.0
* Adding template mappings and settings for states-inventory-processes index
* Fix indentation issue in subset.yml
* Add process.tty as a custom field
* Update states-inventory-processes index template definition
* Remove events generators
* Remove duplicated code
* Remove hidden flag on index template

---------

Co-authored-by: Álex Ruiz

* Add states-inventory-system index template definition (#403)
* Add stateless index template definition
  Event generator is pending
* Update to 8.11.0
* Adding template mappings and settings for states-inventory-system index
* Remove hidden flag, correct subset.yml indentation
* Fix stuff

---------

Co-authored-by: Álex Ruiz

* Add states-vulnerabilities index template definition (#405)
* Add stateless index template definition
  Event generator is pending
* Update to 8.11.0
* Adding template mappings and settings for states-inventory-vulnerabilities index
* Remove event generator script
* Remove hidden flag
* Fix subset.yml indentation
* Recycle ecs/vulnerability-detector
* Add yaml header

---------

Co-authored-by: Álex Ruiz

* Add states-fim index template definition (#397)
* Add stateless index template definition
  Event generator is pending
* Update to 8.11.0
* Adding ecs mapping files for FIM index
* Fix indentation issue in subset.yml
* Remove hidden flag and event_generator
* Rename states-inventory-fim folder
* Fix subset.yml names

---------

Co-authored-by: Álex Ruiz

* Include Command Manager plugin to the build workflow (#408)
* Include Command Manager plugin to the build workflow
* Remove 'github.event.'
* Remove double slash
* Update artifact path
* Add commands index template definition (#413)
* Add commands index template definition
* Change order_id data type
* Build & Assemble reporting plugin (#431)
* Build & Assemble reporting plugin
* Add working-directto ls
* Swap reporting plugin in wazuh-indexer package (specs)
* Fix changelog chronological order
* Normalize artifact names
* Use env.plugin_name
* Add events generator for the Commands Manager plugin (#433)
  The event generator can generate and push sample events to the Command Manager API or to the Indexer API
* Update commands index definition (#437)
  Change ID types to keywords
* Update commands index data model (#453)
* Update commands index data model
* Update commands event generator
* Move agent fields as extended
* Merge 4.10.2 into master (#475)
* Init wazuh-indexer (#3)
* Update CODEOWNERS
* Update README.md and SECURITY.md
* Add Wazuh configuration files
* Update README.md

Signed-off-by: Álex Ruiz

* Create codeql.yml

Signed-off-by: Álex Ruiz

* Update dependabot.yml

Signed-off-by: Álex Ruiz

* Update SECURITY.md (#30)

Signed-off-by: Álex Ruiz

* Add ECS mappings generator (#36)
* Add ECS mappings generator, documentation and files for vulnerability detector
* Add event generator script
* Update template settings

---------
Signed-off-by: Álex Ruiz

* Add default query fields to vulnerability detector index (#40)
* Add ECS mappings generator, documentation and files for vulnerability detector
* Add event generator script
* Add default query fields

---------

Signed-off-by: Álex Ruiz

* Create gradle_build.yml

Signed-off-by: Álex Ruiz

* Update gradle_build.yml

Signed-off-by: Álex Ruiz

* Add a script to configure the rollover policy (#49)
* Update ISM init script (#50)
* Fix bug with -i option (#51)
* Fix bug with -i option
* Improve error handling
* Update min_doc_count value (#52)
* Improve ISM init script (#57)
* Improve ISM init script
* Change log file path
* Update distribution files (#59)
* Update config files
* Add VERSION file
* Update documentation of the ECS tooling (#67)
* Add workflow for package generation (#65)
* Ignore artifacts folder
* Update build script
  - Updated to v2.11.0 version.
  - Skipped compilation of the plugins
  - The artifact name is sent to a text file, to access it easily in GitHub Actions.
* Add GH action to build min packages
* Remove commented code
* Remove unused code
* Add docker compose environment (#66)
* Add very basic Docker environment
  That will do for now
* Add latest changes
* Update Docker environment
  - Remove build.md which was included by mistake.
  - Improve dev.sh script.
  - Update .gitignore to exclude artifacts folder.
  - Create .dockerignore file.
  - Replace get_version.sh script with inline command.
  - Reduce image size by using alpine as base image.

---------
Signed-off-by: Álex Ruiz
* Rename packages to wazuh-indexer (#69)
* Rename packages to wazuh-indexer
* Include VERSION file into packages
* Apply Wazuh version to packages names
* Improve build.sh script
Apply suggestions from ShellCheck
* Update vulnerability index mappings (#75)
* Remove 'events' ECS field
* Add 'wazuh' custom field
* Update event_generator.py for vulnerability detector
* Update `indexer-ism-init.sh` (#81)
Updates the script to upload the wazuh-template.json to the indexer.
Signed-off-by: Álex Ruiz
* Add workflow to assemble packages (#85)
* Add script to assemble arm64 and x64 archives (tar)
* Cleanup
* Update config file with latest upstream changes
* Change packages maintainer information
* Fix wrong substitution of config files
* Update dockerignore to ignore git folder
* Update wazuh-indexer.rpm.spec
Remove unnecessary echo commands
* Add wazuh-indexer-performance-analyzer.service
Required to assemble RPM. The plugin does not install this file, so it needs to be added manually.
* Update assemble.sh
Successfully assemble RPM x64. Runner needed to arm64
* Update `build.yml`
* Add WIP documentation for packages' generation
* Test new approach using reusable workflows
* Fix errors
* Restructure reusable workflow
* Fix upload and download paths
* New try
- Adds a reusable workflow to return the version of Wazuh set in source code.
- Attempt to dynamically generate artifacts name to normalize them for usage between jobs.
- Adds revision as input for the workflow.
- Cleanup
* Emulate assemble to test upload of the reusable assembly workflow
* Add Caching Gradle dependencies
* Remove extra '-' in the packages names on the assembly job
* Final cleanup
* Enable RPM package assemble
Remove unused code
* Fix regex to get package name
* Fix download-artifact destination path
* Exclude unimplemented deb assembly
Extend example to run with Act
* Fix yellow cluster state (#95)
* Add template and settings to disable replicas on ISM plugin internal indices
* Fix documentation
Replaces exit 1 statements with return 1
* Fix uncommented comment line
* Update ism-init script (#97)
* Update ism-init script to parametrize the path of the wazuh-template
---------
Signed-off-by: Álex Ruiz
* Add tools to assemble DEB packages (#96)
* Add tools to assemble DEB packages
* Move wazuh-indexer-performance-analyzer.service to common
* Enable assembly of DEB packages
* Enable full set of plugins
* Actually skip tar assembly
* Add installation of dependencies for DEB assembly
* Install dependencies using sudo
* Format files
* Refactor assemble script
* Update README.md
Signed-off-by: Álex Ruiz
* Build scripts and GH workflows artifacts naming fix (#112)
* Build scripts and GH workflows artifacts naming fix
* Add git to dev docker image
* Fixing jobs' inputs and outputs
* remove name input from r_assemble.yml
* Setting qualifier to 1 when not specified
* Add revision flag to scripts and workflow
* Fix copying of packages at assemble.sh
* Use suffix variable instead of architecture
* Fix suffix name in assemble.sh
* Mix solutions to comply with the package naming convention
* Remove unused code
* Use correct name for assembled package
Remove code no longer needed
* Remove outdated comments
---------
Co-authored-by: Álex Ruiz
* Use short SHA as Git reference in packages naming (#100)
* Switching to short SHA commit form in package names
Signed-off-by: Fede Tux
* Update r_commit_sha.yml
Signed-off-by: Federico Gustavo Galland <99492720+f-galland@users.noreply.github.com>
* Update r_commit_sha.yml
Signed-off-by: Álex Ruiz
---------
Signed-off-by: Fede Tux
Signed-off-by: Federico Gustavo Galland <99492720+f-galland@users.noreply.github.com>
Signed-off-by: Álex Ruiz
Co-authored-by: Fede Tux
Co-authored-by: Álex Ruiz
* Remove unneeded files from assembled packages (#115)
* add remove files function to assemble.sh
* Remove unneeded files on assembled tar packages
* Remove duplicated function
Fix wrong variable assignment
---------
Co-authored-by: Álex Ruiz
* Add missing tools and files back into Wazuh Indexer packages (#117)
* add remove files function to assemble.sh
* Remove unneeded files on assembled tar packages
* Remove duplicated function
Fix wrong variable assignment
* Adding function to package Wazuh's tools to assemble.sh
* Make the files' versions follow the repo's VERSION file
* Fix download of Wazuh tools for packages assembly
---------
Signed-off-by: Álex Ruiz
Co-authored-by: Álex Ruiz
* Remove unneeded symbolic links from assembled packages (#121)
* Update issue templates (#127)
* Fix RPM package references to /var/run (#119)
* Switch /var/run references to /run
* Remove unneeded files from assembled packages (#115)
* add remove files function to assemble.sh
* Remove unneeded files on assembled tar packages
* Remove duplicated function
Fix wrong variable assignment
---------
Co-authored-by: Álex Ruiz
* Add missing tools and files back into Wazuh Indexer packages (#117)
* add remove files function to assemble.sh
* Remove unneeded files on assembled tar packages
* Remove duplicated function
Fix wrong variable assignment
* Adding function to package Wazuh's tools to assemble.sh
* Make the files' versions follow the repo's VERSION file
* Fix download of Wazuh tools for packages assembly
---------
Signed-off-by: Álex Ruiz
Co-authored-by: Álex Ruiz
* Remove unneeded symbolic links from assembled packages (#121)
* Remove reference to install_demo_configuration.sh
---------
Signed-off-by: Álex Ruiz
Co-authored-by: Álex Ruiz
* Removing post-install message from wazuh-indexer.rpm.spec (#131)
* Add tests to the packages building process (#132)
Runs the workflow on pull request changes
* Get Wazuh version from VERSION file (#122)
* Add function to look for VERSION in the correct path
* Update assemble.sh
Adds wget as dependency
* Download files using curl instead of wget
* Update assemble.sh
Revert assembly with minimal plugins for testing
Signed-off-by: Álex Ruiz
* Add Dockerfile and docker-compose for the package assembly stage
* Assemble packages with minimal plugin set when "test" variable is set to "true"
* Update README with assemble.sh docker image
* Fixing env variable naming convention and removing wget dependency
* Improve Docker environments
Adds environments to build packages
* Fix small typos
* More fixes
* Add documentation
* Adding -p flag to mkdir so it doesn't fail when the folder is already present
* Format files
---------
Signed-off-by: Álex Ruiz
Co-authored-by: Álex Ruiz
* Removing /usr/share/lintian/overrides/wazuh-indexer from deb packages (#130)
Co-authored-by: Álex Ruiz
* Add `wazuh-template.json` to packages (#116)
* Download wazuh-template.json from wazuh/wazuh repo
* Add wazuh-template.json to RPM package spec
* Setting wazuh-template.json attributes to 660
* Change wazuh-template.json attributes in debmake_install.sh
* Put template download command within a function
* Small fixes and format
* Apply correct file permissions to the wazuh-template.json
---------
Co-authored-by: Álex Ruiz
* Adding Debian packaging config files from Opensearch (#118)
* Adding debian packaging config files from Opensearch
* Copy debian/ folder to the build dir for debmake to parse
* Remove redundant steps from debian/postinst
---------
Co-authored-by: Álex Ruiz
* Fix Build workflow to run on push events (#134)
* Run workflow on push
* Set build workflow inputs to required
* Normalize the use of quotes for the build workflow inputs
* Add ternary operator
* Add missing ternary operator
* Use maven for plugin download (#139)
* Fine tuning permissions on RPM spec file
* Get plugins using maven
* Rolling back changes to spec file
* Format files
---------
Co-authored-by: Álex Ruiz
* Add new custom field to the vulnerability detector index (#141)
* Add new custom field to the vulnerability detector index
* Update event generator tool
* Remove base.labels ECS field from wazuh-states-vulnerabilities index mappings
* Fine tuning permissions on assembled packages (#137)
* Fine tuning permissions on RPM spec file
* Build a list of files to be packaged excluding items that need special permissions
* Fix bad permissions on directories
* Remove system directories from packaging definition
* Changing permissions on deb packages
* Skip unneeded dh_fixperms stage in debian/rules
* Clean & format
---------
Co-authored-by: Álex Ruiz
* Init. Amazon Security Lake integration (#143)
* Init. Amazon Security Lake integration
Signed-off-by: Álex Ruiz
* Add events generator tool for `wazuh-alerts` (#152)
* Add events generator tool for wazuh-alerts
* Fix typo in README.md
Signed-off-by: Álex Ruiz
* Make timestamps timezone aware
---------
Signed-off-by: Álex Ruiz
Co-authored-by: Fede Tux
* Add `wazuh.manager.name` to VD mappings (#158)
* Create compatibility_request.md (#163)
Signed-off-by: Álex Ruiz
* Add Python module to accomplish OCSF compliant events (#159)
* Adding Python script that receives a continuous json stream over stdin and outputs parquet to Security Lake
* Adding logstash pipeline for python script
* encode_parquet() function fixed to handle lists of dictionaries
* Correct error in encode_parquet()
* Avoid storing the block ending in the output buffer
* Add comments on handling files and streams with pyarrow for future reference
* Add s3 handling reference links
* Write parquet directly to bucket
* Added basics of map_to_ocsf() function
* Minor fixes
* Map alerts to OCSF as they are read
* Add script to convert Wazuh events to OCSF
Also adds a simple test script
* Add OCSF converter + Parquet encoder + test scripts
* Update .gitignore
* Include the contents of the alert under unmapped
* Add support for different OCSF schema versions
* Use custom ocsf module to map alerts
* Modify script to use converter class
* Code polish and fix errors
* Remove unnecessary type declaration from debug flag
* Improved parquet encoding
* Initial commit for test env's docker-compose.yml
* Remove sudo references from docker-compose.yml
* Add operational Python module to transform events to OCSF
* Create minimal Docker environment to test and develop the integration.
* Fix events-generator's Inventory starvation
* Remove files present in #147
* Cleanup
* Add FQDN hostnames to services for certificates creation
* Add S3 Ninja (Mock) (#165)
* Setup certificates in Wazuh Indexer and Logstash containers (#166)
* Add certificate generator service
* Add certificate config to docker compose file
* Use secrets for certificates
* Disable permission handling inside cert's generator entrypoint.sh
* Back to using a bind mount for certs
* Have entrypoint.sh generate certs with 1000:1000 ownership
* Correct certificate permissions and bind mounting
* Add security initialization variable to compose file
* Fix permissions on certs generator entrypoint
* Add cert generator config file
* Remove old cert generator dir
* Set indexer hostname right in pipeline file
* Roll back commented code
---------
Signed-off-by: Álex Ruiz
Co-authored-by: Álex Ruiz
* Fix Logstash pipelines
* Remove unused file
* Implement OCSF severity normalize function
---------
Signed-off-by: Álex Ruiz
Co-authored-by: Fede Tux
Co-authored-by: Federico Gustavo Galland <99492720+f-galland@users.noreply.github.com>
* Update Gradle setup action (#182)
* Attempt to automate package's testing
* Fix typo
* Update setup gradle action
* Remove file from another PR
* Update build.yml
Signed-off-by: Álex Ruiz
---------
Signed-off-by: Álex Ruiz
* Update vulnerability-states fields (#177)
* Update vulnerability-states fields
Adds wazuh.schema.version
* Update events generator
* Automate package's testing (#178)
* Attempt to automate package's testing
* Fix typo
* Add sudo
* Split test steps and manage errors
* Add --no-pager to journalctl
* Add certs generator
* Improve error handling
* Update r_test.yml
Fix indentation
Signed-off-by: Álex Ruiz
* Fix error handling
* Add testing of RPM packages
* Improve multi-os testing
* Add TEST env var
* Add braces to if conditionals
* Remove all curly braces from if conditionals
* braces again
* Install RPM package in Docker
* Remove sudo for RPM installation
* Bind artifacts/dist to RPM docker test container
* Bind artifacts/dist to RPM docker test container
* Avoid prompt during yum install
* Fix bind volume
---------
Signed-off-by: Álex Ruiz
* Remove ecs.version from query.default_fields (#184)
* Upload packages to S3 (#179)
* Attempt to automate package's testing
* Add workflow file to upload packages to S3
* Skip testing to test whether the upload works
* Fix package names
* Fix upload workflow name
* Pass secrets to the reusable workflow
* Fix indentation
* Fix indentation
* Remove test workflow from this PR
* Add boolean input to control when the package is uploaded to the S3 bucket
* [UI/UX] Improve inputs description
---------
Signed-off-by: Álex Ruiz
* Add bash to Docker dev image (#185)
* Update wazuh-states-vulnerabilities index mapping (#191)
* Update wazuh-states-vulnerabilities index mapping
* Extend ECS Vulnerability fields
* Add pipeline to generate release packages (#193)
* Add script to get the version of OpenSearch
* Set revision to 0 by default.
- Reduce inputs for scripts.
- Add script to generate packages' naming convention.
- Make scripts self-aware of the OpenSearch version.
* Fix assemble
* Smoke test new pipeline to build packages
* Fix syntax errors
* Update build.yml
Signed-off-by: Álex Ruiz
* Add workflow to build packages on push
* Run actionlint
* Fix jq argjson
* Fix set matrix output ?
* Try new approach using a single workflow
* Fix GITHUB_OUTPUT
* Fix baptizer invocation
* Add testing and upload to new approach
* Fix hard coded revision number on RPM assembly
* New attempt
* Skip upload unless specified
* Install plugins on RPM
* Promote new approach
Removes previous workflows to generate packages
* Fix workflow name
* Attempt to fix release package naming
* Fix build.sh invocation from workflow
* Use min package name in workflow
* Use min package name for release naming convention in workflow
* Attempt to fix regex
* Upgrade to aws-actions/configure-aws-credentials@v4
Clean up
* Apply latest requirements
Add workflow with single matrix for QA use. Rename inputs. Add checksum input.
* Add checksum generation and upload
* Use choice as input types for system and architecture
* Invoke build single packages with upload option
* Add documentation and clean up
* Rename scripts folder to packaging_scripts
---------
Signed-off-by: Álex Ruiz
* Build Docker images (#194)
* Assemble tar packages
* Add files to generate Docker images
First working version
* Fix certs path
* clean up
* Working indexer in Docker
* Add documentation to build Docker images
Simplify names of Docker build args
* Remove unused Docker dependencies
---------
Signed-off-by: Álex Ruiz
* Add on.workflow_call to build_single.yml workflow (#200)
Allows invocation using the GH API
* Add Python module to implement Amazon Security Lake integration (#186)
* Migrate from #147
* Update amazon-security-lake integration
- Improved documentation.
- Python code has been moved to `wazuh-indexer/integrations/amazon-security-lake/src`.
- Development environment now uses OpenSearch 2.12.0.
- The `wazuh.integration.security.lake` container now displays logs, by watching logstash's log file.
- [**NEEDS FIX**] As a temporary solution, the `INDEXER_USERNAME` and `INDEXER_PASSWORD` values have been added as an environment variable to the `wazuh.integration.security.lake` container. These values should be set at Dockerfile level, but this isn't working, probably due to permission denied on invocation of the `setup.sh` script.
- [**NEEDS FIX**] As a temporary solution, the output file of the `indexer-to-file` pipeline has been moved to `/var/log/logstash/indexer-to-file`. Previous path `/usr/share/logstash/pipeline/indexer-to-file.json` results in permission denied.
- [**NEEDS FIX**] As a temporary solution, the input.opensearch.query has been replaced with `match_all`, as the previous one does not return any data, probably due to the use of time filters `gt: now-1m`.
- Standard output enabled for `/usr/share/logstash/pipeline/indexer-to-file.json`.
- [**NEEDS FIX**] ECS compatibility disabled: `echo "pipeline.ecs_compatibility: disabled" >> /etc/logstash/logstash.yml` -- to be included automatically
- Python3 environment path added to the `indexer-to-integrator` pipeline.
* Disable ECS compatibility (auto)
- Adds pipeline.ecs_compatibility: disabled at Dockerfile level.
- Removes `INDEXER_USERNAME` and `INDEXER_PASSWORD` as environment variables on the `wazuh.integration.security.lake` container.
* Add @timestamp field to sample alerts
* Fix Logstash pipelines
* Add working indexer-to-s3 pipeline
* Add working Python script up to S3 upload
* Add latest changes
* Remove duplicated line
* Replace choice with string on workflow_call (#207)
* Use AWS_REGION secret (#209)
* Add Lambda function for the Amazon Security Lake integration (#189)
* Migrate from #147
* Update amazon-security-lake integration
- Improved documentation.
- Python code has been moved to `wazuh-indexer/integrations/amazon-security-lake/src`.
- Development environment now uses OpenSearch 2.12.0.
- The `wazuh.integration.security.lake` container now displays logs, by watching logstash's log file.
- [**NEEDS FIX**] As a temporary solution, the `INDEXER_USERNAME` and `INDEXER_PASSWORD` values have been added as an environment variable to the `wazuh.integration.security.lake` container. These values should be set at Dockerfile level, but this isn't working, probably due to permission denied on invocation of the `setup.sh` script.
- [**NEEDS FIX**] As a temporary solution, the output file of the `indexer-to-file` pipeline has been moved to `/var/log/logstash/indexer-to-file`. Previous path `/usr/share/logstash/pipeline/indexer-to-file.json` results in permission denied.
- [**NEEDS FIX**] As a temporary solution, the input.opensearch.query has been replaced with `match_all`, as the previous one does not return any data, probably due to the use of time filters `gt: now-1m`.
- Standard output enabled for `/usr/share/logstash/pipeline/indexer-to-file.json`.
- [**NEEDS FIX**] ECS compatibility disabled: `echo "pipeline.ecs_compatibility: disabled" >> /etc/logstash/logstash.yml` -- to be included automatically
- Python3 environment path added to the `indexer-to-integrator` pipeline.
* Disable ECS compatibility (auto)
- Adds pipeline.ecs_compatibility: disabled at Dockerfile level.
- Removes `INDEXER_USERNAME` and `INDEXER_PASSWORD` as environment variables on the `wazuh.integration.security.lake` container.
* Add @timestamp field to sample alerts
* Fix Logstash pipelines
* Add working indexer-to-s3 pipeline
* Add working Python script up to S3 upload
* Add latest changes
* Remove duplicated line
* Add working environment with minimal AWS lambda function
* Mount src folder to Lambda's workdir
* Add first functional lambda function
Tested on local environment, using S3 Ninja and a Lambda container
* Working state
* Add documentation
* Improve code
* Improve code
* Clean up
* Add instructions to build a deployment package
* Make zip file lighter
* Use default name for aws_region
* Add destination bucket validation
* Add env var validation and full destination S3 path
* Add AWS_ENDPOINT environment variable
* Rename AWS_DEFAULT_REGION
* Remove unused env vars
* Remove unused file and improve documentation a bit.
* Makefile improvements
* Use dummy env variables
---------
Signed-off-by: Álex Ruiz
* Bump Java version in Docker environments (#210)
* Fix access denied error during log rotation (#212)
* Save intermediate OCSF files to an S3 bucket (#218)
* Fix Parquet files format (#217)
* Fix mapping to Detection Finding OCSF class (#220)
* Map events to OCSF's Security Finding class (#221)
* Map events to OCSF's Security Finding class
* Improve models (inheritance). Add OCSF_CLASS env variable
* Move constants to the models
* Fix validation error
* Add ID input to workflows (#229)
* Added id input
* Changed name to run-name
* Add OPENSEARCH_TMPDIR variable to service and create directory in packages accordingly (#231)
* Improve workflow's run-name with target system and architecture (#237)
* Add documentation for the Amazon Security Lake integration (#226)
* Add documentation for the Amazon Security Lake integration
* Add images via upload
Signed-off-by: Álex Ruiz
* Add files via upload
Signed-off-by: Álex Ruiz
* Use jpeg
* Add files via upload
Signed-off-by: Álex Ruiz
* Fix some typos
* Add CONTRIBUTING.md
* Apply improvements to the ASL docu
---------
Signed-off-by: Álex Ruiz
* Rename environment variable (#240)
* Remove maintainer-approval.yml (#241)
* Improve logging and error handling on ASL Lambda function (#242)
* Update .gitattributes (#243)
* Change . for : in debian's postinst (#245)
* Add integration with Elastic (#248)
* Add integration with Elastic
Draft
* Update Elastic integration
Draft
* Add Elastic integration folder
Draft
* Changing the kibana system user
* Add Elastic integration
Working
---------
Co-authored-by: Fede Tux
* Added S3 URI output to package generation upload (#249)
* Added S3 URI output
* Added ID input and S3 URI output
* Improved workflow run name
* Added name statement
* Added name statement
* Removed file
* Added ID input description
* Update build.yml
---------
Co-authored-by: Álex Ruiz
* Add OpenSearch integration (#258)
* Add docker environment
* Add README
Move files to the corresponding folder
* Enable TLS in dashboards
---------
Co-authored-by: Álex Ruiz
* Add Splunk integration (#257)
* Add Splunk integration
Draft
* Fix certificate errors
* Add cfssl container to generate and sign splunk certs
* Add cfssl configuration files
* Update Splunk integration
---------
Signed-off-by: Álex Ruiz
Co-authored-by: Fede Tux
* Add Manager to Elastic integration (#266)
* Init commit [DRAFT]
Adds a Compose environment
* Mount alerts as shared volume instead of file
* Update documentation and clean up files
---------
Co-authored-by: Fede Tux
* Add Manager to Splunk integration (#268)
* Add Manager to OpenSearch integration (#267)
* Add Manager to OpenSearch integration
Also fixes small issues on other integrations
* Add changes to README
* Attempt nr.2 to fix #277 (#280)
* Testy test test
* Update artifact name
Skip lintian
* Update Maintainers for Debian package metadata
* Remove references to indexer-ism-init.sh and wazuh-template.json (#281)
* Remove references to indexer-ism-init.sh and wazuh-template.json
* Roll back remaining content from ISM rollover+alias feature
* Remove commented code
---------
Co-authored-by: Álex Ruiz
* Bump 4.10.0 (#272)
* Merge 4.9.1 into 4.10.0 (#358)
* Merge 4.9.1 into 4.10.0 (#358)
---------
Signed-off-by: Álex Ruiz
* Merge 4.9.2 into 4.10.0 (#378)
* Fix build.gradle (#381)
* Fix build.gradle
* Fix build.gradle
* Undo changes
* Remove old compose files for integrations (#386)
* Delete integrations/docker/amazon-security-lake.yml
Signed-off-by: Álex Ruiz
* Delete integrations/docker/config directory
Signed-off-by: Álex Ruiz
* Update vulnerability detector index template (#383)
* Update VD index template
* Remove host.os.family
* Merge 4.9.1 into 4.10.0 (#426)
* Fix Performance Analyzer service file (#391)
* Update SECURITY.md (#411)
* Remove prompt about configuration file overwrites on package upgrade (#410)
* Make new config files install with .new prefix
* Fix errors and add .new prefix to /etc/init.d/wazuh-indexer
* Fix errors in build.sh and assemble.sh
* Revert "Fix errors in build.sh and assemble.sh"
This reverts commit 5dc35007c0fbd8c6f0a54d35e9118a1936fd08f1.
* Using noreplace on config files for rpm
* Fix issues in debmake.sh
* Revert changes to Debian packages
---------
Co-authored-by: Álex Ruiz
* Update SECURITY.md (#415)
Signed-off-by: Raul Del Pozo Moreno
* Add Release Notes 4.9.1-rc1 (#421)
---------
Signed-off-by: Raul Del Pozo Moreno
Co-authored-by: Fede Galland <99492720+f-galland@users.noreply.github.com>
Co-authored-by: Raul Del Pozo Moreno
* Bump version to 4.10.1 (#430)
* Support new version 4.10.2 (#441)
* Enable assembly of ARM packages (#444)
* Merge 4.10.1 into 4.10.2 (#473)
* Merge 4.10.0 into 4.10.1 (#470)
* Upgrade integrations to the last version (#447)
* Upgrade third-party integrations to latest product versions (#368)
* Upgrade third-party integrations to latest product versions
* Improve compatibility matrix
* Change versions in /integrations/.env
Signed-off-by: Malena Casas
* Fix Splunk integrations (#362)
* Add table with the version of the integrations
* Update CHANGELOG.md
Signed-off-by: Álex Ruiz
---------
Signed-off-by: Malena Casas
Signed-off-by: Álex Ruiz
Co-authored-by: Álex Ruiz
Co-authored-by: JuanGarriuz
* Merge 4.9.1 into 4.10.0 (#454)
* Prepare 4.9.1-rc2 (#436)
* Update docker/README.md (#438)
* Support new stage 4.9.1-rc3 (#443)
* Update operational--integrations_maintenance_request.md (#449)
Signed-off-by: Álex Ruiz
---------
Signed-off-by: Álex Ruiz
* Fix Github Actions build process dependency errors (#457)
* Switch from latest to 22.04 runner
* Remove non-existent packages from workflow provisioner
* Remove freeglut3 from provision.sh
* Update calendarTime and scan_date fields type (#458)
* Merge 4.9.1 into 4.10.0 (#469)
* Support for v4.9.1-alpha4 (#461)
* Prepare final release notes for 4.9.1
---------
Signed-off-by: Malena Casas
Signed-off-by: Álex Ruiz
Co-authored-by: Malena Casas
Co-authored-by: JuanGarriuz
Co-authored-by: Fede Galland <99492720+f-galland@users.noreply.github.com>
Co-authored-by: Kevin Ledesma
* Fix release date for 4.10.0 in RPM spec file
* Fix release date for 4.10.0 in RPM spec file
---------
Signed-off-by: Malena Casas
Signed-off-by: Álex Ruiz
Co-authored-by: Malena Casas
Co-authored-by: JuanGarriuz
Co-authored-by: Fede Galland <99492720+f-galland@users.noreply.github.com>
Co-authored-by: Kevin Ledesma
* Remove packaging_scripts folder
* Remove duplicated files
* Fix build.yml
---------
Signed-off-by: Álex Ruiz
Signed-off-by: Fede Tux
Signed-off-by: Federico Gustavo Galland <99492720+f-galland@users.noreply.github.com>
Signed-off-by: Raul Del Pozo Moreno
Signed-off-by: Malena Casas
Co-authored-by: Federico Gustavo Galland <99492720+f-galland@users.noreply.github.com>
Co-authored-by: Fede Tux
Co-authored-by: Fede Tux
Co-authored-by: Raul Del Pozo Moreno
Co-authored-by: Malena Casas
Co-authored-by: JuanGarriuz
Co-authored-by: Kevin Ledesma
* Fix tar packages plugin bundling (#466)
* Removing extra unneeded directory change command
* Change directory to repo root
* Making assemble.sh look for plugins in the artifacts folder
* Putting the uncompressed directory into a variable
* Fix assembled tar compression directory
* Remove pwd
---------
Co-authored-by: Álex Ruiz
* Implement Vagrantfile for generic testing environment (#474)
* Add Vagrantfile and config.yml for generic testing environment setup
* Rename vagrantfile storing directory
* Add vagrant basic environment README.md
* Remove basic_env folder
* Fix typo on Vagrantfile
* Add pre-start bash script to generate the certificates
---------
Co-authored-by: Álex Ruiz
* Fix pre-start.sh script for Vagrant environment (#479)
* Fix openssl error at generating wazuh credentials
* Remove installation of unused sspass package
* Reduce RAM to 4 GB per node
---------
Co-authored-by: Álex Ruiz
* Apply states-vulnerabilities index pattern fix (#483)
* Remove trailing hyphen from the states-vulnerabilities index pattern
* Use latest version of the states-vulnerabilities index template
For real this time
* Fix template-settings fields (#490)
* Update vulnerabilities template-settings fields
* Update ecs templates definitions
* Update packages destination to 5.x S3 bucket (#495)
* Delete compatibility setting in opeansearch.prod.yml (#504)
* Save plugins and reporting repo hashes on workflow variable and updat… (#502)
* Save plugins and reporting repo hashes on workflow variable and update baptizer script to use it on package naming
* Update GHA workflow to save hash on global variable
* Update GHA to use env
* Update GHA workflow to save the hash on an output variable
* Fix environment variable usage
* Update baptizer to receive the repositories hashes by parameter
Update build GHA to send hashes by parameters to the baptizer script
* Update build-scripts README.md with new baptizer parameters
* Update build GHA workflow to show the URL of the uploaded package at the job view
* Update GHA build workflow to always upload package to the S3 bucket
Remove 'upload' check on workflow input
* Restore upload input and corresponding validations
* Remove commented lines
* Merge 4.10.2 into master (#514)
* Init wazuh-indexer (#3)
* Update CODEOWNERS
* Update README.md and SECURITY.md
* Add Wazuh configuration files
* Update README.md
Signed-off-by: Álex Ruiz
* Create codeql.yml
Signed-off-by: Álex Ruiz
* Update dependabot.yml
Signed-off-by: Álex Ruiz
* Update SECURITY.md (#30)
Signed-off-by: Álex Ruiz
* Add ECS mappings generator (#36)
* Add ECS mappings generator, documentation and files for vulnerability detector
* Add event generator script
* Update template settings
---------
Signed-off-by: Álex Ruiz
* Add default query fields to vulnerability detector index (#40)
* Add ECS mappings generator, documentation and files for vulnerability detector
* Add event generator script
* Add default query fields
---------
Signed-off-by: Álex Ruiz
* Create gradle_build.yml
Signed-off-by: Álex Ruiz
* Update gradle_build.yml
Signed-off-by: Álex Ruiz
* Add a script to configure the rollover policy (#49)
* Update ISM init script (#50)
* Fix bug with -i option (#51)
* Fix bug with -i option
* Improve error handling
* Update min_doc_count value (#52)
* Improve ISM init script (#57)
* Improve ISM init script
* Change log file path
* Update distribution files (#59)
* Update config files
* Add VERSION file
* Update documentation of the ECS tooling (#67)
* Add workflow for package generation (#65)
* Ignore artifacts folder
* Update build script
- Updated to v2.11.0 version.
- Skipped compilation of the plugins
- The artifact name is sent to a text file, to access it easily in GitHub Actions.
* Add GH action to build min packages
* Remove commented code
* Remove unused code
* Add docker compose environment (#66)
* Add very basic Docker environment
That will do for now
* Add latest changes
* Update Docker environment
- Remove build.md which was included by mistake.
- Improve dev.sh script.
- Update .gitignore to exclude artifacts folder.
- Create .dockerignore file.
- Replace get_version.sh script with inline command.
- Reduce image size by using alpine as base image.
---------
Signed-off-by: Álex Ruiz
* Rename packages to wazuh-indexer (#69)
* Rename packages to wazuh-indexer
* Include VERSION file into packages
* Apply Wazuh version to packages names
* Improve build.sh script
Apply suggestions from ShellCheck
* Update vulnerability index mappings (#75)
* Remove 'events' ECS field
* Add 'wazuh' custom field
* Update event_generator.py for vulnerability detector
* Update `indexer-ism-init.sh` (#81)
Updates the script to upload the wazuh-template.json to the indexer.
Signed-off-by: Álex Ruiz
* Add workflow to assemble packages (#85)
* Add script to assemble arm64 and x64 archives (tar)
* Cleanup
* Update config file with latest upstream changes
* Change packages maintainer information
* Fix wrong substitution of config files
* Update dockerignore to ignore git folder
* Update wazuh-indexer.rpm.spec
Remove unnecessary echo commands
* Add wazuh-indexer-performance-analyzer.service
Required to assemble RPM. The plugin does not install this file, so it needs to be added manually.
* Update assemble.sh
Successfully assemble RPM x64. Runner needed to arm64
* Update `build.yml`
* Add WIP documentation for packages' generation
* Test new approach using reusable workflows
* Fix errors
* Restructure reusable workflow
* Fix upload and download paths
* New try
- Adds a reusable workflow to return the version of Wazuh set in source code.
- Attempt to dynamically generate artifacts name to normalize them for usage between jobs.
- Adds revision as input for the workflow.
- Cleanup
* Emulate assemble to test upload of the reusable assembly workflow
* Add Caching Gradle dependencies
* Remove extra '-' in the packages names on the assembly job
* Final cleanup
* Enable RPM package assemble
Remove unused code
* Fix regex to get package name
* Fix download-artifact destination path
* Exclude unimplemented deb assembly
Extend example to run with Act
* Fix yellow cluster state (#95)
* Add template and settings to disable replicas on ISM plugin internal indices
* Fix documentation
Replaces exit 1 statements with return 1
* Fix uncommented comment line
* Update ism-init script (#97)
* Update ism-init script to parametrize the path of the wazuh-template
---------
Signed-off-by: Álex Ruiz * Add tools to assemble DEB packages (#96) * Add tools to assemble DEB packages * Move wazuh-indexer-performance-analyzer.service to common * Enable assembly of DEB packages * Enable full set of plugins * Actually skip tar assembly * Add installation of dependencies for DEB assembly * Install dependencies using sudo * Format files * Refactor assemble script * Update README.md Signed-off-by: Álex Ruiz * Build scripts and GH workflows artifacts naming fix (#112) * Build scripts and GH workflows artifacts naming fix * Add git to dev docker image * Fixing jobs' inputs and outputs * remove name input from r_assemble.yml * Setting qualifier to 1 when not specified * Add revision flag to scripts and workflow * Fix copying of packages at assemble.sh * Use suffix variable instead of architecture * Fix suffix name in assemble.sh * Mix solutions to comply with the package naming convention * Remove unused code * Use correct name for assembled package Remove code no longer needed * Remove outdated comments --------- Co-authored-by: Álex Ruiz * Use short SHA as Git reference in packages naming (#100) * Switching to short SHA commit form in package names Signed-off-by: Fede Tux * Update r_commit_sha.yml Signed-off-by: Federico Gustavo Galland <99492720+f-galland@users.noreply.github.com> * Update r_commit_sha.yml Signed-off-by: Álex Ruiz --------- Signed-off-by: Fede Tux Signed-off-by: Federico Gustavo Galland <99492720+f-galland@users.noreply.github.com> 
Signed-off-by: Álex Ruiz Co-authored-by: Fede Tux Co-authored-by: Álex Ruiz * Remove unneeded files from assembled packages (#115) * add remove files function to assemble.sh * Remove unneeded files on assembled tar packages * Remove duplicated function Fix wrong variable assignment --------- Co-authored-by: Álex Ruiz * Add missing tools and files back into Wazuh Indexer packages (#117) * add remove files function to assemble.sh * Remove unneeded files on assembled tar packages * Remove duplicated function Fix wrong variable assignment * Adding function to package Wazuh`s tools to assemble.sh * Make the files' versions follow the repo's VERSION file * Fix download of Wazuh tools for packages assembly --------- Signed-off-by: Álex Ruiz Co-authored-by: Álex Ruiz * Remove unneeded symbolic links from assembled packages (#121) * Update issue templates (#127) * Fix RPM package references to /var/run (#119) * Switch /var/run references to /run * Remove unneeded files from assembled packages (#115) * add remove files function to assemble.sh * Remove unneeded files on assembled tar packages * Remove duplicated function Fix wrong variable assignment --------- Co-authored-by: Álex Ruiz * Add missing tools and files back into Wazuh Indexer packages (#117) * add remove files function to assemble.sh * Remove unneeded files on assembled tar packages * Remove duplicated function Fix wrong variable assignment * Adding function to package Wazuh`s tools to assemble.sh * Make the files' versions follow the repo's VERSION file * Fix download of Wazuh tools for packages assembly --------- Signed-off-by: Álex Ruiz Co-authored-by: Álex Ruiz * Remove unneeded symbolic links from assembled packages (#121) * Remove reference to install_demo_configuration.sh --------- 
Signed-off-by: Álex Ruiz Co-authored-by: Álex Ruiz * Removing post-install message from wazuh-indexer.rpm.spec (#131) * Add tests to the packages building process (#132) Runs the workflow on pull request changes * Get Wazuh version from VERSION file (#122) * Add function to look for VERSION in the correct path * Update assemble.sh Adds wget as dependency * Download files using curl instead of wget * Update assemble.sh Revert assembly with minimal plugins for testing Signed-off-by: Álex Ruiz * Add Dockerfile and docker-compose for the package assembly stage * Assemble packages with minimal plugin set when "test" variable is set to "true" * Update README with assemble.sh docker image * Fixing env variable naming convention and removing wget dependency * Improve Docker environments Adds environments to build packages * Fix small typos * More fixes * Add documentation * Adding -p flag to mkdir so it doesnt fail when the folder is already present * Format files --------- 
Signed-off-by: Álex Ruiz Co-authored-by: Álex Ruiz * Removing /usr/share/lintian/overrides/wazuh-indexer from deb packages (#130) Co-authored-by: Álex Ruiz * Add `wazuh-template.json` to packages (#116) * Download wazuh-template.json from wazuh/wazuh repo * Add wazuh-template.json to RPM package spec * Setting wazuh-template.json attributes to 660 * Change wazuh-template.json attributes in debmake_install.sh * Put template download command within a function * Small fixes and format * Apply correct file permissions to the wazuh-template.json --------- Co-authored-by: Álex Ruiz * Adding Debian packaging config files from Opensearch (#118) * Adding debian packaging config files from Opensearch * Copy debian/ folder to the build dir for debmake to parse * Remove redundant steps from debian/postinst --------- Co-authored-by: Álex Ruiz * Fix Build workflow to run on push events (#134) * Run workflow on push * Set build workflow inputs to required * Normalize the use of quotes for the build workflow inputs * Add ternary operator * Add missing ternary operator * Use maven for plugin download (#139) * Fine tuning permissions on RPM spec file * Get plugins using maven * Rolling back changes to spec file * Format files --------- Co-authored-by: Álex Ruiz * Add new custom field to the vulnerability detector index (#141) * Add new custom field to the vulnerability detector index * Update event generator tool * Remove base.labels ECS field from wazuh-states-vulnerabilities index mappings * Fine tuning permissions on assembled packages (#137) * Fine tuning permissions on RPM spec file * Build a list of files to be packaged excluding items that need special permissions * Fix bad permissions on directories * Remove system directories from packaging definition * Changing permissions on deb packages * Skip unneeded dh_fixperms stage in debian/rules * Clean & format --------- Co-authored-by: Álex Ruiz * Init. Amazon Security Lake integration (#143) * Init. 
Amazon Security Lake integration Signed-off-by: Álex Ruiz * Add events generator tool for `wazuh-alerts` (#152) * Add events generator tool for wazuh-alerts * Fix typo in README.md Signed-off-by: Álex Ruiz * Make timestamps timezone aware --------- Signed-off-by: Álex Ruiz Co-authored-by: Fede Tux * Add `wazuh.manager.name` to VD mappings (#158) * Create compatibility_request.md (#163) 
Signed-off-by: Álex Ruiz * Add Python module to accomplish OCSF compliant events (#159) * Adding Python script that receives a continuous json stream over stdin and outputs parquet to Security Lake * Adding logstash pipeline for python script * encode_parquet() function fixed to handle lists of dictionaries * Correct error in encode_parquet() * Avoid storing the block ending in the output buffer * Add comments on handling files and streams with pyarrow for future reference * Add s3 handling reference links * Write parquet directly to bucket * Added basics of map_to_ocsf() function * Minor fixes * Map alerts to OCSF as they are read * Add script to convert Wazuh events to OCSF Also adds a simple test script * Add OCSF converter + Parquet encoder + test scripts * Update .gitignore * Include the contents of the alert under unmapped * Add support for different OCSF schema versions * Use custom ocsf module to map alerts * Modify script to use converter class * Code polish and fix errors * Remove unnecessary type declaration from debug flag * Improved parquet encoding * Initial commit for test env's docker-compose.yml * Remove sudo references from docker-compose.yml * Add operational Python module to transform events to OCSF * Create minimal Docker environment to test and develop the integration. 
* Fix events-generator's Inventory starvation * Remove files present in #147 * Cleanup * Add FQDN hostnames to services for certificates creation * Add S3 Ninja (Mock) (#165) * Setup certificates in Wazuh Indexer and Logstash containers (#166) * Add certificate generator service * Add certificate config to docker compose file * Use secrets for certificates * Disable permission handling inside cert's generator entrypoint.sh * Back to using a bind mount for certs * Have entrypoint.sh generate certs with 1000:1000 ownership * Correct certificate permissions and bind mounting * Add security initialization variable to compose file * Fix permissions on certs generator entrypoint * Add cert generator config file * Remove old cert generator dir * Set indexer hostname right in pipeline file * Roll back commented code --------- Signed-off-by: Álex Ruiz Co-authored-by: Álex Ruiz * Fix Logstash pipelines * Remove unused file * Implement OCSF severity normalize function --------- Signed-off-by: Álex Ruiz Co-authored-by: Fede Tux Co-authored-by: Federico Gustavo Galland <99492720+f-galland@users.noreply.github.com> * Update Gradle setup action (#182) * Attemtp to automate package's testing * Fix typo * Update setup gradle action * Remove file from another PR * Update build.yml Signed-off-by: Álex Ruiz --------- Signed-off-by: Álex Ruiz * Update vulnerability-states fields (#177) * Update vulnerability-states fields Adds wazuh.schema.version * Update events generator * Automate package's testing (#178) * Attemtp to automate package's testing * Fix typo * Add sudo * Split test steps and manage errors * Add --no-pager to journalctl * Add certs generator * Improve error handling * Update r_test.yml Fix indentation 
Signed-off-by: Álex Ruiz * Fix error handling * Add testing of RPM packages * Improve multi-os testing * Add TEST env var * Add braces to if conditionals * Remove all curly braches from if conditionals * braces again * Install RPM package in Docker * Remove sudo for RPM installation * Bind artifacts/dist to RPM docker test container * Bind artifacts/dist to RPM docker test container * Avoid prompt during yum install * Fix bind volume --------- Signed-off-by: Álex Ruiz * Remove ecs.version from query.default_fields (#184) * Upload packages to S3 (#179) * Attemtp to automate package's testing * Add workflow file to upload packages to S3 * Skip testing to test whether the upload works * Fix package names * Fix upload workflow name * Pass secrets to the reusable workflow * Fix indentation * Fix indentation * Remove test workflow from this PR * Add boolean input to control when the package is uploaded to the S3 bucket * [UI/UX] Improve inputs description --------- Signed-off-by: Álex Ruiz * Add bash to Docker dev image (#185) * Update wazuh-states-vulnerabilities index mapping (#191) * Update wazuh-states-vulnerabilities index mapping * Extend ECS Vulnerability fields * Add pipeline to generate release packages (#193) * Add script to get the version of OpenSearch * Set revision to 0 by default. - Reduce inputs for scripts. - Add script to generate packages' naming convention. - Make scripts self-aware of the OpenSearch version. * Fix assemble * Smoke test new pipeline to build packages * Fix syntax errors * Update build.yml 
Signed-off-by: Álex Ruiz * Add workflow to build packages on push * Run actionlint * Fix jq argjson * Fix set matrix output ? * Try new approach using a single workflow * Fix GITHUB_OUTPUT * Fix baptizer invocation * Add testing and upload to new approach * Fix hard coded revision number on RPM assembly * New attempt * Skip upload unless specified * Install plugins on RPM * Promote new approach Removes previous workflows to generate packages * Fix workflow name * Attempt to fix release package naming * Fix build.sh invocation from workflow * Use min package name in workflow * Use min package name for release naming convention in workflow * Attemtp to fix regex * Upgrade to aws-actions/configure-aws-credentials@v4 Clean up * Apply latest requirements Add workflow with single matrix for QA use. Rename inputs. Add checksum input. * Add checksum generation and upload * Use choice as input types for system and architecture * Invoke build single packages with upload option * Add documentation and clean up * Rename scripts folder to packaging_scripts --------- Signed-off-by: Álex Ruiz * Build Docker images (#194) * Assemble tar packages * Add files to generate Docker images First working version * Fix certs path * clean up * Working indexer in Docker * Add documentation to build Docker images Simplify names of Docker build args * Remove unused Docker dependencies --------- 
Signed-off-by: Álex Ruiz * Add on.workflow_call to build_single.yml workflow (#200) Allows invocation usin the GH API * Add Pyhton module to implement Amazon Security Lake integration (#186) * Migrate from #147 * Update amazon-security-lake integration - Improved documentation. - Python code has been moved to `wazuh-indexer/integrations/amazon-security-lake/src`. - Development environment now uses OpenSearch 2.12.0. - The `wazuh.integration.security.lake` container now displays logs, by watching logstash's log file. - [**NEEDS FIX**] As a temporary solution, the `INDEXER_USERNAME` and `INDEXER_PASSWORD` values have been added as an environment variable to the `wazuh.integration.security.lake` container. These values should be set at Dockerfile level, but isn't working, probably due to permission denied on invocation of the `setup.sh` script. - [**NEEDS FIX**] As a temporary solution, the output file of the `indexer-to-file` pipeline as been moved to `/var/log/logstash/indexer-to-file`. Previous path `/usr/share/logstash/pipeline/indexer-to-file.json` results in permission denied. - [**NEEDS FIX**] As a temporary solution, the input.opensearch.query has been replaced with `match_all`, as the previous one does not return any data, probably to the use of time filters `gt: now-1m`. - Standard output enable for `/usr/share/logstash/pipeline/indexer-to-file.json`. - [**NEEDS FIX**] ECS compatibility disabled: `echo "pipeline.ecs_compatibility: disabled" >> /etc/logstash/logstash.yml` -- to be included automatically - Python3 environment path added to the `indexer-to-integrator` pipeline. * Disable ECS compatibility (auto) - Adds pipeline.ecs_compatibility: disabled at Dockerfile level. - Removes `INDEXER_USERNAME` and `INDEXER_PASSWORD` as environment variables on the `wazuh.integration.security.lake` container. 
* Add @timestamp field to sample alerts * Fix Logstash pipelines * Add working indexer-to-s3 pipeline * Add working Python script up to S3 upload * Add latest changes * Remove duplicated line * Replace choice with string on workflow_call (#207) * Use AWS_REGION secret (#209) * Add Lambda function for the Amazon Security Lake integration (#189) * Migrate from #147 * Update amazon-security-lake integration - Improved documentation. - Python code has been moved to `wazuh-indexer/integrations/amazon-security-lake/src`. - Development environment now uses OpenSearch 2.12.0. - The `wazuh.integration.security.lake` container now displays logs, by watching logstash's log file. - [**NEEDS FIX**] As a temporary solution, the `INDEXER_USERNAME` and `INDEXER_PASSWORD` values have been added as an environment variable to the `wazuh.integration.security.lake` container. These values should be set at Dockerfile level, but isn't working, probably due to permission denied on invocation of the `setup.sh` script. - [**NEEDS FIX**] As a temporary solution, the output file of the `indexer-to-file` pipeline as been moved to `/var/log/logstash/indexer-to-file`. Previous path `/usr/share/logstash/pipeline/indexer-to-file.json` results in permission denied. - [**NEEDS FIX**] As a temporary solution, the input.opensearch.query has been replaced with `match_all`, as the previous one does not return any data, probably to the use of time filters `gt: now-1m`. - Standard output enable for `/usr/share/logstash/pipeline/indexer-to-file.json`. - [**NEEDS FIX**] ECS compatibility disabled: `echo "pipeline.ecs_compatibility: disabled" >> /etc/logstash/logstash.yml` -- to be included automatically - Python3 environment path added to the `indexer-to-integrator` pipeline. * Disable ECS compatibility (auto) - Adds pipeline.ecs_compatibility: disabled at Dockerfile level. - Removes `INDEXER_USERNAME` and `INDEXER_PASSWORD` as environment variables on the `wazuh.integration.security.lake` container. 
* Add @timestamp field to sample alerts * Fix Logstash pipelines * Add working indexer-to-s3 pipeline * Add working Python script up to S3 upload * Add latest changes * Remove duplicated line * Add working environment with minimal AWS lambda function * Mount src folder to Lambda's workdir * Add first functional lambda function Tested on local environment, using S3 Ninja and a Lambda container * Working state * Add documentation * Improve code * Improve code * Clean up * Add instructions to build a deployment package * Make zip file lighter * Use default name for aws_region * Add destination bucket validation * Add env var validation and full destination S3 path * Add AWS_ENDPOINT environment variable * Rename AWS_DEFAULT_REGION * Remove unused env vars * Remove unused file and improve documentation a bit. * Makefile improvements * Use dummy env variables --------- Signed-off-by: Álex Ruiz * Bump Java version in Docker environments (#210) * Fix access denied error during log rotation (#212) * Save intermediate OCSF files to an S3 bucket (#218) * Fix Parquet files format (#217) * Fix mapping to Detection Finding OCSF class (#220) * Map events to OCSF's Security Finding class (#221) * Map events to OCSF's Security Finding class * Improve models (inheritance). Add OCSF_CLASS env variable * Move constants to the models * Fix validation error * Add ID input to workflows (#229) * Added id input * Changed name to run-name * Add OPENSEARCH_TMPDIR variable to service and create directory in packages accordingly (#231) * Improve workflow's run-name with tagret system and architeture (#237) * Add documentation for the Amazon Security Lake integration (#226) * Add documentation for the Amazon Security Lake integration * Add images via upload Signed-off-by: Álex Ruiz * Add files via upload Signed-off-by: Álex Ruiz * Use jpeg * Add files via upload Signed-off-by: Álex Ruiz * Fix some typos * Add CONTRIBUTING.md * Apply improvements to the ASL docu --------- 
Signed-off-by: Álex Ruiz * Rename environment variable (#240) * Remove maintainer-approval.yml (#241) * Improve logging and error handling on ASL Lambda function (#242) * Update .gitattributes (#243) * Change . for : in debian's postinst (#245) * Add integration with Elastic (#248) * Add integration with Elastic Draft * Update Elastic integration Draft * Add Elastic integration folder Draft * Changing the kibana system user * Add Elastic integration Working --------- Co-authored-by: Fede Tux * Added S3 URI output to package generation upload (#249) * Added S3 URI output * Added ID input and S3 URI output * Improved workflow run name * Added name statement * Added name statement * Removed file * Added ID input description * Update build.yml --------- Co-authored-by: Álex Ruiz * Add OpenSearch integration (#258) * Add docker environment * Add README Move files to the corresponding folde * Enable TLS in dashboards --------- Co-authored-by: Álex Ruiz * Add Splunk integration (#257) * Add Splunk integration Draft * Fix certificate errors * Add cfssl container to generate and sign splunk certs * Add cfssl configuration fiels * Update Splunk integration --------- 
Signed-off-by: Álex Ruiz Co-authored-by: Fede Tux * Add Manager to Elastic integration (#266) * Init commit [DRAFT] Adds a Compose environment * Mount alerts as shared volume instead of file * Update documentation and clean up files --------- Co-authored-by: Fede Tux * Add Manager to Splunk integration (#268) * Add Manager to OpenSearch integration (#267) * Add Manager to OpenSearch integreation Also fixes small issues on other integrations * Add changes to README * Attempt nr.2 to fix #277 (#280) * Testy test test * Update artifact name Skip lintian * Update Mantainers for Debian package metadata * Remove references to indexer-ism-init.sh and wazuh-template.json (#281) * Remove references to indexer-ism-init.sh and wazuh-template.json * Roll back remaining content from ISM rollover+alias feature * Remove commented code --------- Co-authored-by: Álex Ruiz * Bump 4.10.0 (#272) * Merge 4.9.1 into 4.10.0 (#358) * Merge 4.9.1 into 4.10.0 (#358) --------- Signed-off-by: Álex Ruiz * Merge 4.9.2 into 4.10.0 (#378) * Fix build.gradle (#381) * Fix build.gradle * Fix build.gradle * Undo changes * Remove old compose files for integrations (#386) * Delete integrations/docker/amazon-security-lake.yml Signed-off-by: Álex Ruiz * Delete integrations/docker/config directory 
Signed-off-by: Álex Ruiz * Update vulnerability detector index template (#383) * Update VD index template * Remove host.os.family * Merge 4.9.1 into 4.10.0 (#426) * Fix Performance Analyzer service file (#391) * Update SECURITY.md (#411) * Remove prompt about configuration file overwrites on package upgrade (#410) * Make new config files install with .new prefix * Fix errors and add .new prefix to /etc/init.d/wazuh-indexer * Fix errors in build.sh and assemble.sh * Revert "Fix errors in build.sh and assemble.sh" This reverts commit 5dc35007c0fbd8c6f0a54d35e9118a1936fd08f1. * Using noreplace on config files for rpm * Fix issues in debmake.sh * Revert changes to Debian packages --------- Co-authored-by: Álex Ruiz * Update SECURITY.md (#415) Signed-off-by: Raul Del Pozo Moreno * Add Release Notes 4.9.1-rc1 (#421) --------- Signed-off-by: Raul Del Pozo Moreno Co-authored-by: Fede Galland <99492720+f-galland@users.noreply.github.com> Co-authored-by: Raul Del Pozo Moreno * Bump version to 4.10.1 (#430) * Support new version 4.10.2 (#441) * Enable assembly of ARM packages (#444) * Merge 4.10.1 into 4.10.2 (#473) * Merge 4.10.0 into 4.10.1 (#470) * Upgrade integrations to the last version (#447) * Upgrade third-party integrations to latest product versions (#368) * Upgrade third-party integrations to latest product versions * Improve comtability matrix * Change versions in /integrations/.env Signed-off-by: Malena Casas * Fix Splunk integrations (#362) * Add table with the version of the integrations * Update CHANGELOG.md Signed-off-by: Álex Ruiz --------- Signed-off-by: Malena Casas Signed-off-by: Álex Ruiz Co-authored-by: Álex Ruiz Co-authored-by: JuanGarriuz * Merge 4.9.1 into 4.10.0 (#454) * Prepare 4.9.1-rc2 (#436) * Update docker/README.md (#438) * Support new stage 4.9.1-rc3 (#443) * Update operational--integrations_maintenance_request.md (#449) Signed-off-by: Álex Ruiz --------- 
Signed-off-by: Álex Ruiz * Fix Github Actions build process dependency errors (#457) * Switch from latest to 22.04 runner * Remove non-existant packages from workflow provisioner * Remove freeglut3 from provision.sh * Update calendarTime and scan_date fields type (#458) * Merge 4.9.1 into 4.10.0 (#469) * Support for v4.9.1-alpha4 (#461) * Prepare final release notes for 4.9.1 --------- Signed-off-by: Malena Casas Signed-off-by: Álex Ruiz Co-authored-by: Malena Casas Co-authored-by: JuanGarriuz Co-authored-by: Fede Galland <99492720+f-galland@users.noreply.github.com> Co-authored-by: Kevin Ledesma * Fix release date for 4.10.0 in RPM spec file * Fix release date for 4.10.0 in RPM spec file --------- Signed-off-by: Malena Casas Signed-off-by: Álex Ruiz Co-authored-by: Malena Casas Co-authored-by: JuanGarriuz Co-authored-by: Fede Galland <99492720+f-galland@users.noreply.github.com> Co-authored-by: Kevin Ledesma * Merge 4.10.1 into 4.10.2 (#513) * Merge 4.10.0 into 4.10.1 (#470) * Upgrade integrations to the last version (#447) * Upgrade third-party integrations to latest product versions (#368) * Upgrade third-party integrations to latest product versions * Improve comtability matrix * Change versions in /integrations/.env Signed-off-by: Malena Casas * Fix Splunk integrations (#362) * Add table with the version of the integrations * Update CHANGELOG.md Signed-off-by: Álex Ruiz --------- Signed-off-by: Malena Casas Signed-off-by: Álex Ruiz Co-authored-by: Álex Ruiz Co-authored-by: JuanGarriuz * Merge 4.9.1 into 4.10.0 (#454) * Prepare 4.9.1-rc2 (#436) * Update docker/README.md (#438) * Support new stage 4.9.1-rc3 (#443) * Update operational--integrations_maintenance_request.md (#449) Signed-off-by: Álex Ruiz --------- 
Signed-off-by: Álex Ruiz * Fix Github Actions build process dependency errors (#457) * Switch from latest to 22.04 runner * Remove non-existant packages from workflow provisioner * Remove freeglut3 from provision.sh * Update calendarTime and scan_date fields type (#458) * Merge 4.9.1 into 4.10.0 (#469) * Support for v4.9.1-alpha4 (#461) * Prepare final release notes for 4.9.1 --------- Signed-off-by: Malena Casas Signed-off-by: Álex Ruiz Co-authored-by: Malena Casas Co-authored-by: JuanGarriuz Co-authored-by: Fede Galland <99492720+f-galland@users.noreply.github.com> Co-authored-by: Kevin Ledesma * Fix release date for 4.10.0 in RPM spec file Signed-off-by: Álex Ruiz * Merge 4.10.0 into 4.10.1 (#511) * Upgrade integrations to the last version (#447) * Upgrade third-party integrations to latest product versions (#368) * Upgrade third-party integrations to latest product versions * Improve comtability matrix * Change versions in /integrations/.env Signed-off-by: Malena Casas * Fix Splunk integrations (#362) * Add table with the version of the integrations * Update CHANGELOG.md Signed-off-by: Álex Ruiz --------- Signed-off-by: Malena Casas Signed-off-by: Álex Ruiz Co-authored-by: Álex Ruiz Co-authored-by: JuanGarriuz * Merge 4.9.1 into 4.10.0 (#454) * Prepare 4.9.1-rc2 (#436) * Update docker/README.md (#438) * Support new stage 4.9.1-rc3 (#443) * Update operational--integrations_maintenance_request.md (#449) Signed-off-by: Álex Ruiz --------- 
Signed-off-by: Álex Ruiz * Fix Github Actions build process dependency errors (#457) * Switch from latest to 22.04 runner * Remove non-existant packages from workflow provisioner * Remove freeglut3 from provision.sh * Update calendarTime and scan_date fields type (#458) * Merge 4.9.1 into 4.10.0 (#469) * Support for v4.9.1-alpha4 (#461) * Prepare final release notes for 4.9.1 * Fix release date for 4.10.0 in RPM spec file (#471) * Preserve status of wazuh-indexer on upgrade (#498) * Update pre and post inst scripts for deb and rpm to store and restore service status * Update prerm script to avoid stopping the service on upgrade * Remove extra spaces and update rpm restart command * Merge 4.9.2 into 4.10.0 (#510) * Support for v4.9.1-alpha4 (#461) * Prepare final release notes for 4.9.1 * Support new version 4.9.2 (#494) * Support new version 4.9.2 * Add estimated release date for 4.9.2 * Fix estimates release date for 4.9.2 * Fix 4.9.1 release notes title --------- Signed-off-by: Álex Ruiz --------- Signed-off-by: Malena Casas Signed-off-by: Álex Ruiz Co-authored-by: Malena Casas Co-authored-by: JuanGarriuz Co-authored-by: Fede Galland <99492720+f-galland@users.noreply.github.com> Co-authored-by: Kevin Ledesma Signed-off-by: Álex Ruiz --------- Signed-off-by: Malena Casas Signed-off-by: Álex Ruiz Co-authored-by: Malena Casas Co-authored-by: JuanGarriuz Co-authored-by: Fede Galland <99492720+f-galland@users.noreply.github.com> Co-authored-by: Kevin Ledesma --------- Signed-off-by: Álex Ruiz Signed-off-by: Fede Tux Signed-off-by: Federico Gustavo Galland <99492720+f-galland@users.noreply.github.com> Signed-off-by: Raul Del Pozo Moreno 
Signed-off-by: Malena Casas Co-authored-by: Federico Gustavo Galland <99492720+f-galland@users.noreply.github.com> Co-authored-by: Fede Tux Co-authored-by: Fede Tux Co-authored-by: Raul Del Pozo Moreno Co-authored-by: Malena Casas Co-authored-by: JuanGarriuz Co-authored-by: Kevin Ledesma * Add bash scripts for MVP validation tests (#482) * Add MVP validation tests bash scripts * Add validations for generated index-patterns * Update scripts to support debian ARM * Update validations scripts to be able to use the generated package name * Add argument to define certificates path * Update OS detection on scripts * Add dependencies validations * Add usage description to each script and a simple README * Add dependencies validations * Fix typos * Apply SpellCheck linter recommendations * Skip checks related to SC2181 where the fix is not applicable * Remove unnecesary double quotes from certificates generation script * Update variable quoting * Provision VMs with dependencies for the testing scripts Copy the scripts to the VMs auto. * Merge scripts 00 and 01 making it easier to get the package from GHA artifacts Update the tests scripts README * Optimize test scripts * Add sleep after clister initialization * Update README and improve scripts output logs Fix script 00 to work on any node Remove unwanted outputs from executed commands * Update execution guide on README * Add conditional to remove certs directory if already exists Update default IP detection * Add sleep to avoid requesting to the API before cluster is initialized * Add index force merge for the command_manager plugin index * Avoid errors due to race conditions --------- Co-authored-by: Álex Ruiz * Create feature_template.md 
Signed-off-by: Álex Ruiz * Upgrade third-party integrations to latest versions available (#519) * Update Elastic Stack and Wazuh versions * Add 'build' block on logstash component definition * Update README compatibility matrix * Update OpenSearch integration version to 2.18.0 * Update README compatibility matrix with new OpenSearch version * Update CI workflow (#529) * Update CI workflow * Format files --------- Signed-off-by: Álex Ruiz Signed-off-by: Fede Tux Signed-off-by: Federico Gustavo Galland <99492720+f-galland@users.noreply.github.com> Signed-off-by: Raul Del Pozo Moreno 
Signed-off-by: Malena Casas
Co-authored-by: Federico Gustavo Galland <99492720+f-galland@users.noreply.github.com>
Co-authored-by: Fede Tux
Co-authored-by: Fede Tux
Co-authored-by: Raul Del Pozo Moreno
Co-authored-by: Malena Casas
Co-authored-by: JuanGarriuz
Co-authored-by: Kevin Ledesma
---
 .gitattributes | 9 +
 .github/CODEOWNERS | 26 +-
 .github/ISSUE_TEMPLATE/bug_template.md | 2 +-
 .../ISSUE_TEMPLATE/compatibility_request.md | 24 +
 .github/ISSUE_TEMPLATE/compatibility_test.md | 27 +
 .github/ISSUE_TEMPLATE/feature_request.md | 2 +-
 .github/ISSUE_TEMPLATE/feature_template.md | 23 +
 ...ional--integrations_maintenance_request.md | 30 +
 .github/dependabot.yml | 175 ++
 .github/workflows/build.yml | 327 +++
 .github/workflows/ci.yml | 21 +
 .github/workflows/codeql.yml | 78 +
 .github/workflows/maintainer-approval.yml | 32 -
 .github/workflows/version_check.yml | 15 +
 .gitignore | 13 +-
 CHANGELOG.md | 5 +-
 README.md | 40 +-
 SECURITY.md | 46 +-
 VERSION | 1 +
 build-scripts/README.md | 273 +++
 build-scripts/act.input.env | 9 +
 build-scripts/assemble.sh | 440 ++++
 build-scripts/baptizer.sh | 169 ++
 build-scripts/build.sh | 190 ++
 build-scripts/check-version.sh | 11 +
 build-scripts/provision.sh | 10 +
 build-scripts/upstream-version.sh | 5 +
 ...nternalDistributionArchiveSetupPlugin.java | 2 +-
 .../InternalDistributionBwcSetupPlugin.java | 8 +-
 distribution/archives/build.gradle | 6 +-
 distribution/build.gradle | 41 +-
 distribution/docker/build.gradle | 2 +-
 distribution/docker/docker-compose.yml | 4 +-
 distribution/docker/docker-test-entrypoint.sh | 4 +-
 distribution/docker/src/docker/Dockerfile | 24 +-
 .../src/docker/bin/docker-entrypoint.sh | 8 +-
 distribution/packages/build.gradle | 92 +-
 .../common/env/{opensearch => wazuh-indexer} | 24 +-
 .../packages/src/common/scripts/postinst | 52 +-
 .../packages/src/common/scripts/postrm | 30 +-
 .../packages/src/common/scripts/posttrans | 8 +-
 .../packages/src/common/scripts/preinst | 38 +-
 .../packages/src/common/scripts/prerm | 22 +-
 .../src/common/systemd/opensearch.conf | 1 -
 .../{opensearch.conf => wazuh-indexer.conf} | 0
 .../src/common/systemd/systemd-entrypoint | 4 +-
 .../src/common/systemd/wazuh-indexer.conf | 1 +
 ...ensearch.service => wazuh-indexer.service} | 25 +-
 ...wazuh-indexer-performance-analyzer.service | 22 +
 distribution/packages/src/deb/Makefile | 19 +
 distribution/packages/src/deb/debian/control | 22 +
 .../packages/src/deb/debian/copyright | 38 +
 distribution/packages/src/deb/debian/postinst | 65 +
 distribution/packages/src/deb/debian/preinst | 35 +
 distribution/packages/src/deb/debian/prerm | 37 +
 distribution/packages/src/deb/debian/rules | 32 +
 .../packages/src/deb/debmake_install.sh | 93 +
 .../deb/init.d/{opensearch => wazuh-indexer} | 28 +-
 .../packages/src/deb/lintian/opensearch | 46 -
 .../packages/src/deb/lintian/wazuh-indexer | 46 +
 .../rpm/init.d/{opensearch => wazuh-indexer} | 22 +-
 .../packages/src/rpm/wazuh-indexer.cicd.spec | 755 ++++++
 .../packages/src/rpm/wazuh-indexer.rpm.spec | 347 +++
 distribution/src/bin/indexer-security-init.sh | 189 ++
 distribution/src/config/jvm.prod.options | 93 +
 distribution/src/config/opensearch.prod.yml | 39 +
 .../src/config/security/internal_users.yml | 63 +
 distribution/src/config/security/roles.yml | 393 ++++
 .../src/config/security/roles_mapping.yml | 87 +
 docker/README.md | 55 +
 docker/ci/ci.sh | 62 +
 docker/ci/ci.yml | 28 +
 docker/ci/images/.dockerignore | 68 +
 docker/ci/images/Dockerfile | 17 +
 docker/dev/dev.sh | 60 +
 docker/dev/dev.yml | 17 +
 docker/dev/images/.dockerignore | 68 +
 docker/dev/images/Dockerfile | 20 +
 docker/prod/Dockerfile | 78 +
 docker/prod/config/config.sh | 64 +
 docker/prod/config/config.yml | 5 +
 docker/prod/config/opensearch.yml | 26 +
 docker/prod/config/securityadmin.sh | 11 +
 docker/prod/entrypoint.sh | 98 +
 ecs/.gitignore | 3 +
 ecs/README.md | 139 ++
 ecs/agent/event-generator/event_generator.py | 114 +
 ecs/agent/fields/custom/wazuh-agent.yml | 27 +
 ecs/agent/fields/mapping-settings.json | 4 +
 ecs/agent/fields/subset.yml | 22 +
 .../fields/template-settings-legacy.json | 23 +
 ecs/agent/fields/template-settings.json | 25 +
 ecs/alerts/fields/custom/agent.yml | 12 +
 ecs/alerts/fields/mapping-settings.json | 4 +
 ecs/alerts/fields/subset.yml | 596 +++++
 .../fields/template-settings-legacy.json | 18 +
 ecs/alerts/fields/template-settings.json | 18 +
 .../event-generator/event_generator.py | 135 ++
 ecs/command/fields/custom/agent.yml | 12 +
 ecs/command/fields/custom/command.yml | 79 +
 ecs/command/fields/mapping-settings.json | 4 +
 ecs/command/fields/subset.yml | 11 +
 .../fields/template-settings-legacy.json | 20 +
 ecs/command/fields/template-settings.json | 22 +
 ecs/generate.sh | 118 +
 ecs/states-fim/fields/custom/agent.yml | 12 +
 ecs/states-fim/fields/mapping-settings.json | 4 +
 ecs/states-fim/fields/subset.yml | 36 +
 .../fields/template-settings-legacy.json | 21 +
 ecs/states-fim/fields/template-settings.json | 23 +
 .../fields/custom/agent.yml | 12 +
 .../fields/mapping-settings.json | 4 +
 .../fields/subset.yml | 21 +
 .../fields/template-settings-legacy.json | 19 +
 .../fields/template-settings.json | 21 +
 .../fields/custom/agent.yml | 12 +
 .../fields/mapping-settings.json | 4 +
 .../fields/subset.yml | 42 +
 .../fields/template-settings-legacy.json | 18 +
 .../fields/template-settings.json | 20 +
 .../fields/custom/agent.yml | 12 +
 .../fields/mapping-settings.json | 4 +
 ecs/states-inventory-system/fields/subset.yml | 23 +
 .../fields/template-settings-legacy.json | 18 +
 .../fields/template-settings.json | 20 +
 .../event-generator/event_generator.py | 244 ++
 .../fields/custom/agent.yml | 12 +
 .../fields/custom/vulnerability.yml | 29 +
 .../fields/custom/wazuh.yml | 21 +
 .../fields/mapping-settings.json | 4 +
 ecs/states-vulnerabilities/fields/subset.yml | 24 +
 .../fields/template-settings-legacy.json | 23 +
 .../fields/template-settings.json | 25 +
 integrations/.gitignore | 3 +
 integrations/README.md | 33 +
 .../amazon-security-lake/.dockerignore | 180 ++
 integrations/amazon-security-lake/.gitignore | 179 ++
 .../amazon-security-lake/CONTRIBUTING.md | 55 +
 integrations/amazon-security-lake/Dockerfile | 17 +
 integrations/amazon-security-lake/Makefile | 30 +
 integrations/amazon-security-lake/README.md | 281 +++
 .../aws-lambda.dockerfile | 17 +
 .../images/asl-custom-source-form.jpeg | Bin 0 -> 59572 bytes
 .../images/asl-custom-source.jpeg | Bin 0 -> 30234 bytes
 .../images/asl-lambda-trigger.jpeg | Bin 0 -> 82300 bytes
 .../images/asl-overview.jpeg | Bin 0 -> 33327 bytes
 .../amazon-security-lake/invoke-lambda.sh | 42 +
 .../logstash/pipeline/indexer-to-file.conf | 34 +
 .../logstash/pipeline/indexer-to-s3.conf | 53 +
 .../amazon-security-lake/logstash/setup.sh | 10 +
 .../amazon-security-lake/requirements.aws.txt | 2 +
 .../amazon-security-lake/requirements.txt | 4 +
 .../src/lambda_function.py | 185 ++
 .../src/models/__init__.py | 2 +
 .../amazon-security-lake/src/models/ocsf.py | 104 +
 .../amazon-security-lake/src/models/wazuh.py | 50 +
 .../src/wazuh_ocsf_converter.py | 185 ++
 integrations/docker/.env | 44 +
 integrations/docker/amazon-security-lake.yml | 143 ++
 .../docker/compose.amazon-security-lake.yml | 175 ++
 .../docker/compose.indexer-elastic.yml | 259 +++
 .../docker/compose.indexer-opensearch.yml | 194 ++
 .../docker/compose.indexer-splunk.yml | 182 ++
 integrations/docker/config/certs.yml | 20 +
 integrations/elastic/Dockerfile | 19 +
 integrations/elastic/README.md | 57 +
 integrations/elastic/dashboards.ndjson | 9 +
 .../logstash/pipeline/es_template.json | 2042 +++++++++++++++++
 .../logstash/pipeline/indexer-to-elastic.conf | 35 +
 integrations/elastic/logstash/setup.sh | 10 +
 integrations/logstash/Dockerfile | 19 +
 integrations/logstash/setup.sh | 10 +
 integrations/opensearch/README.md | 57 +
 integrations/opensearch/dashboards.ndjson | 38 +
 .../pipeline/indexer-to-opensearch.conf | 38 +
 .../logstash/pipeline/os_template.json | 2039 ++++++++++++++++
 integrations/opensearch/opensearch.yml | 39 +
.../opensearch/opensearch_dashboards.yml | 21 + integrations/splunk/README.md | 57 + integrations/splunk/cfssl/ca.json | 15 + integrations/splunk/cfssl/cfssl.json | 58 + integrations/splunk/cfssl/host.json | 19 + integrations/splunk/config/default.yml | 25 + integrations/splunk/config/indexes.conf | 11 + .../logstash/pipeline/indexer-to-splunk.conf | 31 + integrations/splunk/logstash/setup.sh | 10 + integrations/splunk/wazuh-amazon-aws | 132 ++ integrations/splunk/wazuh-docker-listener | 130 ++ integrations/splunk/wazuh-incident-response | 131 ++ integrations/splunk/wazuh-malware-detection | 132 ++ integrations/splunk/wazuh-pci-dss | 132 ++ integrations/splunk/wazuh-security-events | 292 +++ integrations/splunk/wazuh-vulnerabilities | 257 +++ .../tools/events-generator/.dockerignore | 2 + .../tools/events-generator/.gitignore | 1 + .../tools/events-generator/Dockerfile | 4 + integrations/tools/events-generator/README.md | 52 + .../tools/events-generator/requirements.txt | 1 + integrations/tools/events-generator/run.py | 205 ++ .../events-generator/wazuh-alerts/alerts.json | 1124 +++++++++ release-notes/wazuh.release-notes-4.9.1.md | 19 + scripts/build.sh | 161 -- settings.gradle | 2 +- test-tools/README.md | 41 + test-tools/Vagrantfile | 54 + test-tools/config.yml | 7 + test-tools/pre-start.sh | 23 + test-tools/scripts/00_run.sh | 88 + .../01_download_and_install_package.sh | 173 ++ test-tools/scripts/02_apply_certificates.sh | 117 + .../scripts/03_manage_indexer_service.sh | 76 + test-tools/scripts/04_initialize_cluster.sh | 95 + .../scripts/05_validate_installed_plugins.sh | 95 + test-tools/scripts/06_validate_setup.sh | 153 ++ .../scripts/07_validate_command_manager.sh | 115 + test-tools/scripts/08_uninstall_indexer.sh | 75 + test-tools/scripts/README.md | 79 + 217 files changed, 18290 insertions(+), 501 deletions(-) create mode 100644 .github/ISSUE_TEMPLATE/compatibility_request.md create mode 100644 .github/ISSUE_TEMPLATE/compatibility_test.md create mode 
100644 .github/ISSUE_TEMPLATE/feature_template.md create mode 100644 .github/ISSUE_TEMPLATE/operational--integrations_maintenance_request.md create mode 100644 .github/workflows/build.yml create mode 100644 .github/workflows/ci.yml create mode 100644 .github/workflows/codeql.yml delete mode 100644 .github/workflows/maintainer-approval.yml create mode 100644 .github/workflows/version_check.yml create mode 100644 VERSION create mode 100644 build-scripts/README.md create mode 100644 build-scripts/act.input.env create mode 100644 build-scripts/assemble.sh create mode 100644 build-scripts/baptizer.sh create mode 100644 build-scripts/build.sh create mode 100644 build-scripts/check-version.sh create mode 100644 build-scripts/provision.sh create mode 100644 build-scripts/upstream-version.sh rename distribution/packages/src/common/env/{opensearch => wazuh-indexer} (68%) delete mode 100644 distribution/packages/src/common/systemd/opensearch.conf rename distribution/packages/src/common/systemd/sysctl/{opensearch.conf => wazuh-indexer.conf} (100%) create mode 100644 distribution/packages/src/common/systemd/wazuh-indexer.conf rename distribution/packages/src/common/systemd/{opensearch.service => wazuh-indexer.service} (70%) create mode 100644 distribution/packages/src/common/wazuh-indexer-performance-analyzer.service create mode 100644 distribution/packages/src/deb/Makefile create mode 100644 distribution/packages/src/deb/debian/control create mode 100644 distribution/packages/src/deb/debian/copyright create mode 100644 distribution/packages/src/deb/debian/postinst create mode 100644 distribution/packages/src/deb/debian/preinst create mode 100644 distribution/packages/src/deb/debian/prerm create mode 100644 distribution/packages/src/deb/debian/rules create mode 100644 distribution/packages/src/deb/debmake_install.sh rename distribution/packages/src/deb/init.d/{opensearch => wazuh-indexer} (79%) delete mode 100644 distribution/packages/src/deb/lintian/opensearch create mode 
100644 distribution/packages/src/deb/lintian/wazuh-indexer rename distribution/packages/src/rpm/init.d/{opensearch => wazuh-indexer} (81%) create mode 100644 distribution/packages/src/rpm/wazuh-indexer.cicd.spec create mode 100644 distribution/packages/src/rpm/wazuh-indexer.rpm.spec create mode 100644 distribution/src/bin/indexer-security-init.sh create mode 100644 distribution/src/config/jvm.prod.options create mode 100644 distribution/src/config/opensearch.prod.yml create mode 100644 distribution/src/config/security/internal_users.yml create mode 100644 distribution/src/config/security/roles.yml create mode 100644 distribution/src/config/security/roles_mapping.yml create mode 100644 docker/README.md create mode 100755 docker/ci/ci.sh create mode 100644 docker/ci/ci.yml create mode 100644 docker/ci/images/.dockerignore create mode 100644 docker/ci/images/Dockerfile create mode 100755 docker/dev/dev.sh create mode 100644 docker/dev/dev.yml create mode 100644 docker/dev/images/.dockerignore create mode 100644 docker/dev/images/Dockerfile create mode 100644 docker/prod/Dockerfile create mode 100644 docker/prod/config/config.sh create mode 100644 docker/prod/config/config.yml create mode 100644 docker/prod/config/opensearch.yml create mode 100644 docker/prod/config/securityadmin.sh create mode 100644 docker/prod/entrypoint.sh create mode 100644 ecs/.gitignore create mode 100644 ecs/README.md create mode 100644 ecs/agent/event-generator/event_generator.py create mode 100644 ecs/agent/fields/custom/wazuh-agent.yml create mode 100644 ecs/agent/fields/mapping-settings.json create mode 100644 ecs/agent/fields/subset.yml create mode 100644 ecs/agent/fields/template-settings-legacy.json create mode 100644 ecs/agent/fields/template-settings.json create mode 100644 ecs/alerts/fields/custom/agent.yml create mode 100644 ecs/alerts/fields/mapping-settings.json create mode 100644 ecs/alerts/fields/subset.yml create mode 100644 ecs/alerts/fields/template-settings-legacy.json create 
mode 100644 ecs/alerts/fields/template-settings.json create mode 100644 ecs/command/event-generator/event_generator.py create mode 100644 ecs/command/fields/custom/agent.yml create mode 100644 ecs/command/fields/custom/command.yml create mode 100644 ecs/command/fields/mapping-settings.json create mode 100644 ecs/command/fields/subset.yml create mode 100644 ecs/command/fields/template-settings-legacy.json create mode 100644 ecs/command/fields/template-settings.json create mode 100755 ecs/generate.sh create mode 100644 ecs/states-fim/fields/custom/agent.yml create mode 100644 ecs/states-fim/fields/mapping-settings.json create mode 100644 ecs/states-fim/fields/subset.yml create mode 100644 ecs/states-fim/fields/template-settings-legacy.json create mode 100644 ecs/states-fim/fields/template-settings.json create mode 100644 ecs/states-inventory-packages/fields/custom/agent.yml create mode 100644 ecs/states-inventory-packages/fields/mapping-settings.json create mode 100644 ecs/states-inventory-packages/fields/subset.yml create mode 100644 ecs/states-inventory-packages/fields/template-settings-legacy.json create mode 100644 ecs/states-inventory-packages/fields/template-settings.json create mode 100644 ecs/states-inventory-processes/fields/custom/agent.yml create mode 100644 ecs/states-inventory-processes/fields/mapping-settings.json create mode 100644 ecs/states-inventory-processes/fields/subset.yml create mode 100644 ecs/states-inventory-processes/fields/template-settings-legacy.json create mode 100644 ecs/states-inventory-processes/fields/template-settings.json create mode 100644 ecs/states-inventory-system/fields/custom/agent.yml create mode 100644 ecs/states-inventory-system/fields/mapping-settings.json create mode 100644 ecs/states-inventory-system/fields/subset.yml create mode 100644 ecs/states-inventory-system/fields/template-settings-legacy.json create mode 100644 ecs/states-inventory-system/fields/template-settings.json create mode 100644 
ecs/states-vulnerabilities/event-generator/event_generator.py create mode 100644 ecs/states-vulnerabilities/fields/custom/agent.yml create mode 100644 ecs/states-vulnerabilities/fields/custom/vulnerability.yml create mode 100644 ecs/states-vulnerabilities/fields/custom/wazuh.yml create mode 100644 ecs/states-vulnerabilities/fields/mapping-settings.json create mode 100644 ecs/states-vulnerabilities/fields/subset.yml create mode 100644 ecs/states-vulnerabilities/fields/template-settings-legacy.json create mode 100644 ecs/states-vulnerabilities/fields/template-settings.json create mode 100644 integrations/.gitignore create mode 100644 integrations/README.md create mode 100644 integrations/amazon-security-lake/.dockerignore create mode 100644 integrations/amazon-security-lake/.gitignore create mode 100644 integrations/amazon-security-lake/CONTRIBUTING.md create mode 100644 integrations/amazon-security-lake/Dockerfile create mode 100644 integrations/amazon-security-lake/Makefile create mode 100644 integrations/amazon-security-lake/README.md create mode 100644 integrations/amazon-security-lake/aws-lambda.dockerfile create mode 100644 integrations/amazon-security-lake/images/asl-custom-source-form.jpeg create mode 100644 integrations/amazon-security-lake/images/asl-custom-source.jpeg create mode 100644 integrations/amazon-security-lake/images/asl-lambda-trigger.jpeg create mode 100644 integrations/amazon-security-lake/images/asl-overview.jpeg create mode 100644 integrations/amazon-security-lake/invoke-lambda.sh create mode 100644 integrations/amazon-security-lake/logstash/pipeline/indexer-to-file.conf create mode 100644 integrations/amazon-security-lake/logstash/pipeline/indexer-to-s3.conf create mode 100644 integrations/amazon-security-lake/logstash/setup.sh create mode 100644 integrations/amazon-security-lake/requirements.aws.txt create mode 100644 integrations/amazon-security-lake/requirements.txt create mode 100644 
integrations/amazon-security-lake/src/lambda_function.py create mode 100644 integrations/amazon-security-lake/src/models/__init__.py create mode 100644 integrations/amazon-security-lake/src/models/ocsf.py create mode 100644 integrations/amazon-security-lake/src/models/wazuh.py create mode 100644 integrations/amazon-security-lake/src/wazuh_ocsf_converter.py create mode 100644 integrations/docker/.env create mode 100644 integrations/docker/amazon-security-lake.yml create mode 100644 integrations/docker/compose.amazon-security-lake.yml create mode 100644 integrations/docker/compose.indexer-elastic.yml create mode 100644 integrations/docker/compose.indexer-opensearch.yml create mode 100644 integrations/docker/compose.indexer-splunk.yml create mode 100644 integrations/docker/config/certs.yml create mode 100644 integrations/elastic/Dockerfile create mode 100644 integrations/elastic/README.md create mode 100644 integrations/elastic/dashboards.ndjson create mode 100644 integrations/elastic/logstash/pipeline/es_template.json create mode 100644 integrations/elastic/logstash/pipeline/indexer-to-elastic.conf create mode 100644 integrations/elastic/logstash/setup.sh create mode 100644 integrations/logstash/Dockerfile create mode 100644 integrations/logstash/setup.sh create mode 100644 integrations/opensearch/README.md create mode 100644 integrations/opensearch/dashboards.ndjson create mode 100644 integrations/opensearch/logstash/pipeline/indexer-to-opensearch.conf create mode 100644 integrations/opensearch/logstash/pipeline/os_template.json create mode 100644 integrations/opensearch/opensearch.yml create mode 100644 integrations/opensearch/opensearch_dashboards.yml create mode 100644 integrations/splunk/README.md create mode 100644 integrations/splunk/cfssl/ca.json create mode 100644 integrations/splunk/cfssl/cfssl.json create mode 100644 integrations/splunk/cfssl/host.json create mode 100644 integrations/splunk/config/default.yml create mode 100644 
integrations/splunk/config/indexes.conf create mode 100644 integrations/splunk/logstash/pipeline/indexer-to-splunk.conf create mode 100644 integrations/splunk/logstash/setup.sh create mode 100644 integrations/splunk/wazuh-amazon-aws create mode 100644 integrations/splunk/wazuh-docker-listener create mode 100644 integrations/splunk/wazuh-incident-response create mode 100644 integrations/splunk/wazuh-malware-detection create mode 100644 integrations/splunk/wazuh-pci-dss create mode 100644 integrations/splunk/wazuh-security-events create mode 100644 integrations/splunk/wazuh-vulnerabilities create mode 100644 integrations/tools/events-generator/.dockerignore create mode 100644 integrations/tools/events-generator/.gitignore create mode 100644 integrations/tools/events-generator/Dockerfile create mode 100644 integrations/tools/events-generator/README.md create mode 100644 integrations/tools/events-generator/requirements.txt create mode 100644 integrations/tools/events-generator/run.py create mode 100644 integrations/tools/events-generator/wazuh-alerts/alerts.json create mode 100644 release-notes/wazuh.release-notes-4.9.1.md delete mode 100755 scripts/build.sh create mode 100644 test-tools/README.md create mode 100644 test-tools/Vagrantfile create mode 100644 test-tools/config.yml create mode 100644 test-tools/pre-start.sh create mode 100644 test-tools/scripts/00_run.sh create mode 100644 test-tools/scripts/01_download_and_install_package.sh create mode 100644 test-tools/scripts/02_apply_certificates.sh create mode 100644 test-tools/scripts/03_manage_indexer_service.sh create mode 100644 test-tools/scripts/04_initialize_cluster.sh create mode 100644 test-tools/scripts/05_validate_installed_plugins.sh create mode 100644 test-tools/scripts/06_validate_setup.sh create mode 100644 test-tools/scripts/07_validate_command_manager.sh create mode 100644 test-tools/scripts/08_uninstall_indexer.sh create mode 100644 test-tools/scripts/README.md 
diff --git a/.gitattributes b/.gitattributes index b74462afb27bd..9c3d663f1cf91 100644 --- a/.gitattributes +++ b/.gitattributes @@ -11,3 +11,12 @@ *.crt binary *.p12 binary *.txt text=auto + +# Image +*.ai filter=lfs diff=lfs merge=lfs -text +*.gif filter=lfs diff=lfs merge=lfs -text +*.jpg filter=lfs diff=lfs merge=lfs -text +*.jpeg filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.psd filter=lfs diff=lfs merge=lfs -text +*.tga filter=lfs diff=lfs merge=lfs -text \ No newline at end of file diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 18a310862dfbb..d4f049c6e2c09 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS 
@@ -10,28 +10,4 @@ # 2. Go to a file # 3. Use the command palette to run the CODEOWNERS: Show owners of current file command, which will display all code owners for the current file. -# Default ownership for all repo files -* @anasalkouz @andrross @ashking94 @Bukhtawar @CEHENKLE @dblock @dbwiddis @gbbafna @jainankitk @kotwanikunal @linuxpi @mch2 @msfroh @nknize @owaiskazi19 @reta @Rishikesh1159 @sachinpkale @saratvemulapalli @shwetathareja @sohami @VachaShah - -/modules/lang-painless/ @anasalkouz @andrross @ashking94 @Bukhtawar @CEHENKLE @dblock @dbwiddis @gbbafna @jed326 @kotwanikunal @mch2 @msfroh @nknize @owaiskazi19 @reta @Rishikesh1159 @sachinpkale @saratvemulapalli @shwetathareja @sohami @VachaShah -/modules/parent-join/ @anasalkouz @andrross @ashking94 @Bukhtawar @CEHENKLE @dblock @dbwiddis @gbbafna @jed326 @kotwanikunal @mch2 @msfroh @nknize @owaiskazi19 @reta @Rishikesh1159 @sachinpkale @saratvemulapalli @shwetathareja @sohami @VachaShah -/modules/transport-netty4/ @peternied - -/plugins/identity-shiro/ @peternied - -/server/src/internalClusterTest/java/org/opensearch/index/ @anasalkouz @andrross @ashking94 @Bukhtawar @CEHENKLE @dblock @dbwiddis @gbbafna @jed326 @kotwanikunal @mch2 @msfroh @nknize @owaiskazi19 @reta @Rishikesh1159 @sachinpkale @saratvemulapalli @shwetathareja @sohami @VachaShah -/server/src/internalClusterTest/java/org/opensearch/search/ @anasalkouz @andrross @ashking94 @Bukhtawar @CEHENKLE @dblock @dbwiddis @gbbafna @jed326 @kotwanikunal @mch2 @msfroh @nknize @owaiskazi19 @reta @Rishikesh1159 @sachinpkale @saratvemulapalli @shwetathareja @sohami @VachaShah - -/server/src/main/java/org/opensearch/extensions/ @peternied -/server/src/main/java/org/opensearch/identity/ @peternied -/server/src/main/java/org/opensearch/index/ @anasalkouz @andrross @ashking94 @Bukhtawar @CEHENKLE @dblock @dbwiddis @gbbafna @jed326 @kotwanikunal @mch2 @msfroh @nknize @owaiskazi19 @reta @Rishikesh1159 @sachinpkale @saratvemulapalli @shwetathareja @sohami 
@VachaShah -/server/src/main/java/org/opensearch/search/ @anasalkouz @andrross @ashking94 @Bukhtawar @CEHENKLE @dblock @dbwiddis @gbbafna @jed326 @kotwanikunal @mch2 @msfroh @nknize @owaiskazi19 @reta @Rishikesh1159 @sachinpkale @saratvemulapalli @shwetathareja @sohami @VachaShah -/server/src/main/java/org/opensearch/threadpool/ @jed326 @peternied -/server/src/main/java/org/opensearch/transport/ @peternied - -/server/src/test/java/org/opensearch/index/ @anasalkouz @andrross @ashking94 @Bukhtawar @CEHENKLE @dblock @dbwiddis @gbbafna @jed326 @kotwanikunal @mch2 @msfroh @nknize @owaiskazi19 @reta @Rishikesh1159 @sachinpkale @saratvemulapalli @shwetathareja @sohami @VachaShah -/server/src/test/java/org/opensearch/search/ @anasalkouz @andrross @ashking94 @Bukhtawar @CEHENKLE @dblock @dbwiddis @gbbafna @jed326 @kotwanikunal @mch2 @msfroh @nknize @owaiskazi19 @reta @Rishikesh1159 @sachinpkale @saratvemulapalli @shwetathareja @sohami @VachaShah - -/.github/ @jed326 @peternied - -/MAINTAINERS.md @anasalkouz @andrross @ashking94 @Bukhtawar @CEHENKLE @dblock @dbwiddis @gaobinlong @gbbafna @jed326 @kotwanikunal @mch2 @msfroh @nknize @owaiskazi19 @peternied @reta @Rishikesh1159 @sachinpkale @saratvemulapalli @shwetathareja @sohami @VachaShah +* @wazuh/devel-indexer diff --git a/.github/ISSUE_TEMPLATE/bug_template.md b/.github/ISSUE_TEMPLATE/bug_template.md index be3ae51b237ee..68b901cf8888e 100644 --- a/.github/ISSUE_TEMPLATE/bug_template.md +++ b/.github/ISSUE_TEMPLATE/bug_template.md @@ -2,7 +2,7 @@ name: 🐛 Bug report about: Create a report to help us improve title: "[BUG]" -labels: 'bug, untriaged' +labels: ["type/bug", "level/task"] assignees: '' --- diff --git a/.github/ISSUE_TEMPLATE/compatibility_request.md b/.github/ISSUE_TEMPLATE/compatibility_request.md new file mode 100644 index 0000000000000..0c596ff4a116b --- /dev/null +++ b/.github/ISSUE_TEMPLATE/compatibility_request.md 
@@ -0,0 +1,24 @@ +--- +name: Compatibility request +about: Suggest supporting a new version of OpenSearch +title: 'Compatibility with OpenSearch (version)' +labels: request/operational, level/task, type/research +assignees: '' + +--- + +## Description +We need to ensure the compatibility with the next version of OpenSearch vX.X. +This update is still being discussed, but we need to be aware of potential issues. + +For that, we need to: + +- [ ] Review opensearch's release notes. +- [ ] Identify improvements and potential impact. +- [ ] Identify changes on upstream files (listed on https://github.com/wazuh/wazuh-indexer/issues/94) +- [ ] Create new development branch. +- [ ] Develop a testing environment to verify our components would work under this new build. +- [ ] Indexer-Dashboard compatibility testing (open issue using the [template](https://github.com/wazuh/wazuh-indexer/issues/new/choose)). + +## Issues +- _List here the detected issues_ diff --git a/.github/ISSUE_TEMPLATE/compatibility_test.md b/.github/ISSUE_TEMPLATE/compatibility_test.md new file mode 100644 index 0000000000000..a14da499694b2 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/compatibility_test.md 
@@ -0,0 +1,27 @@ +--- +name: Indexer-Dashboard compatibility testing with OpenSearch +about: Issue to perform internal testing of Indexer-Dashboard packages under a new version of OpenSearch +title: 'Indexer-Dashboard testing under OpenSearch (version)' +labels: request/operational, level/task, type/test +assignees: '' + +--- + + +## Description + +We need to ensure our components work under the new version of OpenSearch. The goal of this issue is to test our packages, their lifecycle and the main correct communication of Indexer and Dashboard. + +For that, we need to: + +- [x] (Prerequisite) \ +- [x] (Prerequisite) \ +- [ ] Verify the packages installs +- [ ] Verify the package upgrades: \ ⇾ \ +- [ ] Indexer-Dashboard communication works + + +Tests must be performed following the official documentation under RHEL 9 and Ubuntu 22.04 operating systems, or newer versions if available and supported. + +## Issues +- _List here the detected issues_ diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md index 53b3614a34342..156e627041b39 100644 --- a/.github/ISSUE_TEMPLATE/feature_request.md +++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -2,7 +2,7 @@ name: 🎆 Feature request about: Suggest an idea for this project title: '' -labels: 'enhancement, untriaged' +labels: ["type/enhancement", "level/task"] assignees: '' --- diff --git a/.github/ISSUE_TEMPLATE/feature_template.md b/.github/ISSUE_TEMPLATE/feature_template.md new file mode 100644 index 0000000000000..2237d7f3b2888 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_template.md @@ -0,0 +1,23 @@ +--- +name: "Feature template" +about: "[Internal] Used within Wazuh dev team to describe a new development of a produt's feature." +title: "" +labels: ["type/enhancement", "level/task"] +assignees: "" +--- + +## Description + +... + +## Functional requirements + +- ... + +## Implementation restrictions + +- ... + +## Plan + +- [ ] ... 
diff --git a/.github/ISSUE_TEMPLATE/operational--integrations_maintenance_request.md b/.github/ISSUE_TEMPLATE/operational--integrations_maintenance_request.md new file mode 100644 index 0000000000000..b30b55fe77e5d --- /dev/null +++ b/.github/ISSUE_TEMPLATE/operational--integrations_maintenance_request.md @@ -0,0 +1,30 @@ +--- +name: Integrations maintenance request +about: Used by the Indexer team to maintain third-party software integrations and track the results. +title: Integrations maintenance request +labels: level/task, request/operational, type/maintenance +assignees: "" +--- + +## Description + +The Wazuh Indexer team is responsible for the maintenance of the third-party integrations hosted in the wazuh/wazuh-indexer repository. We must ensure these integrations work under new releases of the third-party software (Splunk, Elastic, Logstash, …) and our own. + +For that, we need to: + +- [ ] Create a pull request that upgrades the components to the latest version. +- [ ] Update our testing environments to verify the integrations work under new versions. +- [ ] Test the integrations, checking that: + - The Docker Compose project starts without errors. + - The data arrives to the destination. + - All the dashboards can be imported successfully. + - All the dashboards are populated with data. +- [ ] Finally, upgrade the compatibility matrix in integrations/README.md with the new versions. + +> [!NOTE] +> * For Logstash, we use the logstash-oss image. +> * For Wazuh Indexer and Wazuh Dashboard, we use the opensearch and opensearch-dashboards images. These must match the opensearch version that we support (e.g: for Wazuh 4.9.0 it is OpenSearch 2.13.0). + +## Issues + +- _List here the detected issues_ diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 00dc16d3c36a3..5213d0f36f83b 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -4,601 +4,721 @@ updates: package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /benchmarks/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /buildSrc/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /buildSrc/reaper/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /buildSrc/src/integTest/resources/org/opensearch/gradle/internal/fake_git/remote/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /buildSrc/src/integTest/resources/org/opensearch/gradle/internal/fake_git/remote/distribution/archives/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /buildSrc/src/integTest/resources/org/opensearch/gradle/internal/fake_git/remote/distribution/archives/darwin-tar/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /buildSrc/src/integTest/resources/org/opensearch/gradle/internal/fake_git/remote/distribution/archives/oss-darwin-tar/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /buildSrc/src/integTest/resources/org/opensearch/gradle/internal/fake_git/remote/distribution/bwc/bugfix/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /buildSrc/src/integTest/resources/org/opensearch/gradle/internal/fake_git/remote/distribution/bwc/minor/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /buildSrc/src/testKit/opensearch-build-resources/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /buildSrc/src/testKit/opensearch.build/ open-pull-requests-limit: 
1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /buildSrc/src/testKit/reaper/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /buildSrc/src/testKit/symbolic-link-preserving-tar/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /buildSrc/src/testKit/testingConventions/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /buildSrc/src/testKit/thirdPartyAudit/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /buildSrc/src/testKit/thirdPartyAudit/sample_jars/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /client/benchmark/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /client/client-benchmark-noop-api-plugin/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /client/rest/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /client/rest-high-level/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /client/sniffer/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /client/test/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /distribution/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /distribution/archives/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /distribution/archives/darwin-tar/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: 
interval: weekly + day: "friday" - directory: /distribution/archives/integ-test-zip/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /distribution/archives/linux-arm64-tar/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /distribution/archives/linux-tar/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /distribution/archives/no-jdk-darwin-tar/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /distribution/archives/no-jdk-linux-tar/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /distribution/archives/no-jdk-windows-zip/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /distribution/archives/windows-zip/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /distribution/bwc/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /distribution/bwc/bugfix/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /distribution/bwc/maintenance/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /distribution/bwc/minor/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /distribution/bwc/staged/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /distribution/docker/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /distribution/docker/docker-arm64-export/ open-pull-requests-limit: 1 package-ecosystem: gradle 
schedule: interval: weekly + day: "friday" - directory: /distribution/docker/docker-build-context/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /distribution/docker/docker-export/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /distribution/packages/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /distribution/packages/arm64-deb/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /distribution/packages/arm64-rpm/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /distribution/packages/deb/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /distribution/packages/no-jdk-deb/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /distribution/packages/no-jdk-rpm/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /distribution/packages/rpm/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /distribution/tools/java-version-checker/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /distribution/tools/keystore-cli/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /distribution/tools/launchers/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /distribution/tools/plugin-cli/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /distribution/tools/upgrade-cli/ open-pull-requests-limit: 1 
package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /doc-tools/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /doc-tools/missing-doclet/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /libs/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /libs/cli/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /libs/core/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /libs/dissect/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /libs/geo/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /libs/grok/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /libs/nio/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /libs/plugin-classloader/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /libs/secure-sm/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /libs/ssl-config/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /libs/x-content/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /modules/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /modules/aggs-matrix-stats/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /modules/analysis-common/ 
open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /modules/geo/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /modules/ingest-common/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /modules/ingest-geoip/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /modules/ingest-user-agent/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /modules/lang-expression/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /modules/lang-mustache/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /modules/lang-painless/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /modules/lang-painless/spi/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /modules/mapper-extras/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /modules/opensearch-dashboards/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /modules/parent-join/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /modules/percolator/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /modules/rank-eval/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /modules/reindex/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: 
/modules/repository-url/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /modules/systemd/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /modules/transport-netty4/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /modules/crypto/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/analysis-icu/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/analysis-kuromoji/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/analysis-nori/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/analysis-phonetic/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/analysis-smartcn/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/analysis-stempel/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/analysis-ukrainian/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/discovery-azure-classic/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/discovery-ec2/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/discovery-ec2/qa/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: 
"friday" - directory: /plugins/discovery-ec2/qa/amazon-ec2/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/discovery-gce/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/discovery-gce/qa/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/discovery-gce/qa/gce/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/examples/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/examples/custom-settings/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/examples/custom-significance-heuristic/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/examples/custom-suggester/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/examples/painless-whitelist/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/examples/rescore/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/examples/rest-handler/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/examples/script-expert-scoring/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/ingest-attachment/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/mapper-annotated-text/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: 
"friday" - directory: /plugins/mapper-murmur3/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/mapper-size/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/repository-azure/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/repository-gcs/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/repository-hdfs/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/repository-s3/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/store-smb/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /plugins/transport-nio/ open-pull-requests-limit: 1 package-ecosystem: gradle 
@@ -609,274 +729,329 @@ updates: package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/ccs-unavailable-clusters/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/die-with-dignity/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/evil-tests/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/full-cluster-restart/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/logging-config/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/mixed-cluster/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/multi-cluster-search/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/no-bootstrap-tests/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/os/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/os/centos-6/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/os/centos-7/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/os/debian-8/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/os/debian-9/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/os/fedora-28/ open-pull-requests-limit: 1 package-ecosystem: gradle 
schedule: interval: weekly + day: "friday" - directory: /qa/os/fedora-29/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/os/oel-6/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/os/oel-7/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/os/sles-12/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/os/ubuntu-1604/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/os/ubuntu-1804/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/os/windows-2012r2/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/os/windows-2016/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/remote-clusters/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/repository-multi-version/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/rolling-upgrade/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/smoke-test-http/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/smoke-test-ingest-disabled/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/smoke-test-ingest-with-all-dependencies/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/smoke-test-multinode/ open-pull-requests-limit: 1 package-ecosystem: gradle 
schedule: interval: weekly + day: "friday" - directory: /qa/smoke-test-plugins/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/translog-policy/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/unconfigured-node-name/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/verify-version-constants/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /qa/wildfly/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /rest-api-spec/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /sandbox/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /sandbox/libs/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /sandbox/modules/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /sandbox/plugins/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /server/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /test/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /test/external-modules/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /test/external-modules/delayed-aggs/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /test/fixtures/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: 
/test/fixtures/azure-fixture/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /test/fixtures/gcs-fixture/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /test/fixtures/hdfs-fixture/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /test/fixtures/krb5kdc-fixture/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /test/fixtures/minio-fixture/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /test/fixtures/old-elasticsearch/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /test/fixtures/s3-fixture/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /test/framework/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" - directory: /test/logger-usage/ open-pull-requests-limit: 1 package-ecosystem: gradle schedule: interval: weekly + day: "friday" version: 2 diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 0000000000000..d5ac8c335d163 --- /dev/null +++ b/.github/workflows/build.yml 
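Review bot: every `package-ecosystem: gradle` entry in these two hunks gains `day: "friday"` but no `time` or `timezone`, so all of them fire at Dependabot's default hour of that day, and with `open-pull-requests-limit: 1` per directory any entry whose directory no longer carries a Gradle build file in this fork (for instance the `qa/os/*` or `test/fixtures/old-elasticsearch/` trees, if they were dropped during the migration) only surfaces as an error in the Dependabot log, never as a PR. Please confirm each listed directory still exists and contains a build file, and consider collapsing the repeated blocks into a single entry with a `directories:` list, which current Dependabot configuration syntax accepts, so the next schedule change is a one-line edit instead of several hundred.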
@@ -0,0 +1,327 @@ +run-name: Build ${{ inputs.distribution }} Wazuh Indexer on ${{ inputs.architecture }} | ${{ inputs.id }} +name: Build packages (on demand) + +# This workflow runs when any of the following occur: +# - Run manually +# - Invoked from another workflow +on: + workflow_dispatch: + inputs: + revision: + description: "Revision" + type: string + default: "0" + upload: + description: "Upload ?" + type: boolean + default: false + is_stage: + description: "Is stage ?" + type: boolean + default: false + distribution: + description: '[ "tar", "rpm", "deb" ]' + type: string + default: '[ "rpm", "deb" ]' + architecture: + description: '[ "x64", "arm64" ]' + type: string + default: '[ "x64", "arm64" ]' + checksum: + description: "Checksum ?" + type: boolean + default: false + id: + description: "ID used to identify the workflow uniquely." + type: string + required: false + wazuh_plugins_ref: + description: "Branch, commit or tag for the wazuh-indexer-plugins repository" + type: string + default: "master" + reporting_plugin_ref: + description: "Branch, commit or tag for the wazuh-indexer-reporting repository" + type: string + default: "master" + workflow_call: + inputs: + revision: + description: "Revision" + type: string + default: "0" + upload: + description: "Upload ?" + type: boolean + default: false + is_stage: + description: "Is stage ?" + type: boolean + default: false + distribution: + description: '[ "tar", "rpm", "deb" ]' + type: string + default: '[ "rpm", "deb" ]' + architecture: + description: '[ "x64", "arm64" ]' + type: string + default: '[ "x64", "arm64" ]' + checksum: + description: "Checksum ?" 
+ type: boolean + default: false + id: + type: string + required: false + wazuh_plugins_ref: + description: "Branch, commit or tag for the wazuh-indexer-plugins repository" + type: string + default: "master" + reporting_plugin_ref: + description: "Branch, commit or tag for the wazuh-indexer-reporting repository" + type: string + default: "master" + secrets: + CI_INTERNAL_DEVELOPMENT_BUCKET_USER_ACCESS_KEY: + required: true + description: "AWS user access key" + CI_INTERNAL_DEVELOPMENT_BUCKET_USER_SECRET_KEY: + required: true + description: "AWS user secret key" + +# ========================== +# Bibliography +# ========================== +# +# * Reusable workflows: limitations +# | https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations +# * Using matrix in reusable workflows: +# | https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-a-matrix-strategy-with-a-reusable-workflow +# * Reading input from the called workflow +# | https://docs.github.com/en/enterprise-cloud@latest/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_callinputs +# * Ternary operator +# | https://docs.github.com/en/actions/learn-github-actions/expressions#example + +jobs: + matrix: + name: Set up matrix + runs-on: ubuntu-22.04 + outputs: + matrix: ${{ steps.setup.outputs.matrix }} + steps: + - id: setup + run: | + matrix=$(jq -cn \ + --argjson distribution '${{ inputs.distribution }}' \ + --argjson architecture '${{ inputs.architecture }}' \ + '{distribution: $distribution, architecture: $architecture}' + ) + echo "matrix=$matrix" >> $GITHUB_OUTPUT + + build-wazuh-plugins: + if: ${{ inputs.wazuh_plugins_ref != '' }} + strategy: + fail-fast: false + matrix: + plugins: ["setup", "command-manager"] + runs-on: ubuntu-latest + env: + plugin_name: wazuh-indexer-${{ matrix.plugins }} + outputs: + hash: ${{ steps.save-hash.outputs.hash }} + steps: + - uses: actions/checkout@v4 + with: + repository: wazuh/wazuh-indexer-plugins + ref: 
${{ inputs.wazuh_plugins_ref }} + + - uses: actions/setup-java@v4 + with: + distribution: temurin + java-version: 21 + + - name: Setup Gradle + uses: gradle/actions/setup-gradle@v4 + + - name: Get version + id: version + run: echo "version=$(> "$GITHUB_OUTPUT" + + - name: Build with Gradle + working-directory: ./plugins/${{ matrix.plugins }} + run: ./gradlew build -Dversion=${{ steps.version.outputs.version }} -Drevision=${{ inputs.revision }} + + - run: ls -lR build/distributions + working-directory: ./plugins/${{ matrix.plugins }} + + - name: Save commit hash + id: save-hash + run: echo "hash=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" + + - name: Upload artifact + uses: actions/upload-artifact@v4 + with: + name: ${{ env.plugin_name }}-${{ steps.version.outputs.version }}.${{ inputs.revision }}.zip + path: "./plugins/${{ matrix.plugins }}/build/distributions/${{ env.plugin_name }}-${{ steps.version.outputs.version }}.${{ inputs.revision }}.zip" + if-no-files-found: error + + build-reporting-plugin: + if: ${{ inputs.reporting_plugin_ref != '' }} + runs-on: ubuntu-latest + outputs: + hash: ${{ steps.save-hash.outputs.hash }} + env: + plugin_name: wazuh-indexer-reports-scheduler + steps: + - uses: actions/checkout@v4 + with: + repository: wazuh/wazuh-indexer-reporting + ref: ${{ inputs.reporting_plugin_ref }} + + - uses: actions/setup-java@v4 + with: + distribution: temurin + java-version: 21 + + - name: Setup Gradle # Used for caching + uses: gradle/actions/setup-gradle@v4 + + - name: Get version + id: version + run: echo "version=$(> "$GITHUB_OUTPUT" + + - name: Build with Gradle + run: ./gradlew build -Dversion=${{ steps.version.outputs.version }} -Drevision=${{ inputs.revision }} + + - run: ls -lR build/distributions + + - name: Save commit hash + id: save-hash + run: echo "hash=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT" + + - name: Upload artifact + uses: actions/upload-artifact@v4 + with: + name: ${{ env.plugin_name }}-${{ 
steps.version.outputs.version }}.${{ inputs.revision }}.zip + path: build/distributions/${{ env.plugin_name }}-${{ steps.version.outputs.version }}.${{ inputs.revision }}.zip + if-no-files-found: error + + build: + needs: [matrix, build-wazuh-plugins, build-reporting-plugin] + runs-on: ${{ matrix.architecture == 'arm64' && 'wz-linux-arm64' || 'ubuntu-22.04' }} + strategy: + fail-fast: false + matrix: ${{ fromJson(needs.matrix.outputs.matrix) }} + steps: + - uses: actions/checkout@v4 + + # Download plugins + - name: Download plugins + uses: actions/download-artifact@v4 + if: ${{ inputs.wazuh_plugins_ref != '' || inputs.reporting_plugin_ref != ''}} + with: + path: ./artifacts/plugins + merge-multiple: true + + - name: Display structure of downloaded files + if: ${{ inputs.wazuh_plugins_ref != '' || inputs.reporting_plugin_ref != ''}} + run: ls -lR ./artifacts/plugins + + - uses: actions/setup-java@v4 + with: + distribution: temurin + java-version: 21 + + - name: Setup Gradle + uses: gradle/actions/setup-gradle@v4 + + - name: Provision + if: ${{ matrix.distribution == 'deb' }} + run: | + sudo bash build-scripts/provision.sh + + - name: Run `baptizer.sh` (min) + run: | + name=$(bash build-scripts/baptizer.sh -m \ + -a ${{ matrix.architecture }} \ + -d ${{ matrix.distribution }} \ + -r ${{ inputs.revision }} \ + -l ${{ needs.build-wazuh-plugins.outputs.hash }} \ + -e ${{ needs.build-reporting-plugin.outputs.hash }} \ + ${{ inputs.is_stage && '-x' || '' }} \ + ) + echo "name=$name" >> $GITHUB_OUTPUT + id: min_package + + - name: Run `baptizer.sh` + run: | + name=$(bash build-scripts/baptizer.sh \ + -a ${{ matrix.architecture }} \ + -d ${{ matrix.distribution }} \ + -r ${{ inputs.revision }} \ + -l ${{ needs.build-wazuh-plugins.outputs.hash }} \ + -e ${{ needs.build-reporting-plugin.outputs.hash }} \ + ${{ inputs.is_stage && '-x' || '' }} \ + ) + echo "name=$name" >> $GITHUB_OUTPUT + id: package + + - name: Run `build.sh` + run: | + bash build-scripts/build.sh \ + -a ${{ 
matrix.architecture }} \ + -d ${{ matrix.distribution }} \ + -n ${{ steps.min_package.outputs.name }} + + - name: Run `assemble.sh` + run: | + bash build-scripts/assemble.sh \ + -a ${{ matrix.architecture }} \ + -d ${{ matrix.distribution }} \ + -r ${{ inputs.revision }} + + - name: Test RPM package + if: ${{ matrix.distribution == 'rpm' }} + uses: addnab/docker-run-action@v3 + with: + image: redhat/ubi9:latest + options: -v ${{ github.workspace }}/artifacts/dist:/artifacts/dist + run: | + yum localinstall "/artifacts/dist/${{ steps.package.outputs.name }}" -y + + - name: Test DEB package + if: ${{ matrix.distribution == 'deb' }} + run: | + sudo dpkg -i "artifacts/dist/${{ steps.package.outputs.name }}" + + - name: Upload artifact + uses: actions/upload-artifact@v4 + with: + name: ${{ steps.package.outputs.name }} + path: artifacts/dist/${{ steps.package.outputs.name }} + if-no-files-found: error + + - name: Set up AWS CLI + if: ${{ inputs.upload }} + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.CI_INTERNAL_DEVELOPMENT_BUCKET_USER_ACCESS_KEY }} + aws-secret-access-key: ${{ secrets.CI_INTERNAL_DEVELOPMENT_BUCKET_USER_SECRET_KEY }} + aws-region: ${{ secrets.CI_AWS_REGION }} + + - name: Upload package to S3 + if: ${{ inputs.upload }} + run: | + src="artifacts/dist/${{ steps.package.outputs.name }}" + dest="s3://packages-dev.internal.wazuh.com/development/wazuh/5.x/main/packages/" + aws s3 cp "$src" "$dest" + s3uri="${dest}${{ steps.package.outputs.name }}" + echo "::notice::S3 URI: ${s3uri}" + + - name: Upload checksum to S3 + if: ${{ inputs.upload && inputs.checksum }} + run: | + src="artifacts/dist/${{ steps.package.outputs.name }}.sha512" + dest="s3://packages-dev.internal.wazuh.com/development/wazuh/5.x/main/packages/" + aws s3 cp "$src" "$dest" + s3uri="${dest}${{ steps.package.outputs.name }}.sha512" + echo "::notice::S3 sha512 URI: ${s3uri}" 
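Review bot: `build` declares `needs: [matrix, build-wazuh-plugins, build-reporting-plugin]`, but both plugin jobs are guarded by `if: ${{ inputs.wazuh_plugins_ref != '' }}` and `if: ${{ inputs.reporting_plugin_ref != '' }}`; when either ref is empty that job is skipped, and a job whose dependency was skipped is skipped too unless it carries `if: ${{ !cancelled() }}` or `always()`, so the `inputs.wazuh_plugins_ref != '' || inputs.reporting_plugin_ref != ''` guards on the download steps can never take their false branch. Either make both refs required and drop the guards, or add `if: ${{ !cancelled() && needs.matrix.result == 'success' }}` to `build` and handle an empty `needs.*.outputs.hash`, since an empty value in `-l ${{ needs.build-wazuh-plugins.outputs.hash }} -e ...` makes `getopts` consume `-e` as the argument of `-l`. Separately, `inputs.revision`, `inputs.distribution`, `inputs.architecture` and `steps.version.outputs.version` are expanded directly into `run:` bodies (`--argjson distribution '${{ inputs.distribution }}'`, `./gradlew build -Dversion=... -Drevision=${{ inputs.revision }}`), which is the script-injection pattern GitHub's security hardening guide warns about; route them through `env:` and quote them in the script. The workflow has no `permissions:` block, so `GITHUB_TOKEN` receives the repository default where `contents: read` is all that is needed here. `secrets.CI_AWS_REGION` is consumed by `aws-actions/configure-aws-credentials@v4` but is not declared under `workflow_call.secrets`, so a caller that does not use `secrets: inherit` gets an empty region; declare it, or better, switch to OIDC (`role-to-assume` with `id-token: write`) and retire the long-lived access keys. Finally, `addnab/docker-run-action@v3` and `gradle/actions/setup-gradle@v4` are referenced by mutable tag; pin third-party actions to a commit SHA.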
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000000000..f64712e90bd53 --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,21 @@ +name: CI + +# This workflow runs when any of the following occur: +# - On push to branches named after ci/* +on: + pull_request: + # Sequence of patterns matched against refs/heads + branches: + - "migrate-*" + - "ci/*" + +jobs: + call-test-workflow: + # uses: ./.github/workflows/test.yml + runs-on: ubuntu-22.04 + steps: + - run: | + ./gradlew assemble --parallel --no-build-cache -PDISABLE_BUILD_CACHE + call-build-workflow: + uses: ./.github/workflows/build.yml + secrets: inherit diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000000000..151be09ec95e6 --- /dev/null +++ b/.github/workflows/codeql.yml 
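Review bot: `call-test-workflow` runs `./gradlew assemble --parallel --no-build-cache -PDISABLE_BUILD_CACHE` with no `actions/checkout` (and no `setup-java`) step before it, so the wrapper is not on the runner and the job cannot succeed; add the checkout, or restore the commented `uses: ./.github/workflows/test.yml` once that workflow exists. The header comment says the workflow runs "on push to branches named after ci/*", but the trigger is `pull_request` with `branches: ["migrate-*", "ci/*"]`, and for `pull_request` the `branches` filter matches the base branch, not the head; align the comment with the trigger or change it to `push`. `call-build-workflow` passes no `inputs`, so every matching PR builds the default `rpm`/`deb` by `x64`/`arm64` matrix, and the arm64 leg lands on `wz-linux-arm64`, which looks like a self-hosted label; running `pull_request` workloads from forks on self-hosted runners is something GitHub advises against for public repositories, so restrict the trigger or gate it on approval if that runner is self-hosted.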
@@ -0,0 +1,78 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + schedule: + - cron: '00 8 * * 5' + workflow_dispatch: + +jobs: + analyze: + name: Analyze + # Runner size impacts CodeQL analysis time. To learn more, please see: + # - https://gh.io/recommended-hardware-resources-for-running-codeql + # - https://gh.io/supported-runners-and-hardware-resources + # - https://gh.io/using-larger-runners + # Consider using larger runners for possible analysis time improvements. + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'java' ] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ] + # Use only 'java' to analyze code written in Java, Kotlin or both + # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. 
+ # Prefix the list here with "+" to use these queries and those in the config file. + + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v2 + + # ℹ️ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/maintainer-approval.yml b/.github/workflows/maintainer-approval.yml deleted file mode 100644 index 34e8f57cc1878..0000000000000 --- a/.github/workflows/maintainer-approval.yml +++ /dev/null 
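Review bot: the scan runs only `on: schedule` (`'00 8 * * 5'`) and `workflow_dispatch`, so no pull request is analyzed before merge and findings never gate a change; add `pull_request` and `push` for the protected branches. The file also pins `actions/checkout@v3` and `github/codeql-action/init|autobuild|analyze@v2` while the rest of this PR moves to `checkout@v4`; CodeQL Action v2 is deprecated, so use `@v3` and `checkout@v4` here as well. With a `java`-only `matrix.language`, the `swift`/`macos-latest` branches in `runs-on` and `timeout-minutes` are dead template code and can be removed, and the commented `queries: security-extended,security-and-quality` line is worth enabling for a security-focused fork rather than leaving it as a comment.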
@@ -1,32 +0,0 @@ -name: Maintainers approval - -on: - pull_request_review: - -jobs: - maintainer-approved-check: - name: Minimum approval count - runs-on: ubuntu-latest - steps: - - id: find-maintainers - uses: actions/github-script@v7 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - result-encoding: string - script: | - // Get the collaborators - filtered to maintainer permissions - const maintainersResponse = await github.request('GET /repos/{owner}/{repo}/collaborators', { - owner: context.repo.owner, - repo: context.repo.repo, - permission: 'maintain', - affiliation: 'all', - per_page: 100 - }); - - return maintainersResponse.data.map(item => item.login).join(', '); - - - uses: peternied/required-approval@v1.3 - with: - token: ${{ secrets.GITHUB_TOKEN }} - min-required: 1 - required-approvers-list: ${{ steps.find-maintainers.outputs.result }} diff --git a/.github/workflows/version_check.yml b/.github/workflows/version_check.yml new file mode 100644 index 0000000000000..060b2be3332dc --- /dev/null +++ b/.github/workflows/version_check.yml @@ -0,0 +1,15 @@ +name: Version check + +on: + push: + paths: + - "VERSION" + +jobs: + check-version: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Check version + run: bash build-scripts/check-version.sh diff --git a/.gitignore b/.gitignore index 82914fb4fc1e7..376d0efeed3a3 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,14 @@ +# build files +artifacts/ +*.deb +*.rpm +*.zip +*.tar.gz + +integrations/amazon-security-lake/package + +.java +.m2 # intellij files .idea/ @@ -63,4 +74,4 @@ testfixtures_shared/ .ci/jobs/ # build files generated -doc-tools/missing-doclet/bin/ \ No newline at end of file +doc-tools/missing-doclet/bin/ diff --git a/CHANGELOG.md b/CHANGELOG.md index a17f8a82006ab..24eb4fa39a38c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
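Review bot: deleting `maintainer-approval.yml` removes the only automated check that a PR carries at least one approval from a collaborator with `maintain` permission (`peternied/required-approval` with `min-required: 1`), and nothing else in this patch replaces it. If branch protection or a repository ruleset now enforces maintainer review, say so in the commit message; otherwise keep (or port) the workflow so the gate survives the fork.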
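Review bot: `version_check.yml` triggers only on `push` with `paths: - "VERSION"`, so a pull request that changes `VERSION` is validated only after it lands on the branch; add a `pull_request` trigger with the same path filter so `build-scripts/check-version.sh` runs before merge. Make sure `build-scripts/check-version.sh` is part of the same change (it does not appear in the hunks above), and pin `actions/checkout@v4` to a commit SHA as for the other workflows.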
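Review bot: in the `.gitignore` hunk, `.java` and `.m2` carry no trailing slash or glob, so each matches only a file or directory literally named `.java` or `.m2`. If the intent is to ignore the Maven local repository created during the build, `.m2/` is clearer, and `.java` is unlikely to be what was meant (it does not ignore `*.java` sources, which should stay tracked anyway); please clarify or drop that entry.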
@@ -3,7 +3,7 @@ All notable changes to this project are documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). See the [CONTRIBUTING guide](./CONTRIBUTING.md#Changelog) for instructions on how to add changelog entries. -## [Unreleased 2.17.x] +## [Unreleased 5.0.x] ### Added - Add path prefix support to hashed prefix snapshots ([#15664](https://github.com/opensearch-project/OpenSearch/pull/15664)) - Memory optimisations in _cluster/health API ([#15492](https://github.com/opensearch-project/OpenSearch/pull/15492)) @@ -11,6 +11,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), ### Dependencies ### Changed +- Upgrade third-party integrations to the latest versions ([#447](https://github.com/wazuh/wazuh-indexer/pull/447)) ### Deprecated @@ -21,4 +22,4 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), ### Security -[Unreleased 2.17.x]: https://github.com/opensearch-project/OpenSearch/compare/01c5e5642b7450bba2f3a21acdf8cf13539f65eb...2.17 +[Unreleased 5.0.x]: https://github.com/wazuh/wazuh-indexer/compare/4.10.2...master diff --git a/README.md b/README.md index 802817ec9cff3..3fbf64979dbc6 100644 --- a/README.md +++ b/README.md @@ -1,12 +1,16 @@ - +

+ +

-[![Chat](https://img.shields.io/badge/chat-on%20forums-blue)](https://forum.opensearch.org/c/opensearch/) -[![Documentation](https://img.shields.io/badge/documentation-reference-blue)](https://opensearch.org/docs/latest/opensearch/index/) +[![Chat](https://img.shields.io/badge/chat-on%20forums-blue)](https://groups.google.com/forum/#!forum/wazuh) +[![Slack](https://img.shields.io/badge/slack-join-blue.svg)](https://wazuh.com/community/join-us-on-slack) +[![Documentation](https://img.shields.io/badge/documentation-reference-blue)](https://documentation.wazuh.com) [![codecov](https://codecov.io/gh/opensearch-project/OpenSearch/branch/2.x/graph/badge.svg)](https://codecov.io/gh/opensearch-project/OpenSearch) [![GHA gradle check](https://github.com/opensearch-project/OpenSearch/actions/workflows/gradle-check.yml/badge.svg)](https://github.com/opensearch-project/OpenSearch/actions/workflows/gradle-check.yml) [![GHA validate pull request](https://github.com/opensearch-project/OpenSearch/actions/workflows/wrapper.yml/badge.svg)](https://github.com/opensearch-project/OpenSearch/actions/workflows/wrapper.yml) [![GHA precommit](https://github.com/opensearch-project/OpenSearch/actions/workflows/precommit.yml/badge.svg)](https://github.com/opensearch-project/OpenSearch/actions/workflows/precommit.yml) [![Jenkins gradle check job](https://img.shields.io/jenkins/build?jobUrl=https%3A%2F%2Fbuild.ci.opensearch.org%2Fjob%2Fgradle-check%2F&label=Jenkins%20Gradle%20Check)](https://build.ci.opensearch.org/job/gradle-check/) +[![Build packages](https://github.com/wazuh/wazuh-indexer/actions/workflows/build.yml/badge.svg)](https://github.com/wazuh/wazuh-indexer/actions/workflows/build.yml) - [Welcome!](#welcome) 
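Review bot: in the badge block, the `codecov`, `gradle-check`, `wrapper`, `precommit` and Jenkins badges still point at `opensearch-project/OpenSearch`, so the README shows upstream build status next to the new Wazuh `Build packages` badge; either drop them or repoint them at `wazuh/wazuh-indexer` workflows that actually exist in this repository.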
@@ -19,16 +23,17 @@ ## Welcome! -**OpenSearch** is [a community-driven, open source fork](https://aws.amazon.com/blogs/opensource/introducing-opensearch/) of [Elasticsearch](https://en.wikipedia.org/wiki/Elasticsearch) and [Kibana](https://en.wikipedia.org/wiki/Kibana) following the [license change](https://blog.opensource.org/the-sspl-is-not-an-open-source-license/) in early 2021. We're looking to sustain (and evolve!) a search and analytics suite for the multitude of businesses who are dependent on the rights granted by the original, [Apache v2.0 License](LICENSE.txt). +The Wazuh indexer is a highly scalable, full-text search and analytics engine. This Wazuh central component indexes and stores alerts generated by the Wazuh server and provides near real-time data search and analytics capabilities. + +Wazuh indexer is a open source fork of [OpenSearch](https://github.com/opensearch-project/opensearch). ## Project Resources -* [Project Website](https://opensearch.org/) -* [Downloads](https://opensearch.org/downloads.html) -* [Documentation](https://opensearch.org/docs/) -* Need help? Try [Forums](https://discuss.opendistrocommunity.dev/) -* [Project Principles](https://opensearch.org/#principles) -* [Contributing to OpenSearch](CONTRIBUTING.md) +* [Project Website](https://wazuh.com) +* [Quickstart](https://documentation.wazuh.com/current/quickstart.html) +* [Documentation](https://documentation.wazuh.com) +* Need help? Try [Slack](https://wazuh.com/community/join-us-on-slack) +* [Contributing to Wazuh indexer](CONTRIBUTING.md) * [Maintainer Responsibilities](MAINTAINERS.md) * [Release Management](RELEASING.md) * [Admin Responsibilities](ADMINS.md) 
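Review bot: grammar in the added line `+Wazuh indexer is a open source fork of [OpenSearch](https://github.com/opensearch-project/opensearch).`: "a open source fork" should read "an open source fork", and since the paragraph above calls it "The Wazuh indexer", keep the article consistent between the two sentences.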
@@ -40,7 +45,15 @@ This project has adopted the [Amazon Open Source Code of Conduct](CODE_OF_CONDUCT.md). For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq), or contact [opensource-codeofconduct@amazon.com](mailto:opensource-codeofconduct@amazon.com) with any additional questions or comments. ## Security -If you discover a potential security issue in this project we ask that you notify OpenSearch Security directly via email to security@opensearch.org. Please do **not** create a public GitHub issue. + +To report a possible vulnerability or security issue you can: +- Send us an email to security@wazuh.com. +- Open a new security report under the security tab on this repository. + +**PLEASE DO NOT OPEN A PUBLIC ISSUE ABOUT SECURITY** + +We want to protect our community, so please give us time to fix a vulnerability +before publishing it. ## License @@ -48,10 +61,13 @@ This project is licensed under the [Apache v2.0 License](LICENSE.txt). ## Copyright -Copyright OpenSearch Contributors. See [NOTICE](NOTICE.txt) for details. +- Copyright OpenSearch Contributors. See [NOTICE](NOTICE.txt) for details. +- Copyright Wazuh, Inc. ## Trademark OpenSearch is a registered trademark of Amazon Web Services. OpenSearch includes certain Apache-licensed Elasticsearch code from Elasticsearch B.V. and other source code. Elasticsearch B.V. is not the source of that other source code. ELASTICSEARCH is a registered trademark of Elasticsearch B.V. + +Check Wazuh's [trademark and Brand policy](https://wazuh.com/trademark-and-brand-policy/). diff --git a/SECURITY.md b/SECURITY.md index be4ac7463864a..d9c2f31bf3ec0 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,3 +1,45 @@ -## Reporting a Vulnerability +# Wazuh Open Source Project Security Policy -If you discover a potential security issue in this project we ask that you notify OpenSearch Security directly via email to security@opensearch.org. Please do **not** create a public GitHub issue. +Version: 2023-06-12 + +## Introduction +This document outlines the Security Policy for Wazuh's open source projects. It emphasizes our commitment to maintain a secure environment for our users and contributors, and reflects our belief in the power of collaboration to identify and resolve security vulnerabilities. + +## Scope +This policy applies to all open source projects developed, maintained, or hosted by Wazuh. + +## Reporting Security Vulnerabilities +If you believe you've discovered a potential security vulnerability in one of our open source projects, we strongly encourage you to report it to us responsibly. + +Please submit your findings as security advisories under the "Security" tab in the relevant GitHub repository. Alternatively, you may send the details of your findings to [security@wazuh.com](mailto:security@wazuh.com). + +## Vulnerability Disclosure Policy +Upon receiving a report of a potential vulnerability, our team will initiate an investigation. If the reported issue is confirmed as a vulnerability, we will take the following steps: + +1. Acknowledgment: We will acknowledge the receipt of your vulnerability report and begin our investigation. +2. Validation: We will validate the issue and work on reproducing it in our environment. +3. Remediation: We will work on a fix and thoroughly test it. +4. Release & Disclosure: After 90 days from the discovery of the vulnerability, or as soon as a fix is ready and thoroughly tested (whichever comes first), we will release a security update for the affected project. We will also publicly disclose the vulnerability by publishing a CVE (Common Vulnerabilities and Exposures) and acknowledging the discovering party. +5. 
Exceptions: In order to preserve the security of the Wazuh community at large, we might extend the disclosure period to allow users to patch their deployments. + +This 90-day period allows for end-users to update their systems and minimizes the risk of widespread exploitation of the vulnerability. + +## Automatic Scanning +We leverage GitHub Actions to perform automated scans of our supply chain. These scans assist us in identifying vulnerabilities and outdated dependencies in a proactive and timely manner. + +## Credit +We believe in giving credit where credit is due. If you report a security vulnerability to us, and we determine that it is a valid vulnerability, we will publicly credit you for the discovery when we disclose the vulnerability. If you wish to remain anonymous, please indicate so in your initial report. + +We do appreciate and encourage feedback from our community, but currently we do not have a bounty program. We might start bounty programs in the future. + +## Compliance with this Policy +We consider the discovery and reporting of security vulnerabilities an important public service. We encourage responsible reporting of any vulnerabilities that may be found in our site or applications. + +Furthermore, we will not take legal action against or suspend or terminate access to the site or services of those who discover and report security vulnerabilities in accordance with this policy because of the fact. + +We ask that all users and contributors respect this policy and the security of our community's users by disclosing vulnerabilities to us in accordance with this policy. + +## Changes to this Security Policy +This policy may be revised from time to time. Each version of the policy will be identified at the top of the page by its effective date. + +If you have any questions about this Security Policy, please contact us at [security@wazuh.com](mailto:security@wazuh.com) 
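Review bot: the "Reporting Security Vulnerabilities" section tells reporters to submit advisories under the repository's "Security" tab; that route only works when private vulnerability reporting is enabled in the repository settings, so enable it (or drop the sentence) before merging, otherwise reporters fall back to the public issue tracker the README warns against. Minor: the closing sentence `please contact us at [security@wazuh.com](mailto:security@wazuh.com)` lacks a period, and `Version: 2023-06-12` should be bumped if the text was altered for this repository.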
diff --git a/VERSION b/VERSION new file mode 100644 index 0000000000000..28cbf7c0aae3b --- /dev/null +++ b/VERSION @@ -0,0 +1 @@ +5.0.0 \ No newline at end of file diff --git a/build-scripts/README.md b/build-scripts/README.md new file mode 100644 index 0000000000000..e1279aadaecb1 --- /dev/null +++ b/build-scripts/README.md 
@@ -0,0 +1,273 @@ +# How to Build `wazuh-indexer` DEB and RPM Packages + +> [!CAUTION] +> +> Be aware that there might be some problems while following the steps in this guide due to outdated information. +> This document is pending a review. Let us know if you find any issues. + +The packages' generation process consists on 2 steps: + +- **Build**: compiles the Java application and bundles it into a package. +- **Assembly**: uses the package from the previous step and inflates it with plugins and + configuration files, ready for production deployment. + +We usually generate the packages using GitHub Actions, however, the process is designed to +be independent enough for maximum portability. GitHub Actions provides infrastructure, while +the building process is self-contained in the application code. + +Each section includes instructions to generate packages locally, using Act or Docker. + +- [Install Act](https://github.com/nektos/act) + +The names of the packages are managed by the `baptizer.sh` script. + +## Building the plugins + +Follow the [DEVELOPER_GUIDE.md](https://github.com/wazuh/wazuh-indexer-plugins/blob/master/DEVELOPER_GUIDE.md) instructions to build the plugins. The build scripts expect the plugins in the Maven local repository or under the `artifacts/plugins` folder. + +1. Build the plugins. +2. Publish the plugins to the local Maven repository: run `./gradlew publishToMavenLocal`. + - Alternatively, copy the generated zip files to the `artifacts/plugins` folder. +3. Build and Assemble the `wazuh-indexer` package. + +## Build and Assemble in Act + +Use Act to run the `build.yml` workflow locally. The `act.input.env` file contains the inputs +for the workflow. As the workflow clones the `wazuh-indexer-plugins` repository, the `GITHUB_TOKEN` +is required. You can use the `gh` CLI to authenticate, as seen in the example below. 
+ +```console +act -j build -W .github/workflows/build.yml --artifact-server-path ./artifacts --input-file build-scripts/act.input.env -s GITHUB_TOKEN="$(gh auth token)" +``` + +## Build + +For local package generation, use the `build.sh` script. Take a look at the `build.yml` +workflow file for an example of usage. + +```bash +bash build-scripts/build.sh -a x64 -d tar -n $(bash build-scripts/baptizer.sh -a x64 -d tar -m) +``` + +#### Act (GitHub Workflow locally) + +```console +act -j build -W .github/workflows/build.yml --artifact-server-path ./artifacts + +[Build slim packages/build] 🏁 Job succeeded +``` + +#### Running in Docker + +Using the [Docker environment](../docker): + +```console +docker exec -it wi-build_$( By default, `ar` and `tar` tools expect the package to be in `wazuh-indexer/artifacts/tmp/deb`. + > The script takes care of creating the required folder structure, copying also the min package + > and the Makefile. + + Current folder loadout at this stage: + + ``` + artifacts/ + |-- dist + | |-- wazuh-indexer-min_5.0.0_amd64.deb + `-- tmp + `-- deb + |-- Makefile + |-- data.tar.gz + |-- debmake_install.sh + |-- etc + |-- usr + |-- var + `-- wazuh-indexer-min_5.0.0_amd64.deb + ``` + + `usr`, `etc` and `var` folders contain `wazuh-indexer` files, extracted from `wazuh-indexer-min-*.deb`. + `Makefile` and the `debmake_install` are copied over from `wazuh-indexer/distribution/packages/src/deb`. + The `wazuh-indexer-performance-analyzer.service` file is also copied from the same folder. It is a dependency of the SPEC file. + +2. Install the plugins using the `opensearch-plugin` CLI tool. +3. Set up configuration files. + + > Included in `min-package`. Default files are overwritten. + +4. Bundle a DEB file with `debmake` and the `Makefile`. + + > `debmake` and other dependencies can be installed using the `provision.sh` script. + > The script is invoked by the GitHub Workflow. 
+ + Current folder loadout at this stage: + + ``` + artifacts/ + |-- artifact_name.txt + |-- dist + | |-- wazuh-indexer-min_5.0.0_amd64.deb + | `-- wazuh-indexer_5.0.0_amd64.deb + `-- tmp + `-- deb + |-- Makefile + |-- data.tar.gz + |-- debmake_install.sh + |-- etc + |-- usr + |-- var + |-- wazuh-indexer-min_5.0.0_amd64.deb + `-- debian/ + | -- control + | -- copyright + | -- rules + | -- preinst + | -- prerm + | -- postinst + ``` + +#### Running in Docker + +Pre-requisites: + +- Current directory: `wazuh-indexer/` +- Existing deb package in `wazuh-indexer/artifacts/dist/deb`, as a result of the _Build_ stage. +- Using the [Docker environment](../docker): + +```console +docker exec -it wi-assemble_$( By default, `rpm2cpio` and `cpio` tools expect the package to be in `wazuh-indexer/artifacts/tmp/rpm`. The script takes care of creating the required folder structure, copying also the min package and the SPEC file. + + Current folder loadout at this stage: + + ``` + /rpm/$ARCH + /etc + /usr + /var + wazuh-indexer-min-*.rpm + wazuh-indexer.rpm.spec + ``` + + `usr`, `etc` and `var` folders contain `wazuh-indexer` files, extracted from `wazuh-indexer-min-*.rpm`. + `wazuh-indexer.rpm.spec` is copied over from `wazuh-indexer/distribution/packages/src/rpm/wazuh-indexer.rpm.spec`. + The `wazuh-indexer-performance-analyzer.service` file is also copied from the same folder. It is a dependency of the SPEC file. + +2. Install the plugins using the `opensearch-plugin` CLI tool. +3. Set up configuration files. + + > Included in `min-package`. Default files are overwritten. + +4. Bundle an RPM file with `rpmbuild` and the SPEC file `wazuh-indexer.rpm.spec`. + + > `rpmbuild` is part of the `rpm` OS package. + + > `rpmbuild` is invoked from `wazuh-indexer/artifacts/tmp/rpm`. It creates the {BUILD,RPMS,SOURCES,SRPMS,SPECS,TMP} folders and applies the rules in the SPEC file. If successful, `rpmbuild` will generate the package in the `RPMS/` folder. 
The script will copy it to `wazuh-indexer/artifacts/dist` and clean: remove the `tmp\` folder and its contents. + + Current folder loadout at this stage: + + ``` + /rpm/$ARCH + /{BUILD,RPMS,SOURCES,SRPMS,SPECS,TMP} + /etc + /usr + /var + wazuh-indexer-min-*.rpm + wazuh-indexer.rpm.spec + ``` + +#### Running in Docker + +Pre-requisites: + +- Current directory: `wazuh-indexer/` +- Existing rpm package in `wazuh-indexer/artifacts/dist/rpm`, as a result of the _Build_ stage. +- Using the [Docker environment](../docker): + +```console +docker exec -it wi-assemble_$(>"${1}/opensearch-performance-analyzer/opensearch_security.policy" +} + +# ==== +# Move performance-analyzer-rca to its final location +# ==== +function enable_performance_analyzer_rca() { + local rca_src="${1}/plugins/opensearch-performance-analyzer/performance-analyzer-rca" + local rca_dest="${1}" + mv "${rca_src}" "${rca_dest}" +} + +# ==== +# Install plugins +# ==== +function install_plugins() { + echo "Installing OpenSearch plugins" + local maven_repo_local="$HOME/.m2" + for plugin in "${plugins[@]}"; do + local plugin_from_maven="org.opensearch.plugin:${plugin}:${VERSION}.0" + mvn -Dmaven.repo.local="${maven_repo_local}" org.apache.maven.plugins:maven-dependency-plugin:2.1:get -DrepoUrl=https://repo1.maven.org/maven2 -Dartifact="${plugin_from_maven}:zip" + OPENSEARCH_PATH_CONF=$PATH_CONF "${PATH_BIN}/opensearch-plugin" install --batch --verbose "file:${maven_repo_local}/org/opensearch/plugin/${plugin}/${VERSION}.0/${plugin}-${VERSION}.0.zip" + done + + echo "Installing Wazuh plugins" + local indexer_plugin_version="${1}.${REVISION}" + for plugin_name in "${wazuh_plugins[@]}"; do + # Check if the plugin is in the local maven repository. This is usually + # case for local executions. + local plugin_path="${maven_repo_local}/repository/org/wazuh/${plugin_name}-plugin/${indexer_plugin_version}/${plugin_name}-${indexer_plugin_version}.zip" + + # Otherwise, search for the plugins in the output folder. 
+ if [ -z "${plugin_from_maven_local}" ]; then + echo "Plugin ${plugin_name} not found in local maven repository. Searching on ./${OUTPUT}/plugins" + # Working directory at this point is: wazuh-indexer/artifacts/tmp/{rpm|deb|tar} + plugin_path="$(pwd)/../../plugins/${plugin_name}-${indexer_plugin_version}.zip" + fi + + OPENSEARCH_PATH_CONF=$PATH_CONF "${PATH_BIN}/opensearch-plugin" install --batch --verbose "file:${plugin_path}" + done +} + +# ==== +# Clean +# ==== +function clean() { + echo "Cleaning temporary ${TMP_DIR} folder" + rm -r "${OUTPUT}/tmp" + echo "After execution, shell path is $(pwd)" +} + +# ==== +# Tar assemble +# ==== +function assemble_tar() { + cd "${TMP_DIR}" + + # Extract + echo "Extract ${ARTIFACT_BUILD_NAME} archive" + tar -zvxf "${ARTIFACT_BUILD_NAME}" + local decompressed_tar_dir + decompressed_tar_dir=$(ls -d wazuh-indexer-*/) + + local version + version=$(cat "${decompressed_tar_dir}"/VERSION) + + PATH_CONF="${decompressed_tar_dir}/config" + PATH_BIN="${decompressed_tar_dir}/bin" + PATH_PLUGINS="${decompressed_tar_dir}/plugins" + + # Install plugins + install_plugins "${version}" + fix_log_rotation "${PATH_CONF}" + # Swap configuration files + add_configuration_files + remove_unneeded_files + add_wazuh_tools "${version}" + + # Pack + archive_name="wazuh-indexer-${version}" + tar -cvf "${archive_name}-${SUFFIX}.${EXT}" "${archive_name}" + cd ../../.. + cp "${TMP_DIR}/${archive_name}-${SUFFIX}.${EXT}" "${OUTPUT}/dist/$ARTIFACT_PACKAGE_NAME" + + clean +} + +# ==== +# RPM assemble +# ==== +function assemble_rpm() { + # Copy spec + cp "distribution/packages/src/rpm/wazuh-indexer.rpm.spec" "${TMP_DIR}" + # Copy performance analyzer service file + enable_performance_analyzer + + cd "${TMP_DIR}" + local src_path="./usr/share/wazuh-indexer" + PATH_CONF="./etc/wazuh-indexer" + PATH_BIN="${src_path}/bin" + PATH_PLUGINS="${src_path}/plugins" + + # Extract min-package. 
Creates usr/, etc/ and var/ in the current directory + echo "Extract ${ARTIFACT_BUILD_NAME} archive" + rpm2cpio "${ARTIFACT_BUILD_NAME}" | cpio -imdv + + local version + version=$(cat ./usr/share/wazuh-indexer/VERSION) + + # Install plugins + install_plugins "${version}" + fix_log_rotation ${PATH_CONF} + enable_performance_analyzer_rca ${src_path} + # Swap configuration files + add_configuration_files + remove_unneeded_files + add_wazuh_tools "${version}" + + # Generate final package + local topdir + local spec_file="wazuh-indexer.rpm.spec" + topdir=$(pwd) + rpmbuild --bb \ + --define "_topdir ${topdir}" \ + --define "_version ${version}" \ + --define "_architecture ${SUFFIX}" \ + --define "_release ${REVISION}" \ + ${spec_file} + + # Move to the root folder, copy the package and clean. + cd ../../.. + package_name="wazuh-indexer-${version}-${REVISION}.${SUFFIX}.${EXT}" + cp "${TMP_DIR}/RPMS/${SUFFIX}/${package_name}" "${OUTPUT}/dist/$ARTIFACT_PACKAGE_NAME" + + clean +} + +# ==== +# DEB assemble +# ==== +function assemble_deb() { + # Copy spec + cp "distribution/packages/src/deb/Makefile" "${TMP_DIR}" + cp "distribution/packages/src/deb/debmake_install.sh" "${TMP_DIR}" + cp -r "distribution/packages/src/deb/debian" "${TMP_DIR}" + chmod a+x "${TMP_DIR}/debmake_install.sh" + # Copy performance analyzer service file + enable_performance_analyzer + + cd "${TMP_DIR}" + local src_path="./usr/share/wazuh-indexer" + PATH_CONF="./etc/wazuh-indexer" + PATH_BIN="${src_path}/bin" + PATH_PLUGINS="${src_path}/plugins" + + # Extract min-package. 
Creates usr/, etc/ and var/ in the current directory + echo "Extract ${ARTIFACT_BUILD_NAME} archive" + ar xf "${ARTIFACT_BUILD_NAME}" data.tar.gz + tar zvxf data.tar.gz + + local version + version=$(cat ./usr/share/wazuh-indexer/VERSION) + + # Install plugins + install_plugins "${version}" + fix_log_rotation ${PATH_CONF} + enable_performance_analyzer_rca ${src_path} + # Swap configuration files + add_configuration_files + remove_unneeded_files + add_wazuh_tools "${version}" + + # Configure debmake to only generate binaries + echo 'DEBUILD_DPKG_BUILDPACKAGE_OPTS="-us -uc -ui -b"' >~/.devscripts + # Configure debuild to skip lintian + echo 'DEBUILD_LINTIAN_OPTS="--no-lintian"' >>~/.devscripts + + # Generate final package + debmake \ + --fullname "Wazuh Team" \ + --email "hello@wazuh.com" \ + --invoke debuild \ + --package wazuh-indexer \ + --native \ + --revision "${REVISION}" \ + --upstreamversion "${version}-${REVISION}" + + # Move to the root folder, copy the package and clean. + cd ../../.. 
+ package_name="wazuh-indexer_${version}-${REVISION}_${SUFFIX}.${EXT}" + # debmake creates the package one level above + cp "${TMP_DIR}/../${package_name}" "${OUTPUT}/dist/$ARTIFACT_PACKAGE_NAME" + + clean +} + +# ==== +# Main function +# ==== +function main() { + parse_args "${@}" + + echo "Assembling wazuh-indexer for $PLATFORM-$DISTRIBUTION-$ARCHITECTURE" + + VERSION=$(bash build-scripts/upstream-version.sh) + ARTIFACT_BUILD_NAME=$(ls "${OUTPUT}/dist/" | grep "wazuh-indexer-min.*$SUFFIX.*\.$EXT") + ARTIFACT_PACKAGE_NAME=${ARTIFACT_BUILD_NAME/-min/} + + # Create temporal directory and copy the min package there for extraction + TMP_DIR="${OUTPUT}/tmp/${TARGET}" + mkdir -p "$TMP_DIR" + cp "${OUTPUT}/dist/$ARTIFACT_BUILD_NAME" "${TMP_DIR}" + + case $PACKAGE in + tar) + assemble_tar + ;; + rpm) + assemble_rpm + ;; + deb) + assemble_deb + ;; + esac + + # Create checksum + sha512sum "${OUTPUT}/dist/$ARTIFACT_PACKAGE_NAME" >"${OUTPUT}/dist/$ARTIFACT_PACKAGE_NAME".sha512 +} + +main "${@}" diff --git a/build-scripts/baptizer.sh b/build-scripts/baptizer.sh new file mode 100644 index 0000000000000..537fae43491d5 --- /dev/null +++ b/build-scripts/baptizer.sh 
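Review bot: in `install_plugins`, the Wazuh-plugin loop tests `if [ -z "${plugin_from_maven_local}" ]; then`, but that variable is never assigned (the Maven-local path is stored in `plugin_path`), so the condition is always true and the local Maven repository is never used; test the file instead: `if [ ! -f "${plugin_path}" ]; then`. Two more points in the same file: `assemble_tar` packs with `tar -cvf "${archive_name}-${SUFFIX}.${EXT}" "${archive_name}"` without `-z`, so the file named `.tar.gz` is an uncompressed tar (the min package is extracted with `-zvxf`); and `main` runs `sha512sum "${OUTPUT}/dist/$ARTIFACT_PACKAGE_NAME"`, which embeds the `artifacts/dist/` path in the `.sha512` file and makes `sha512sum -c` fail unless run from the repository root, so `cd` into `dist` and hash the bare file name. Also quote `${PATH_CONF}` and `${src_path}` in the `fix_log_rotation` / `enable_performance_analyzer_rca` calls, and keep in mind that `opensearch-plugin install --batch` auto-accepts every permission a plugin requests, which is reasonable for first-party plugins from `artifacts/plugins` but means the Maven Central downloads in the first loop are installed without any checksum pinning.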
@@ -0,0 +1,169 @@ +#!/bin/bash + +set -e + +function usage() { + echo "Usage: $0 [args]" + echo "" + echo "Arguments:" + echo -e "-p PLATFORM\t[Optional] Platform, default is 'uname -s'." + echo -e "-a ARCHITECTURE\t[Optional] Build architecture, default is 'uname -m'." + echo -e "-d DISTRIBUTION\t[Optional] Distribution, default is 'tar'." + echo -e "-r REVISION\t[Optional] Package revision, default is '0'." + echo -e "-l PLUGINS_HASH\t[Optional] Commit hash from the wazuh-indexer-plugins repository" + echo -e "-e REPORTING_HASH\t[Optional] Commit hash from the wazuh-indexer-reporting repository" + echo -e "-m MIN\t[Optional] Use naming convention for minimal packages, default is 'false'." + echo -e "-x RELEASE\t[Optional] Use release naming convention, default is 'false'." + echo -e "-h help" +} + +# ==== +# Parse arguments +# ==== +function parse_args() { + + while getopts ":h:p:a:d:r:l:e:mx" arg; do + case $arg in + h) + usage + exit 1 + ;; + p) + PLATFORM=$OPTARG + ;; + a) + ARCHITECTURE=$OPTARG + ;; + d) + DISTRIBUTION=$OPTARG + ;; + r) + REVISION=$OPTARG + ;; + l) + PLUGINS_HASH=$OPTARG + ;; + e) + REPORTING_HASH=$OPTARG + ;; + m) + IS_MIN=true + ;; + x) + IS_RELEASE=true + ;; + :) + echo "Error: -${OPTARG} requires an argument" + usage + exit 1 + ;; + ?) 
+ echo "Invalid option: -${arg}" + exit 1 + ;; + esac + done + + [ -z "$PLATFORM" ] && PLATFORM=$(uname -s | awk '{print tolower($0)}') + [ -z "$ARCHITECTURE" ] && ARCHITECTURE=$(uname -m) + [ -z "$DISTRIBUTION" ] && DISTRIBUTION="tar" + [ -z "$REVISION" ] && REVISION="0" + [ -z "$IS_MIN" ] && IS_MIN=false + [ -z "$IS_RELEASE" ] && IS_RELEASE=false + + case $PLATFORM-$DISTRIBUTION-$ARCHITECTURE in + linux-tar-x64 | darwin-tar-x64) + EXT="tar.gz" + SUFFIX="$PLATFORM-x64" + ;; + linux-tar-arm64 | darwin-tar-arm64) + EXT="tar.gz" + SUFFIX="$PLATFORM-arm64" + ;; + linux-deb-x64) + EXT="deb" + SUFFIX="amd64" + ;; + linux-deb-arm64) + EXT="deb" + SUFFIX="arm64" + ;; + linux-rpm-x64) + EXT="rpm" + SUFFIX="x86_64" + ;; + linux-rpm-arm64) + EXT="rpm" + SUFFIX="aarch64" + ;; + windows-zip-x64) + EXT="zip" + SUFFIX="$PLATFORM-x64" + ;; + windows-zip-arm64) + EXT="zip" + SUFFIX="$PLATFORM-arm64" + ;; + *) + echo "Unsupported platform-distribution-architecture combination: $PLATFORM-$DISTRIBUTION-$ARCHITECTURE" + exit 1 + ;; + esac + +} + +# ==== +# Naming convention for release packages +# ==== +function get_release_name() { + if [ "$EXT" = "rpm" ]; then + PACKAGE_NAME=wazuh-indexer-"$VERSION"-"$REVISION"."$SUFFIX"."$EXT" + else + PACKAGE_NAME=wazuh-indexer_"$VERSION"-"$REVISION"_"$SUFFIX"."$EXT" + fi + if "$IS_MIN"; then + PACKAGE_NAME=${PACKAGE_NAME/wazuh-indexer/wazuh-indexer-min} + fi +} + +# ==== +# Naming convention for pre-release packages +# ==== +function get_devel_name() { + PREFIX=wazuh-indexer + COMMIT_HASH=$GIT_COMMIT + # Add -min to the prefix if corresponds + if "$IS_MIN"; then + PREFIX="$PREFIX"-min + fi + # Generate composed commit hash + if [ -n "$PLUGINS_HASH" ] && [ -n "$REPORTING_HASH" ]; then + COMMIT_HASH="$GIT_COMMIT"-"$PLUGINS_HASH"-"$REPORTING_HASH" + fi + PACKAGE_NAME="$PREFIX"_"$VERSION"-"$REVISION"_"$SUFFIX"_"$COMMIT_HASH"."$EXT" +} + +# ==== +# Naming convention control function +# ==== +function get_package_name() { + if "$IS_RELEASE"; then + 
get_release_name + else + get_devel_name + fi +} + +# ==== +# Main function +# ==== +function main() { + parse_args "${@}" + + get_package_name + echo "$PACKAGE_NAME" +} + +GIT_COMMIT=$(git rev-parse --short HEAD) +VERSION=$( { String subdir = archiveTaskToSubprojectName(t.getName()); t.getDestinationDirectory().set(project.file(subdir + "/build/distributions")); - t.getArchiveBaseName().set("opensearch-min"); + t.getArchiveBaseName().set("wazuh-indexer-min"); }); } diff --git a/buildSrc/src/main/java/org/opensearch/gradle/internal/InternalDistributionBwcSetupPlugin.java b/buildSrc/src/main/java/org/opensearch/gradle/internal/InternalDistributionBwcSetupPlugin.java index 0502280cb69ad..e1dc53e9f9fc4 100644 --- a/buildSrc/src/main/java/org/opensearch/gradle/internal/InternalDistributionBwcSetupPlugin.java +++ b/buildSrc/src/main/java/org/opensearch/gradle/internal/InternalDistributionBwcSetupPlugin.java @@ -123,7 +123,7 @@ private void registerBwcArtifacts(Project bwcProject, DistributionProject distri String expandedDistConfiguration = "expanded-" + projectName; bwcProject.getConfigurations().create(expandedDistConfiguration); bwcProject.getArtifacts().add(expandedDistConfiguration, distributionProject.getExpandedDistDirectory(), artifact -> { - artifact.setName("opensearch"); + artifact.setName("wazuh-indexer"); artifact.builtBy(buildBwcTask); artifact.setType("directory"); }); @@ -132,7 +132,7 @@ private void registerBwcArtifacts(Project bwcProject, DistributionProject distri private void registerDistributionArchiveArtifact(Project bwcProject, DistributionProject distributionProject, String buildBwcTask) { String artifactFileName = distributionProject.getDistFile().getName(); - String artifactName = "opensearch"; + String artifactName = "wazuh-indexer"; String suffix = artifactFileName.endsWith("tar.gz") ? "tar.gz" : artifactFileName.substring(artifactFileName.length() - 3); int archIndex = artifactFileName.indexOf("x64"); 
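Review bot: in `baptizer.sh`'s `parse_args`, the optstring `":h:p:a:d:r:l:e:mx"` declares `-h` as taking an argument, so a bare `-h` hits the `:)` branch and prints `Error: -h requires an argument` instead of the usage text; use `":hp:a:d:r:l:e:mx"`. In the `?)` branch, `echo "Invalid option: -${arg}"` prints `-?` because `getopts` places the offending letter in `OPTARG`, not in `arg`; use `${OPTARG}`. Minor: `-h` should exit 0, and `usage` should write to stderr, since the build-scripts README invokes this script via command substitution (`-n $(bash build-scripts/baptizer.sh ...)`) and any help text on stdout would become part of the package name.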
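Review bot: `InternalDistributionBwcSetupPlugin` now expects backward-compatibility artifacts named `wazuh-indexer` and `wazuh-indexer-min-<version>-SNAPSHOT...` (this hunk and the `distFile` hunk that follows), but the bwc projects build older versions from checked-out branches; if any of those branches is an upstream OpenSearch branch, its archives are still produced as `opensearch-min-*` and the bwc setup will fail to locate the file. Confirm that every bwc version referenced by the build comes from a branch carrying the same rename, or keep the `opensearch` names for versions that predate it.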
@@ -258,12 +258,12 @@ private static class DistributionProject { if (version.onOrAfter("1.1.0")) { this.distFile = new File( checkoutDir, - baseDir + "/" + name + "/build/distributions/opensearch-min-" + version + "-SNAPSHOT" + classifier + "." + extension + baseDir + "/" + name + "/build/distributions/wazuh-indexer-min-" + version + "-SNAPSHOT" + classifier + "." + extension ); } else { this.distFile = new File( checkoutDir, - baseDir + "/" + name + "/build/distributions/opensearch-" + version + "-SNAPSHOT" + classifier + "." + extension + baseDir + "/" + name + "/build/distributions/wazuh-indexer-" + version + "-SNAPSHOT" + classifier + "." + extension ); } // we only ported this down to the 7.x branch. diff --git a/distribution/archives/build.gradle b/distribution/archives/build.gradle index 792b1ab57ddbc..034ac1528a6d9 100644 --- a/distribution/archives/build.gradle +++ b/distribution/archives/build.gradle @@ -33,8 +33,9 @@ import org.opensearch.gradle.JavaPackageType apply plugin: 'opensearch.internal-distribution-archive-setup' CopySpec archiveFiles(CopySpec modulesFiles, String distributionType, String platform, String architecture, JavaPackageType java) { + version = rootProject.file('VERSION').getText() return copySpec { - into("opensearch-${version}") { + into("wazuh-indexer-${version}") { into('lib') { with libFiles() } @@ -81,6 +82,9 @@ CopySpec archiveFiles(CopySpec modulesFiles, String distributionType, String pla pluginsDir.getParent() } } + into('') { + with versionFile() + } from(rootProject.projectDir) { include 'README.md' } diff --git a/distribution/build.gradle b/distribution/build.gradle index a323dd15ed9cf..1210e5b131deb 100644 --- a/distribution/build.gradle +++ b/distribution/build.gradle 
@@ -357,6 +357,15 @@ configure(subprojects.findAll { ['archives', 'packages'].contains(it.name) }) { } } + versionFile = { + copySpec { + from(rootProject.file('VERSION')) + filePermissions{ + unix 0644 + } + } + } + modulesFiles = { platform -> copySpec { eachFile { @@ -523,18 +532,18 @@ configure(subprojects.findAll { ['archives', 'packages'].contains(it.name) }) { *
path.conf
*
The default directory from which to load configuration. This is used in * the packaging scripts, but in that context it is always - * /etc/opensearch. Its also used in bin/opensearch-plugin, where it is - * /etc/opensearch for the os packages but $OPENSEARCH_HOME/config otherwise.
+ * /etc/wazuh-indexer. Its also used in bin/opensearch-plugin, where it is + * /etc/wazuh-indexer for the os packages but $OPENSEARCH_HOME/config otherwise. *
path.env
*
The env file sourced before bin/opensearch to set environment - * variables. Think /etc/defaults/opensearch.
+ * variables. Think /etc/defaults/wazuh-indexer. *
heap.min and heap.max
*
Default min and max heap
*
scripts.footer
*
Footer appended to control scripts embedded in the distribution that is * (almost) entirely there for cosmetic reasons.
*
stopping.timeout
- *
RPM's init script needs to wait for opensearch to stop before + *
RPM's init script needs to wait for wazuh-indexer to stop before * returning from stop and it needs a maximum time to wait. This is it. One * day. DEB retries forever.
* @@ -542,8 +551,8 @@ configure(subprojects.findAll { ['archives', 'packages'].contains(it.name) }) { subprojects { ext.expansionsForDistribution = { distributionType, jdk -> final String defaultHeapSize = "1g" - final String packagingPathData = "path.data: /var/lib/opensearch" - final String pathLogs = "/var/log/opensearch" + final String packagingPathData = "path.data: /var/lib/wazuh-indexer" + final String pathLogs = "/var/log/wazuh-indexer" final String packagingPathLogs = "path.logs: ${pathLogs}" final String packagingLoggc = "${pathLogs}/gc.log" @@ -558,8 +567,8 @@ subprojects { 'project.version': version, 'path.conf': [ - 'deb': '/etc/opensearch', - 'rpm': '/etc/opensearch', + 'deb': '/etc/wazuh-indexer', + 'rpm': '/etc/wazuh-indexer', 'def': '"$OPENSEARCH_HOME"/config' ], 'path.data': [ @@ -568,15 +577,15 @@ subprojects { 'def': '#path.data: /path/to/data' ], 'path.env': [ - 'deb': '/etc/default/opensearch', - 'rpm': '/etc/sysconfig/opensearch', + 'deb': '/etc/default/wazuh-indexer', + 'rpm': '/etc/sysconfig/wazuh-indexer', /* There isn't one of these files for tar or zip but its important to make an empty string here so the script can properly skip it. */ 'def': 'if [ -z "$OPENSEARCH_PATH_CONF" ]; then OPENSEARCH_PATH_CONF="$OPENSEARCH_HOME"/config; done', ], 'source.path.env': [ - 'deb': 'source /etc/default/opensearch', - 'rpm': 'source /etc/sysconfig/opensearch', + 'deb': 'source /etc/default/wazuh-indexer', + 'rpm': 'source /etc/sysconfig/wazuh-indexer', 'def': 'if [ -z "$OPENSEARCH_PATH_CONF" ]; then OPENSEARCH_PATH_CONF="$OPENSEARCH_HOME"/config; fi', ], 'path.logs': [ 
@@ -594,14 +603,14 @@ subprojects { 'heap.max': defaultHeapSize, 'heap.dump.path': [ - 'deb': "-XX:HeapDumpPath=/var/lib/opensearch", - 'rpm': "-XX:HeapDumpPath=/var/lib/opensearch", + 'deb': "-XX:HeapDumpPath=/var/lib/wazuh-indexer", + 'rpm': "-XX:HeapDumpPath=/var/lib/wazuh-indexer", 'def': "-XX:HeapDumpPath=data" ], 'error.file': [ - 'deb': "-XX:ErrorFile=/var/log/opensearch/hs_err_pid%p.log", - 'rpm': "-XX:ErrorFile=/var/log/opensearch/hs_err_pid%p.log", + 'deb': "-XX:ErrorFile=/usr/share/wazuh-indexer/hs_err_pid%p.log", + 'rpm': "-XX:ErrorFile=/usr/share/wazuh-indexer/hs_err_pid%p.log", 'def': "-XX:ErrorFile=logs/hs_err_pid%p.log" ], diff --git a/distribution/docker/build.gradle b/distribution/docker/build.gradle index ad8678c608b54..f0641aa78d617 100644 --- a/distribution/docker/build.gradle +++ b/distribution/docker/build.gradle @@ -60,7 +60,7 @@ ext.expansions = { Architecture architecture, DockerBase base, boolean local -> classifier = "linux-\$(arch)" } - final String opensearch = "opensearch-min-${VersionProperties.getOpenSearch()}-${classifier}.tar.gz" + final String opensearch = "wazuh-indexer-min-${VersionProperties.getOpenSearch()}-${classifier}.tar.gz" /* Both the following Dockerfile commands put the resulting artifact at * the same location, regardless of classifier, so that the commands that diff --git a/distribution/docker/docker-compose.yml b/distribution/docker/docker-compose.yml index 5ed2b159ffe2b..bb4eb53cd49d2 100644 --- a/distribution/docker/docker-compose.yml +++ b/distribution/docker/docker-compose.yml @@ -18,7 +18,7 @@ services: - node.store.allow_mmap=false volumes: - ./build/repo:/tmp/opensearch-repo - - ./build/logs/1:/usr/share/opensearch/logs + - ./build/logs/1:/usr/share/wazuh-indexer/logs ports: - "9200" ulimits: 
@@ -42,7 +42,7 @@ services: - node.store.allow_mmap=false volumes: - ./build/repo:/tmp/opensearch-repo - - ./build/logs/2:/usr/share/opensearch/logs + - ./build/logs/2:/usr/share/wazuh-indexer/logs ports: - "9200" ulimits: diff --git a/distribution/docker/docker-test-entrypoint.sh b/distribution/docker/docker-test-entrypoint.sh index 1cfc62f6b02b0..6ff8306868a47 100755 --- a/distribution/docker/docker-test-entrypoint.sh +++ b/distribution/docker/docker-test-entrypoint.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash set -e -o pipefail -cd /usr/share/opensearch/bin/ +cd /usr/share/wazuh-indexer/bin/ -/usr/local/bin/docker-entrypoint.sh | tee > /usr/share/opensearch/logs/console.log +/usr/local/bin/docker-entrypoint.sh | tee > /usr/share/wazuh-indexer/logs/console.log diff --git a/distribution/docker/src/docker/Dockerfile b/distribution/docker/src/docker/Dockerfile index c980217b0b8dc..268af870ebae9 100644 --- a/distribution/docker/src/docker/Dockerfile +++ b/distribution/docker/src/docker/Dockerfile @@ -40,13 +40,13 @@ RUN set -eux ; \\ mv \${tini_bin} /tini ; \\ chmod +x /tini -RUN mkdir /usr/share/opensearch -WORKDIR /usr/share/opensearch +RUN mkdir /usr/share/wazuh-indexer +WORKDIR /usr/share/wazuh-indexer ${source_opensearch} RUN tar zxf /opt/opensearch.tar.gz --strip-components=1 -RUN sed -i -e 's/OPENSEARCH_DISTRIBUTION_TYPE=tar/OPENSEARCH_DISTRIBUTION_TYPE=docker/' /usr/share/opensearch/bin/opensearch-env +RUN sed -i -e 's/OPENSEARCH_DISTRIBUTION_TYPE=tar/OPENSEARCH_DISTRIBUTION_TYPE=docker/' /usr/share/wazuh-indexer/bin/opensearch-env RUN mkdir -p config config/jvm.options.d data logs RUN chmod 0775 config config/jvm.options.d data logs COPY config/opensearch.yml config/log4j2.properties config/ 
@@ -74,27 +74,27 @@ RUN sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-Linux-* && \\ done; \\ (exit \$exit_code) -RUN groupadd -g 1000 opensearch && \\ - adduser -u 1000 -g 1000 -G 0 -d /usr/share/opensearch opensearch && \\ - chmod 0775 /usr/share/opensearch && \\ - chown -R 1000:0 /usr/share/opensearch +RUN groupadd -g 1000 wazuh-indexer && \\ + adduser -u 1000 -g 1000 -G 0 -d /usr/share/wazuh-indexer wazuh-indexer && \\ + chmod 0775 /usr/share/wazuh-indexer && \\ + chown -R 1000:0 /usr/share/wazuh-indexer -WORKDIR /usr/share/opensearch -COPY --from=builder --chown=1000:0 /usr/share/opensearch /usr/share/opensearch +WORKDIR /usr/share/wazuh-indexer +COPY --from=builder --chown=1000:0 /usr/share/wazuh-indexer /usr/share/wazuh-indexer COPY --from=builder --chown=0:0 /tini /tini # Replace OpenJDK's built-in CA certificate keystore with the one from the OS # vendor. The latter is superior in several ways. # REF: https://github.com/elastic/elasticsearch-docker/issues/171 -RUN ln -sf /etc/pki/ca-trust/extracted/java/cacerts /usr/share/opensearch/jdk/lib/security/cacerts +RUN ln -sf /etc/pki/ca-trust/extracted/java/cacerts /usr/share/wazuh-indexer/jdk/lib/security/cacerts -ENV PATH /usr/share/opensearch/bin:\$PATH +ENV PATH /usr/share/wazuh-indexer/bin:\$PATH COPY bin/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh # The JDK's directories' permissions don't allow `java` to be executed under a different # group to the default. Fix this. -RUN find /usr/share/opensearch/jdk -type d -exec chmod 0755 '{}' \\; && \\ +RUN find /usr/share/wazuh-indexer/jdk -type d -exec chmod 0755 '{}' \\; && \\ chmod g=u /etc/passwd && \\ chmod 0775 /usr/local/bin/docker-entrypoint.sh diff --git a/distribution/docker/src/docker/bin/docker-entrypoint.sh b/distribution/docker/src/docker/bin/docker-entrypoint.sh index 33c68afce0bfc..e24c5cb6a7436 100644 --- a/distribution/docker/src/docker/bin/docker-entrypoint.sh +++ b/distribution/docker/src/docker/bin/docker-entrypoint.sh 
@@ -46,7 +46,7 @@ fi # This is also sourced in opensearch-env, and is only needed here # as well because we use ELASTIC_PASSWORD below. Sourcing this script # is idempotent. -source /usr/share/opensearch/bin/opensearch-env-from-file +source /usr/share/wazuh-indexer/bin/opensearch-env-from-file if [[ -f bin/opensearch-users ]]; then # Check for the ELASTIC_PASSWORD environment variable to set the @@ -56,7 +56,7 @@ if [[ -f bin/opensearch-users ]]; then # enabled, but we have no way of knowing which node we are yet. We'll just # honor the variable if it's present. if [[ -n "$ELASTIC_PASSWORD" ]]; then - [[ -f /usr/share/opensearch/config/opensearch.keystore ]] || (run_as_other_user_if_needed opensearch-keystore create) + [[ -f /usr/share/wazuh-indexer/config/opensearch.keystore ]] || (run_as_other_user_if_needed opensearch-keystore create) if ! (run_as_other_user_if_needed opensearch-keystore has-passwd --silent) ; then # keystore is unencrypted if ! (run_as_other_user_if_needed opensearch-keystore list | grep -q '^bootstrap.password$'); then @@ -76,8 +76,8 @@ fi if [[ "$(id -u)" == "0" ]]; then # If requested and running as root, mutate the ownership of bind-mounts if [[ -n "$TAKE_FILE_OWNERSHIP" ]]; then - chown -R 1000:0 /usr/share/opensearch/{data,logs} + chown -R 1000:0 /usr/share/wazuh-indexer/{data,logs} fi fi -run_as_other_user_if_needed /usr/share/opensearch/bin/opensearch <<<"$KEYSTORE_PASSWORD" +run_as_other_user_if_needed /usr/share/wazuh-indexer/bin/opensearch <<<"$KEYSTORE_PASSWORD" diff --git a/distribution/packages/build.gradle b/distribution/packages/build.gradle index 659b25129b23c..970b56e4a8a16 100644 --- a/distribution/packages/build.gradle +++ b/distribution/packages/build.gradle 
@@ -58,8 +58,8 @@ import java.util.regex.Pattern * The following commands are useful when it comes to check the user/group * and files permissions set within the RPM and DEB packages: * - * rpm -qlp --dump path/to/opensearch.rpm - * dpkg -c path/to/opensearch.deb + * rpm -qlp --dump path/to/wazuh-indexer.rpm + * dpkg -c path/to/wazuh-indexer.deb */ plugins { @@ -79,20 +79,20 @@ void addProcessFilesTask(String type, boolean jdk) { MavenFilteringHack.filter(it, expansionsForDistribution(type, jdk)) } - into('etc/opensearch') { + into('etc/wazuh-indexer') { with configFiles(type, jdk) } MavenFilteringHack.filter(it, expansionsForDistribution(type, jdk)) doLast { // create empty dirs, we set the permissions when configuring the packages - mkdir "${packagingFiles}/var/log/opensearch" - mkdir "${packagingFiles}/var/lib/opensearch" - mkdir "${packagingFiles}/usr/share/opensearch/plugins" + mkdir "${packagingFiles}/var/log/wazuh-indexer" + mkdir "${packagingFiles}/var/lib/wazuh-indexer" + mkdir "${packagingFiles}/usr/share/wazuh-indexer/plugins" - // bare empty dir for /etc/opensearch and /etc/opensearch/jvm.options.d - mkdir "${packagingFiles}/opensearch" - mkdir "${packagingFiles}/opensearch/jvm.options.d" + // bare empty dir for /etc/wazuh-indexer and /etc/wazuh-indexer/jvm.options.d + mkdir "${packagingFiles}/wazuh-indexer" + mkdir "${packagingFiles}/wazuh-indexer/jvm.options.d" } } } @@ -106,12 +106,13 @@ addProcessFilesTask('rpm', false) // since we have different templated files that need to be consumed, but the structure // is the same Closure commonPackageConfig(String type, boolean jdk, String architecture) { + project.version = rootProject.file('VERSION').getText() return { onlyIf { OS.current().equals(OS.WINDOWS) == false } dependsOn "process'${jdk ? '' : 'NoJdk'}${type.capitalize()}Files" - packageName "opensearch" + packageName "wazuh-indexer" if (type == 'deb') { if (architecture == 'x64') { arch('amd64') 
@@ -154,7 +155,7 @@ Closure commonPackageConfig(String type, boolean jdk, String architecture) { // top level "into" directive is not inherited from ospackage for some reason, so we must // specify it again explicitly for copying common files - into('/usr/share/opensearch') { + into('/usr/share/wazuh-indexer') { into('bin') { with binFiles(type, jdk) } @@ -175,6 +176,9 @@ Closure commonPackageConfig(String type, boolean jdk, String architecture) { with jdkFiles(project, 'linux', architecture) } } + into ('') { + with versionFile() + } // we need to specify every intermediate directory in these paths so the package managers know they are explicitly // intended to manage them; otherwise they may be left behind on uninstallation. duplicate calls of the same // directory are fine @@ -203,7 +207,7 @@ Closure commonPackageConfig(String type, boolean jdk, String architecture) { } } else { assert type == 'rpm' - into('/usr/share/opensearch') { + into('/usr/share/wazuh-indexer') { from(rootProject.file('licenses')) { include 'APACHE-LICENSE-2.0.txt' rename { 'LICENSE.txt' } 
@@ -215,29 +219,29 @@ Closure commonPackageConfig(String type, boolean jdk, String architecture) { } // ========= config files ========= - configurationFile '/etc/opensearch/opensearch.yml' - configurationFile '/etc/opensearch/jvm.options' - configurationFile '/etc/opensearch/log4j2.properties' + configurationFile '/etc/wazuh-indexer/opensearch.yml' + configurationFile '/etc/wazuh-indexer/jvm.options' + configurationFile '/etc/wazuh-indexer/log4j2.properties' from("${packagingFiles}") { dirPermissions { unix 0750 } into('/etc') - permissionGroup 'opensearch' + permissionGroup 'wazuh-indexer' includeEmptyDirs true createDirectoryEntry true - include("opensearch") // empty dir, just to add directory entry - include("opensearch/jvm.options.d") // empty dir, just to add directory entry + include("wazuh-indexer") // empty dir, just to add directory entry + include("wazuh-indexer/jvm.options.d") // empty dir, just to add directory entry } - from("${packagingFiles}/etc/opensearch") { - into('/etc/opensearch') + from("${packagingFiles}/etc/wazuh-indexer") { + into('/etc/wazuh-indexer') dirPermissions { unix 0750 } filePermissions{ unix 0660 } - permissionGroup 'opensearch' + permissionGroup 'wazuh-indexer' includeEmptyDirs true createDirectoryEntry true fileType CONFIG | NOREPLACE 
@@ -246,35 +250,35 @@ Closure commonPackageConfig(String type, boolean jdk, String architecture) { configurationFile envFile into(new File(envFile).getParent()) { fileType CONFIG | NOREPLACE - permissionGroup 'opensearch' + permissionGroup 'wazuh-indexer' filePermissions { unix 0660 } - from "${packagingFiles}/env/opensearch" + from "${packagingFiles}/env/wazuh-indexer" } // ========= systemd ========= into('/usr/lib/tmpfiles.d') { - from "${packagingFiles}/systemd/opensearch.conf" + from "${packagingFiles}/systemd/wazuh-indexer.conf" filePermissions { unix 0644 } } into('/usr/lib/systemd/system') { fileType CONFIG | NOREPLACE - from "${packagingFiles}/systemd/opensearch.service" + from "${packagingFiles}/systemd/wazuh-indexer.service" filePermissions { unix 0644 } } into('/usr/lib/sysctl.d') { fileType CONFIG | NOREPLACE - from "${packagingFiles}/systemd/sysctl/opensearch.conf" + from "${packagingFiles}/systemd/sysctl/wazuh-indexer.conf" filePermissions { unix 0644 } } - into('/usr/share/opensearch/bin') { + into('/usr/share/wazuh-indexer/bin') { from "${packagingFiles}/systemd/systemd-entrypoint" filePermissions { unix 0755 @@ -282,13 +286,13 @@ Closure commonPackageConfig(String type, boolean jdk, String architecture) { } // ========= sysV init ========= - configurationFile '/etc/init.d/opensearch' + configurationFile '/etc/init.d/wazuh-indexer' into('/etc/init.d') { filePermissions { unix 0750 } fileType CONFIG | NOREPLACE - from "${packagingFiles}/init.d/opensearch" + from "${packagingFiles}/init.d/wazuh-indexer" } // ========= empty dirs ========= 
@@ -307,11 +311,11 @@ Closure commonPackageConfig(String type, boolean jdk, String architecture) { } } } - copyEmptyDir('/var/log/opensearch', 'opensearch', 'opensearch', 0750) - copyEmptyDir('/var/lib/opensearch', 'opensearch', 'opensearch', 0750) - copyEmptyDir('/usr/share/opensearch/plugins', 'root', 'root', 0755) + copyEmptyDir('/var/log/wazuh-indexer', 'wazuh-indexer', 'wazuh-indexer', 0750) + copyEmptyDir('/var/lib/wazuh-indexer', 'wazuh-indexer', 'wazuh-indexer', 0750) + copyEmptyDir('/usr/share/wazuh-indexer/plugins', 'root', 'root', 0755) - into '/usr/share/opensearch' + into '/usr/share/wazuh-indexer' with noticeFile(jdk) } } @@ -320,13 +324,13 @@ apply plugin: 'com.netflix.nebula.ospackage-base' // this is package indepdendent configuration ospackage { - maintainer 'OpenSearch Team ' + maintainer 'Wazuh, Inc ' summary 'Distributed RESTful search engine built for the cloud' packageDescription ''' Reference documentation can be found at - https://github.com/opensearch-project/OpenSearch + https://documentation.wazuh.com/current/getting-started/components/wazuh-indexer.html '''.stripIndent().trim() - url 'https://github.com/opensearch-project/OpenSearch' + url 'https://documentation.wazuh.com/current/getting-started/components/wazuh-indexer.html' // signing setup if (project.hasProperty('signing.password') && BuildParams.isSnapshotBuild() == false) { @@ -345,7 +349,7 @@ ospackage { user 'root' permissionGroup 'root' - into '/usr/share/opensearch' + into '/usr/share/wazuh-indexer' } Closure commonDebConfig(boolean jdk, String architecture) { @@ -365,12 +369,6 @@ Closure commonDebConfig(boolean jdk, String architecture) { requires 'libc6' requires 'adduser' - into('/usr/share/lintian/overrides') { - from('src/deb/lintian/opensearch') - filePermissions { - unix 0644 - } - } } } 
@@ -410,7 +408,7 @@ Closure commonRpmConfig(boolean jdk, String architecture) { vendor 'OpenSearch' // TODO ospackage doesn't support icon but we used to have one - // without this the rpm will have parent dirs of any files we copy in, eg /etc/opensearch + // without this the rpm will have parent dirs of any files we copy in, eg /etc/wazuh-indexer addParentDirs false } } @@ -505,7 +503,7 @@ subprojects { Path copyrightPath String expectedLicense String licenseFilename - copyrightPath = packageExtractionDir.toPath().resolve("usr/share/doc/opensearch/copyright") + copyrightPath = packageExtractionDir.toPath().resolve("usr/share/doc/wazuh-indexer/copyright") expectedLicense = "ASL-2.0" licenseFilename = "APACHE-LICENSE-2.0.txt" final List header = Arrays.asList("Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/", @@ -524,7 +522,7 @@ subprojects { doLast { String licenseFilename = "APACHE-LICENSE-2.0.txt" final List licenseLines = Files.readAllLines(rootDir.toPath().resolve("licenses/" + licenseFilename)) - final Path licensePath = packageExtractionDir.toPath().resolve("usr/share/opensearch/LICENSE.txt") + final Path licensePath = packageExtractionDir.toPath().resolve("usr/share/wazuh-indexer/LICENSE.txt") assertLinesInFile(licensePath, licenseLines) } } @@ -537,7 +535,7 @@ subprojects { } doLast { final List noticeLines = Arrays.asList("OpenSearch (https://opensearch.org/)", "Copyright OpenSearch Contributors") - final Path noticePath = packageExtractionDir.toPath().resolve("usr/share/opensearch/NOTICE.txt") + final Path noticePath = packageExtractionDir.toPath().resolve("usr/share/wazuh-indexer/NOTICE.txt") assertLinesInFile(noticePath, noticeLines) } } 
diff --git a/distribution/packages/src/common/env/opensearch b/distribution/packages/src/common/env/wazuh-indexer similarity index 68% rename from distribution/packages/src/common/env/opensearch rename to distribution/packages/src/common/env/wazuh-indexer index 198bcfde90c4c..553fefc3adba7 100644 --- a/distribution/packages/src/common/env/opensearch +++ b/distribution/packages/src/common/env/wazuh-indexer @@ -1,19 +1,19 @@ ################################ -# OpenSearch +# wazuh-indexer ################################ -# OpenSearch home directory -#OPENSEARCH_HOME=/usr/share/opensearch +# wazuh-indexer home directory +#OPENSEARCH_HOME=/usr/share/wazuh-indexer -# OpenSearch Java path +# wazuh-indexer Java path #OPENSEARCH_JAVA_HOME= -# OpenSearch configuration directory +# wazuh-indexer configuration directory # Note: this setting will be shared with command-line tools OPENSEARCH_PATH_CONF=${path.conf} -# OpenSearch PID directory -#PID_DIR=/var/run/opensearch +# wazuh-indexer PID directory +#PID_DIR=/run/wazuh-indexer # Additional Java OPTS #OPENSEARCH_JAVA_OPTS= @@ -22,12 +22,12 @@ OPENSEARCH_PATH_CONF=${path.conf} #RESTART_ON_UPGRADE=true ################################ -# OpenSearch service +# wazuh-indexer service ################################ # SysV init.d # -# The number of seconds to wait before checking if OpenSearch started successfully as a daemon process +# The number of seconds to wait before checking if wazuh-indexer started successfully as a daemon process OPENSEARCH_STARTUP_SLEEP_TIME=5 ################################ 
@@ -36,17 +36,17 @@ OPENSEARCH_STARTUP_SLEEP_TIME=5 # Specifies the maximum file descriptor number that can be opened by this process # When using Systemd, this setting is ignored and the LimitNOFILE defined in -# /usr/lib/systemd/system/opensearch.service takes precedence +# /usr/lib/systemd/system/wazuh-indexer.service takes precedence #MAX_OPEN_FILES=65535 # The maximum number of bytes of memory that may be locked into RAM # Set to "unlimited" if you use the 'bootstrap.memory_lock: true' option # in opensearch.yml. # When using systemd, LimitMEMLOCK must be set in a unit file such as -# /etc/systemd/system/opensearch.service.d/override.conf. +# /etc/systemd/system/wazuh-indexer.service.d/override.conf. #MAX_LOCKED_MEMORY=unlimited # Maximum number of VMA (Virtual Memory Areas) a process can own # When using Systemd, this setting is ignored and the 'vm.max_map_count' -# property is set at boot time in /usr/lib/sysctl.d/opensearch.conf +# property is set at boot time in /usr/lib/sysctl.d/wazuh-indexer.conf #MAX_MAP_COUNT=262144 diff --git a/distribution/packages/src/common/scripts/postinst b/distribution/packages/src/common/scripts/postinst index 308e86b850247..5c1e942f87e18 100644 --- a/distribution/packages/src/common/scripts/postinst +++ b/distribution/packages/src/common/scripts/postinst 
@@ -50,52 +50,52 @@ case "$1" in ;; esac -# to pick up /usr/lib/sysctl.d/opensearch.conf +# to pick up /usr/lib/sysctl.d/wazuh-indexer.conf if command -v systemctl > /dev/null; then systemctl restart systemd-sysctl.service || true fi if [ "x$IS_UPGRADE" != "xtrue" ]; then if command -v systemctl >/dev/null; then - echo "### NOT starting on installation, please execute the following statements to configure opensearch service to start automatically using systemd" + echo "### NOT starting on installation, please execute the following statements to configure wazuh-indexer service to start automatically using systemd" echo " sudo systemctl daemon-reload" - echo " sudo systemctl enable opensearch.service" - echo "### You can start opensearch service by executing" - echo " sudo systemctl start opensearch.service" + echo " sudo systemctl enable wazuh-indexer.service" + echo "### You can start wazuh-indexer service by executing" + echo " sudo systemctl start wazuh-indexer.service" elif command -v chkconfig >/dev/null; then - echo "### NOT starting on installation, please execute the following statements to configure opensearch service to start automatically using chkconfig" - echo " sudo chkconfig --add opensearch" - echo "### You can start opensearch service by executing" - echo " sudo service opensearch start" + echo "### NOT starting on installation, please execute the following statements to configure wazuh-indexer service to start automatically using chkconfig" + echo " sudo chkconfig --add wazuh-indexer" + echo "### You can start wazuh-indexer service by executing" + echo " sudo service wazuh-indexer start" elif command -v update-rc.d >/dev/null; then - echo "### NOT starting on installation, please execute the following statements to configure opensearch service to start automatically using chkconfig" - echo " sudo update-rc.d opensearch defaults 95 10" - echo "### You can start opensearch service by executing" - echo " sudo /etc/init.d/opensearch start" + echo "### 
NOT starting on installation, please execute the following statements to configure wazuh-indexer service to start automatically using chkconfig" + echo " sudo update-rc.d wazuh-indexer defaults 95 10" + echo "### You can start wazuh-indexer service by executing" + echo " sudo /etc/init.d/wazuh-indexer start" fi elif [ "$RESTART_ON_UPGRADE" = "true" ]; then - echo -n "Restarting opensearch service..." + echo -n "Restarting wazuh-indexer service..." if command -v systemctl >/dev/null; then systemctl daemon-reload - systemctl restart opensearch.service || true + systemctl restart wazuh-indexer.service || true - elif [ -x /etc/init.d/opensearch ]; then + elif [ -x /etc/init.d/wazuh-indexer ]; then if command -v invoke-rc.d >/dev/null; then - invoke-rc.d opensearch stop || true - invoke-rc.d opensearch start || true + invoke-rc.d wazuh-indexer stop || true + invoke-rc.d wazuh-indexer start || true else - /etc/init.d/opensearch restart || true + /etc/init.d/wazuh-indexer restart || true fi # older suse linux distributions do not ship with systemd # but do not have an /etc/init.d/ directory - # this tries to start the opensearch service on these + # this tries to start the wazuh-indexer service on these # as well without failing this script - elif [ -x /etc/rc.d/init.d/opensearch ] ; then - /etc/rc.d/init.d/opensearch restart || true + elif [ -x /etc/rc.d/init.d/wazuh-indexer ] ; then + /etc/rc.d/init.d/wazuh-indexer restart || true fi echo " OK" fi 
@@ -103,16 +103,16 @@ fi # the equivalent code for rpm is in posttrans if [ "$PACKAGE" = "deb" ]; then if [ ! -f "${OPENSEARCH_PATH_CONF}"/opensearch.keystore ]; then - /usr/share/opensearch/bin/opensearch-keystore create - chown root:opensearch "${OPENSEARCH_PATH_CONF}"/opensearch.keystore + /usr/share/wazuh-indexer/bin/opensearch-keystore create + chown root:wazuh-indexer "${OPENSEARCH_PATH_CONF}"/opensearch.keystore chmod 660 "${OPENSEARCH_PATH_CONF}"/opensearch.keystore md5sum "${OPENSEARCH_PATH_CONF}"/opensearch.keystore > "${OPENSEARCH_PATH_CONF}"/.opensearch.keystore.initial_md5sum else - if /usr/share/opensearch/bin/opensearch-keystore has-passwd --silent ; then + if /usr/share/wazuh-indexer/bin/opensearch-keystore has-passwd --silent ; then echo "### Warning: unable to upgrade encrypted keystore" 1>&2 echo " Please run opensearch-keystore upgrade and enter password" 1>&2 else - /usr/share/opensearch/bin/opensearch-keystore upgrade + /usr/share/wazuh-indexer/bin/opensearch-keystore upgrade fi fi fi diff --git a/distribution/packages/src/common/scripts/postrm b/distribution/packages/src/common/scripts/postrm index 75eded92a8e41..ea5bf80944481 100644 --- a/distribution/packages/src/common/scripts/postrm +++ b/distribution/packages/src/common/scripts/postrm @@ -32,7 +32,7 @@ case "$1" in REMOVE_JVM_OPTIONS_DIRECTORY=true REMOVE_USER_AND_GROUP=true ;; - failed-upgrade|abort-install|abort-upgrade|disappear|upgrade|disappear) + failed-upgrade|abort-install|abort-upgrade|disappear|upgrade) ;; # RedHat #################################################### 
@@ -53,34 +53,34 @@ esac if [ "$REMOVE_DIRS" = "true" ]; then - if [ -d /var/log/opensearch ]; then + if [ -d /var/log/wazuh-indexer ]; then echo -n "Deleting log directory..." - rm -rf /var/log/opensearch + rm -rf /var/log/wazuh-indexer echo " OK" fi - if [ -d /usr/share/opensearch/plugins ]; then + if [ -d /usr/share/wazuh-indexer/plugins ]; then echo -n "Deleting plugins directory..." - rm -rf /usr/share/opensearch/plugins + rm -rf /usr/share/wazuh-indexer/plugins echo " OK" fi # plugins may have contained bin files - if [ -d /usr/share/opensearch/bin ]; then + if [ -d /usr/share/wazuh-indexer/bin ]; then echo -n "Deleting plugin bin directories..." - rm -rf /usr/share/opensearch/bin + rm -rf /usr/share/wazuh-indexer/bin echo " OK" fi - if [ -d /var/run/opensearch ]; then + if [ -d /run/wazuh-indexer ]; then echo -n "Deleting PID directory..." - rm -rf /var/run/opensearch + rm -rf /run/wazuh-indexer echo " OK" fi # Delete the data directory if and only if empty - if [ -d /var/lib/opensearch ]; then - rmdir --ignore-fail-on-non-empty /var/lib/opensearch + if [ -d /var/lib/wazuh-indexer ]; then + rmdir --ignore-fail-on-non-empty /var/lib/wazuh-indexer fi # delete the jvm.options.d directory if and only if empty @@ -105,12 +105,12 @@ if [ "$REMOVE_DIRS" = "true" ]; then fi if [ "$REMOVE_USER_AND_GROUP" = "true" ]; then - if id opensearch > /dev/null 2>&1 ; then - userdel opensearch + if id wazuh-indexer > /dev/null 2>&1 ; then + userdel wazuh-indexer fi - if getent group opensearch > /dev/null 2>&1 ; then - groupdel opensearch + if getent group wazuh-indexer > /dev/null 2>&1 ; then + groupdel wazuh-indexer fi fi diff --git a/distribution/packages/src/common/scripts/posttrans b/distribution/packages/src/common/scripts/posttrans index 3b3d4faa766ee..bf6c844ab82bb 100644 --- a/distribution/packages/src/common/scripts/posttrans +++ b/distribution/packages/src/common/scripts/posttrans 
@@ -6,16 +6,16 @@ fi export OPENSEARCH_PATH_CONF=${OPENSEARCH_PATH_CONF:-${path.conf}} if [ ! -f "${OPENSEARCH_PATH_CONF}"/opensearch.keystore ]; then - /usr/share/opensearch/bin/opensearch-keystore create - chown root:opensearch "${OPENSEARCH_PATH_CONF}"/opensearch.keystore + /usr/share/wazuh-indexer/bin/opensearch-keystore create + chown root:wazuh-indexer "${OPENSEARCH_PATH_CONF}"/opensearch.keystore chmod 660 "${OPENSEARCH_PATH_CONF}"/opensearch.keystore md5sum "${OPENSEARCH_PATH_CONF}"/opensearch.keystore > "${OPENSEARCH_PATH_CONF}"/.opensearch.keystore.initial_md5sum else - if /usr/share/opensearch/bin/opensearch-keystore has-passwd --silent ; then + if /usr/share/wazuh-indexer/bin/opensearch-keystore has-passwd --silent ; then echo "### Warning: unable to upgrade encrypted keystore" 1>&2 echo " Please run opensearch-keystore upgrade and enter password" 1>&2 else - /usr/share/opensearch/bin/opensearch-keystore upgrade + /usr/share/wazuh-indexer/bin/opensearch-keystore upgrade fi fi diff --git a/distribution/packages/src/common/scripts/preinst b/distribution/packages/src/common/scripts/preinst index 31e5b803b1604..75d93c73fccf1 100644 --- a/distribution/packages/src/common/scripts/preinst +++ b/distribution/packages/src/common/scripts/preinst 
@@ -29,24 +29,24 @@ case "$1" in # Debian #################################################### install|upgrade) - # Create opensearch group if not existing - if ! getent group opensearch > /dev/null 2>&1 ; then - echo -n "Creating opensearch group..." - addgroup --quiet --system opensearch + # Create wazuh-indexer group if not existing + if ! getent group wazuh-indexer > /dev/null 2>&1 ; then + echo -n "Creating wazuh-indexer group..." + addgroup --quiet --system wazuh-indexer echo " OK" fi - # Create opensearch user if not existing - if ! id opensearch > /dev/null 2>&1 ; then - echo -n "Creating opensearch user..." + # Create wazuh-indexer user if not existing + if ! id wazuh-indexer > /dev/null 2>&1 ; then + echo -n "Creating wazuh-indexer user..." adduser --quiet \ --system \ --no-create-home \ --home /nonexistent \ - --ingroup opensearch \ + --ingroup wazuh-indexer \ --disabled-password \ --shell /bin/false \ - opensearch + wazuh-indexer echo " OK" fi ;; @@ -56,23 +56,23 @@ case "$1" in # RedHat #################################################### 1|2) - # Create opensearch group if not existing - if ! getent group opensearch > /dev/null 2>&1 ; then - echo -n "Creating opensearch group..." - groupadd -r opensearch + # Create wazuh-indexer group if not existing + if ! getent group wazuh-indexer > /dev/null 2>&1 ; then + echo -n "Creating wazuh-indexer group..." + groupadd -r wazuh-indexer echo " OK" fi - # Create opensearch user if not existing - if ! id opensearch > /dev/null 2>&1 ; then - echo -n "Creating opensearch user..." + # Create wazuh-indexer user if not existing + if ! id wazuh-indexer > /dev/null 2>&1 ; then + echo -n "Creating wazuh-indexer user..." useradd --system \ --no-create-home \ --home-dir /nonexistent \ - --gid opensearch \ + --gid wazuh-indexer \ --shell /sbin/nologin \ - --comment "opensearch user" \ - opensearch + --comment "wazuh-indexer user" \ + wazuh-indexer echo " OK" fi ;; 
diff --git a/distribution/packages/src/common/scripts/prerm b/distribution/packages/src/common/scripts/prerm index dd3cadd383dbe..7609abb950339 100644 --- a/distribution/packages/src/common/scripts/prerm +++ b/distribution/packages/src/common/scripts/prerm @@ -51,23 +51,23 @@ esac # Stops the service if [ "$STOP_REQUIRED" = "true" ]; then - echo -n "Stopping opensearch service..." + echo -n "Stopping wazuh-indexer service..." if command -v systemctl >/dev/null; then - systemctl --no-reload stop opensearch.service + systemctl --no-reload stop wazuh-indexer.service - elif [ -x /etc/init.d/opensearch ]; then + elif [ -x /etc/init.d/wazuh-indexer ]; then if command -v invoke-rc.d >/dev/null; then - invoke-rc.d opensearch stop + invoke-rc.d wazuh-indexer stop else - /etc/init.d/opensearch stop + /etc/init.d/wazuh-indexer stop fi # older suse linux distributions do not ship with systemd # but do not have an /etc/init.d/ directory - # this tries to start the opensearch service on these + # this tries to start the wazuh-indexer service on these # as well without failing this script - elif [ -x /etc/rc.d/init.d/opensearch ] ; then - /etc/rc.d/init.d/opensearch stop + elif [ -x /etc/rc.d/init.d/wazuh-indexer ] ; then + /etc/rc.d/init.d/wazuh-indexer stop fi echo " OK" fi @@ -80,15 +80,15 @@ fi if [ "$REMOVE_SERVICE" = "true" ]; then if command -v systemctl >/dev/null; then - systemctl disable opensearch.service > /dev/null 2>&1 || true + systemctl disable wazuh-indexer.service > /dev/null 2>&1 || true fi if command -v chkconfig >/dev/null; then - chkconfig --del opensearch 2> /dev/null || true + chkconfig --del wazuh-indexer 2> /dev/null || true fi if command -v update-rc.d >/dev/null; then - update-rc.d opensearch remove >/dev/null || true + update-rc.d wazuh-indexer remove >/dev/null || true fi fi 
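Review bot: the removal path stops and disables only `wazuh-indexer.service`, but this patch also adds `wazuh-indexer-performance-analyzer.service` (with `Restart=on-failure` and `WantedBy=multi-user.target`), and the `debian/prerm` added later in the same patch does stop that unit. Add the matching `systemctl --no-reload stop wazuh-indexer-performance-analyzer.service` to the `STOP_REQUIRED` block and a `systemctl disable` for it to the `REMOVE_SERVICE` block; otherwise package removal leaves an enabled unit that systemd keeps trying to restart against a binary that no longer exists.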
diff --git a/distribution/packages/src/common/systemd/opensearch.conf b/distribution/packages/src/common/systemd/opensearch.conf deleted file mode 100644 index 1245c11a6b7e8..0000000000000 --- a/distribution/packages/src/common/systemd/opensearch.conf +++ /dev/null @@ -1 +0,0 @@ -d /var/run/opensearch 0755 opensearch opensearch - - diff --git a/distribution/packages/src/common/systemd/sysctl/opensearch.conf b/distribution/packages/src/common/systemd/sysctl/wazuh-indexer.conf similarity index 100% rename from distribution/packages/src/common/systemd/sysctl/opensearch.conf rename to distribution/packages/src/common/systemd/sysctl/wazuh-indexer.conf diff --git a/distribution/packages/src/common/systemd/systemd-entrypoint b/distribution/packages/src/common/systemd/systemd-entrypoint index de59b4573f79a..cc24e7b3b5b5f 100644 --- a/distribution/packages/src/common/systemd/systemd-entrypoint +++ b/distribution/packages/src/common/systemd/systemd-entrypoint @@ -6,7 +6,7 @@ set -e -o pipefail if [ -n "$OPENSEARCH_KEYSTORE_PASSPHRASE_FILE" ] ; then - exec /usr/share/opensearch/bin/opensearch "$@" < "$OPENSEARCH_KEYSTORE_PASSPHRASE_FILE" + exec /usr/share/wazuh-indexer/bin/opensearch "$@" < "$OPENSEARCH_KEYSTORE_PASSPHRASE_FILE" else - exec /usr/share/opensearch/bin/opensearch "$@" + exec /usr/share/wazuh-indexer/bin/opensearch "$@" fi diff --git a/distribution/packages/src/common/systemd/wazuh-indexer.conf b/distribution/packages/src/common/systemd/wazuh-indexer.conf new file mode 100644 index 0000000000000..c021c7bcbb024 --- /dev/null +++ b/distribution/packages/src/common/systemd/wazuh-indexer.conf @@ -0,0 +1 @@ +d /run/wazuh-indexer 0750 wazuh-indexer wazuh-indexer - - 
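Review bot: the new tmpfiles entry `d /run/wazuh-indexer 0750 wazuh-indexer wazuh-indexer - -` tightens the PID directory from 0755, but the two init.d scripts in this patch create the same directory themselves when it is missing with `mkdir -p "$PID_DIR" && chown wazuh-indexer:wazuh-indexer "$PID_DIR"` and no chmod, so the mode there depends on the caller's umask, and the Debian init.d additionally still resolves it as `PID_DIR="/var/run/$NAME"` while this unit and the RPM init.d use `/run/wazuh-indexer`. Set the mode explicitly in the init.d scripts (for example `install -d -m 0750 -o wazuh-indexer -g wazuh-indexer "$PID_DIR"`) and point both at `/run/wazuh-indexer` so every start path yields the same directory with the same permissions.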
diff --git a/distribution/packages/src/common/systemd/opensearch.service b/distribution/packages/src/common/systemd/wazuh-indexer.service similarity index 70% rename from distribution/packages/src/common/systemd/opensearch.service rename to distribution/packages/src/common/systemd/wazuh-indexer.service index 962dc5d2aae72..d4171152df3ca 100644 --- a/distribution/packages/src/common/systemd/opensearch.service +++ b/distribution/packages/src/common/systemd/wazuh-indexer.service 
@@ -1,30 +1,31 @@ [Unit] -Description=OpenSearch -Documentation=https://www.elastic.co +Description=wazuh-indexer +Documentation=https://documentation.wazuh.com Wants=network-online.target After=network-online.target [Service] Type=notify -RuntimeDirectory=opensearch +RuntimeDirectory=wazuh-indexer PrivateTmp=true -Environment=OPENSEARCH_HOME=/usr/share/opensearch +Environment=OPENSEARCH_HOME=/usr/share/wazuh-indexer +Environment=OPENSEARCH_TMPDIR=/var/log/wazuh-indexer/tmp Environment=OPENSEARCH_PATH_CONF=${path.conf} -Environment=PID_DIR=/var/run/opensearch +Environment=PID_DIR=/run/wazuh-indexer Environment=OPENSEARCH_SD_NOTIFY=true EnvironmentFile=-${path.env} -WorkingDirectory=/usr/share/opensearch +WorkingDirectory=/usr/share/wazuh-indexer -User=opensearch -Group=opensearch +User=wazuh-indexer +Group=wazuh-indexer -ExecStart=/usr/share/opensearch/bin/systemd-entrypoint -p ${PID_DIR}/opensearch.pid --quiet +ExecStart=/usr/share/wazuh-indexer/bin/systemd-entrypoint -p ${PID_DIR}/wazuh-indexer.pid --quiet # StandardOutput is configured to redirect to journalctl since # some error messages may be logged in standard output before -# opensearch logging system is initialized. OpenSearch -# stores its logs in /var/log/opensearch and does not use +# wazuh-indexer logging system is initialized. Wazuh-indexer +# stores its logs in /var/log/wazuh-indexer and does not use # journalctl by default. If you also want to enable journalctl # logging, you can simply remove the "quiet" option from ExecStart. StandardOutput=journal @@ -58,7 +59,7 @@ SendSIGKILL=no SuccessExitStatus=143 # Allow a slow startup before the systemd notifier module kicks in to extend the timeout -TimeoutStartSec=75 +TimeoutStartSec=180 [Install] WantedBy=multi-user.target diff --git a/distribution/packages/src/common/wazuh-indexer-performance-analyzer.service b/distribution/packages/src/common/wazuh-indexer-performance-analyzer.service new file mode 100644 index 0000000000000..c744071b958b3 
--- /dev/null +++ b/distribution/packages/src/common/wazuh-indexer-performance-analyzer.service @@ -0,0 +1,22 @@ +# Copyright OpenSearch Contributors +# SPDX-License-Identifier: Apache-2.0 +# +# The OpenSearch Contributors require contributions made to +# this file be licensed under the Apache-2.0 license or a +# compatible open source license. + +[Unit] +Description=OpenSearch Performance Analyzer + +[Service] +Type=simple +ExecStart=/usr/share/wazuh-indexer/bin/opensearch-performance-analyzer/performance-analyzer-agent-cli +Restart=on-failure +User=wazuh-indexer +Group=wazuh-indexer +Environment=OPENSEARCH_HOME=/usr/share/wazuh-indexer +Environment=OPENSEARCH_PATH_CONF=/etc/wazuh-indexer/ +WorkingDirectory=/usr/share/wazuh-indexer + +[Install] +WantedBy=multi-user.target \ No newline at end of file diff --git a/distribution/packages/src/deb/Makefile b/distribution/packages/src/deb/Makefile new file mode 100644 index 0000000000000..14e4dbd7efc82 --- /dev/null +++ b/distribution/packages/src/deb/Makefile @@ -0,0 +1,19 @@ +# Copyright OpenSearch Contributors +# SPDX-License-Identifier: Apache-2.0 +# +# The OpenSearch Contributors require contributions made to +# this file be licensed under the Apache-2.0 license or a +# compatible open source license. + +# deb opensearch Makefile + +all: install + +install: + ./debmake_install.sh $(CURDIR) + +clean: ; + +distclean: clean + +.PHONY: all clean distclean install \ No newline at end of file diff --git a/distribution/packages/src/deb/debian/control b/distribution/packages/src/deb/debian/control new file mode 100644 index 0000000000000..a30369d6327b1 --- /dev/null +++ b/distribution/packages/src/deb/debian/control 
@@ -0,0 +1,22 @@ +# Copyright OpenSearch Contributors +# SPDX-License-Identifier: Apache-2.0 +# +# The OpenSearch Contributors require contributions made to +# this file be licensed under the Apache-2.0 license or a +# compatible open source license. + +Source: wazuh-indexer +Section: web +Priority: optional +Maintainer: Wazuh, Inc +Build-Depends: debhelper-compat (= 12) +Standards-Version: 4.5.0 +Homepage: https://www.wazuh.com/ + +Package: wazuh-indexer +Architecture: any +Description: Wazuh indexer is a near real-time full-text search and analytics engine that gathers security-related data into one platform. + This Wazuh central component indexes and stores alerts generated by the Wazuh server. + Wazuh indexer can be configured as a single-node or multi-node cluster, providing scalability and high availability. + Documentation can be found at https://documentation.wazuh.com/current/getting-started/components/wazuh-indexer.html + diff --git a/distribution/packages/src/deb/debian/copyright b/distribution/packages/src/deb/debian/copyright new file mode 100644 index 0000000000000..e7cb0fc0d0109 --- /dev/null +++ b/distribution/packages/src/deb/debian/copyright 
@@ -0,0 +1,38 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: wazuh-indexer +Upstream-Contact: info@wazuh.com +Source: https://www.wazuh.com +Files: * +Copyright: OpenSearch Contributors +License: Apache-2.0 + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + . + http://www.apache.org/licenses/LICENSE-2.0 + . + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + . + On Debian systems, the complete text of the Apache License, Version 2 + can be found in "/usr/share/common-licenses/Apache-2.0". + +Files: debian/* +License: Apache-2.0 + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + . + http://www.apache.org/licenses/LICENSE-2.0 + . + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + . + On Debian systems, the complete text of the Apache License, Version 2 + can be found in "/usr/share/common-licenses/Apache-2.0". diff --git a/distribution/packages/src/deb/debian/postinst b/distribution/packages/src/deb/debian/postinst new file mode 100644 index 0000000000000..c523ffa260091 --- /dev/null +++ b/distribution/packages/src/deb/debian/postinst 
@@ -0,0 +1,65 @@ +#!/bin/bash + +# Copyright Wazuh Indexer Contributors +# SPDX-License-Identifier: Apache-2.0 +# +# The Wazuh Indexer Contributors require contributions made to +# this file be licensed under the Apache-2.0 license or a +# compatible open source license. + +# deb wazuh-indexer postinst script + +set -e + +echo "Running Wazuh Indexer Post-Installation Script" + +product_dir=/usr/share/wazuh-indexer +config_dir=/etc/wazuh-indexer +data_dir=/var/lib/wazuh-indexer +log_dir=/var/log/wazuh-indexer +pid_dir=/run/wazuh-indexer +tmp_dir=/var/log/wazuh-indexer/tmp +restart_service=/tmp/wazuh-indexer.restart + +# Create needed directories +mkdir -p ${tmp_dir} + +# Set owner +chown -R wazuh-indexer:wazuh-indexer ${product_dir} +chown -R wazuh-indexer:wazuh-indexer ${config_dir} +chown -R wazuh-indexer:wazuh-indexer ${log_dir} +chown -R wazuh-indexer:wazuh-indexer ${data_dir} +chown -R wazuh-indexer:wazuh-indexer ${pid_dir} +chown -R wazuh-indexer:wazuh-indexer ${tmp_dir} + +# Reload systemctl daemon +if command -v systemctl > /dev/null; then + systemctl daemon-reload +fi + +# Reload other configs +if command -v systemctl > /dev/null; then + systemctl restart systemd-sysctl.service || true +fi + +if command -v systemd-tmpfiles > /dev/null; then + systemd-tmpfiles --create wazuh-indexer.conf +fi + +if [ -f $restart_service ]; then + rm -f $restart_service + echo "Restarting wazuh-indexer service..." + if command -v systemctl > /dev/null; then + systemctl restart wazuh-indexer.service > /dev/null 2>&1 + fi + exit 0 +fi + +# Messages +echo "### NOT starting on installation, please execute the following statements to configure wazuh-indexer service to start automatically using systemd" +echo " sudo systemctl daemon-reload" +echo " sudo systemctl enable wazuh-indexer.service" +echo "### You can start wazuh-indexer service by executing" +echo " sudo systemctl start wazuh-indexer.service" + +exit 0 
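Review bot: the restart marker `restart_service=/tmp/wazuh-indexer.restart` is created by root in `preinst` and consumed with `rm -f` here from a world-writable directory, so an unprivileged local user can pre-create or replace that path (including as a symlink) and influence what root touches or removes during a package upgrade; the RPM spec in this patch keeps its marker under `%{INSTALL_DIR}`, and the Debian scripts should use a root-owned location as well (for example under `${product_dir}` or `/var/lib/wazuh-indexer`). Separately, `chown -R wazuh-indexer:wazuh-indexer ${product_dir}` hands ownership of the whole install tree (bin, jdk, plugins) to the service account, which undoes the 750/640 layout `debmake_install.sh` sets up and lets a compromised indexer process rewrite its own executables; keep binaries root-owned and group-readable and chown only the directories the service must write to (`${data_dir}`, `${log_dir}`, `${tmp_dir}`, `${pid_dir}`), and give `${tmp_dir}` an explicit mode since `mkdir -p` leaves it to the umask.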
diff --git a/distribution/packages/src/deb/debian/preinst b/distribution/packages/src/deb/debian/preinst new file mode 100644 index 0000000000000..e36f94b197b5d --- /dev/null +++ b/distribution/packages/src/deb/debian/preinst @@ -0,0 +1,35 @@ +#!/bin/bash + +# Copyright OpenSearch Contributors +# SPDX-License-Identifier: Apache-2.0 +# +# The OpenSearch Contributors require contributions made to +# this file be licensed under the Apache-2.0 license or a +# compatible open source license. + +# deb wazuh-indexer preinst script + +set -e + +echo "Running Wazuh Indexer Pre-Installation Script" + +# Reference to restore actual service status +restart_service=/tmp/wazuh-indexer.restart + +# Stop existing service +if command -v systemctl >/dev/null && systemctl is-active wazuh-indexer.service >/dev/null; then + echo "Stop existing wazuh-indexer.service" + systemctl --no-reload stop wazuh-indexer.service + touch $restart_service +fi +if command -v systemctl >/dev/null && systemctl is-active wazuh-indexer-performance-analyzer.service >/dev/null; then + echo "Stop existing wazuh-indexer-performance-analyzer.service" + systemctl --no-reload stop wazuh-indexer-performance-analyzer.service +fi + +# Create user and group if they do not already exist. +getent group wazuh-indexer > /dev/null 2>&1 || groupadd -r wazuh-indexer +getent passwd wazuh-indexer > /dev/null 2>&1 || \ + useradd -r -g wazuh-indexer -M -s /sbin/nologin \ + -c "wazuh-indexer user/group" wazuh-indexer +exit 0 diff --git a/distribution/packages/src/deb/debian/prerm b/distribution/packages/src/deb/debian/prerm new file mode 100644 index 0000000000000..f92bbfcf3b69f --- /dev/null +++ b/distribution/packages/src/deb/debian/prerm 
@@ -0,0 +1,37 @@ +#!/bin/bash + +# Copyright OpenSearch Contributors +# SPDX-License-Identifier: Apache-2.0 +# +# The OpenSearch Contributors require contributions made to +# this file be licensed under the Apache-2.0 license or a +# compatible open source license. + +# deb wazuh-indexer prerm script + +set -e + +case "$1" in + upgrade|deconfigure) + ;; + remove) + echo "Running Wazuh Indexer Pre-Removal Script" + # Stop existing service + if command -v systemctl >/dev/null && systemctl is-active wazuh-indexer.service >/dev/null; then + echo "Stop existing wazuh-indexer.service" + systemctl --no-reload stop wazuh-indexer.service + fi + if command -v systemctl >/dev/null && systemctl is-active wazuh-indexer-performance-analyzer.service >/dev/null; then + echo "Stop existing wazuh-indexer-performance-analyzer.service" + systemctl --no-reload stop wazuh-indexer-performance-analyzer.service + fi + ;; + failed-upgrade) + ;; + *) + echo "prerm called with unknown argument \`$1'" >&2 + exit 0 + ;; +esac + +exit 0 diff --git a/distribution/packages/src/deb/debian/rules b/distribution/packages/src/deb/debian/rules new file mode 100644 index 0000000000000..cff9a800ada88 --- /dev/null +++ b/distribution/packages/src/deb/debian/rules 
@@ -0,0 +1,32 @@ +#!/usr/bin/make -f + +# Copyright OpenSearch Contributors +# SPDX-License-Identifier: Apache-2.0 +# +# The OpenSearch Contributors require contributions made to +# this file be licensed under the Apache-2.0 license or a +# compatible open source license. + +# You must remove unused comment lines for the released package. +#export DH_VERBOSE = 1 +#export DEB_BUILD_MAINT_OPTIONS = hardening=+all +#export DEB_CFLAGS_MAINT_APPEND = -Wall -pedantic +#export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed + +SHELL != sh -c "command -v /bin/bash" +.ONESHELL: + +%: + dh $@ + +override_dh_strip_nondeterminism: + echo "Skipping dh_strip_nondeterminism" + +override_dh_fixperms: + echo "Skipping dh_fixperms" + +override_dh_builddeb: + dh_builddeb -- -Zgzip + +override_dh_gencontrol: + dh_gencontrol -- -DLicense=Apache-2.0 diff --git a/distribution/packages/src/deb/debmake_install.sh b/distribution/packages/src/deb/debmake_install.sh new file mode 100644 index 0000000000000..372b49d7da330 --- /dev/null +++ b/distribution/packages/src/deb/debmake_install.sh 
@@ -0,0 +1,93 @@ +#!/bin/bash + +# Copyright OpenSearch Contributors +# SPDX-License-Identifier: Apache-2.0 +# +# The OpenSearch Contributors require contributions made to +# this file be licensed under the Apache-2.0 license or a +# compatible open source license. + +# debmake opensearch install script + +set -ex + +if [ -z "$1" ]; then + echo "Missing curdir path" + exit 1 +fi + +curdir=$1 + +name="wazuh-indexer" + +product_dir="/usr/share/${name}" +config_dir="/etc/${name}" +# data_dir="/var/lib/${name}" +# log_dir="/var/log/${name}" +pid_dir="/run/${name}" +service_dir="/usr/lib/systemd/system" + +buildroot="${curdir}/debian/${name}" + +# Create necessary directories +mkdir -p "${buildroot}" +mkdir -p "${buildroot}${pid_dir}" +mkdir -p "${buildroot}${product_dir}/plugins" + +# Install directories/files +cp -a "${curdir}"/etc "${curdir}"/usr "${curdir}"/var "${buildroot}"/ + +# General permissions for most of the package's files: +find "${buildroot}" -type d -exec chmod 750 {} \; +find "${buildroot}" -type f -exec chmod 640 {} \; + +# Permissions for the Systemd files +systemd_files=() +systemd_files+=("${buildroot}/${service_dir}/${name}.service") +systemd_files+=("${buildroot}/${service_dir}/${name}-performance-analyzer.service") +systemd_files+=("${buildroot}/${service_dir}/${name}-performance-analyzer.service") +systemd_files+=("${buildroot}/etc/init.d/${name}") +systemd_files+=("${buildroot}/usr/lib/sysctl.d/${name}.conf") +systemd_files+=("${buildroot}/usr/lib/tmpfiles.d/${name}.conf") + +for i in "${systemd_files[@]}"; do + chmod -c 0644 "$i" +done + +# Permissions for config files +config_files=() +config_files+=("${buildroot}/${config_dir}/log4j2.properties") +config_files+=("${buildroot}/${config_dir}/jvm.options") +config_files+=("${buildroot}/${config_dir}/opensearch.yml") + +for i in "${config_files[@]}"; do + chmod -c 0660 "$i" +done + +# Plugin-related files +if [ -e "${buildroot}/${config_dir}/opensearch-observability/observability.yml" ]; then + 
chmod -c 660 "${buildroot}/${config_dir}/opensearch-observability/observability.yml" +fi + +if [ -e "${buildroot}/${config_dir}/wazuh-indexer-reports-scheduler/reports-scheduler.yml" ]; then + chmod -c 660 "${buildroot}/${config_dir}/wazuh-indexer-reports-scheduler/reports-scheduler.yml" +fi + +# Files that need other permissions +chmod -c 440 "${buildroot}${product_dir}/VERSION" +if [ -d "${buildroot}${product_dir}/plugins/opensearch-security" ]; then + chmod -c 0740 "${buildroot}${product_dir}"/plugins/opensearch-security/tools/*.sh +fi + +binary_files=() +binary_files+=("${buildroot}${product_dir}"/bin/*) +binary_files+=("${buildroot}${product_dir}"/jdk/bin/*) +binary_files+=("${buildroot}${product_dir}"/jdk/lib/jspawnhelper) +binary_files+=("${buildroot}${product_dir}"/jdk/lib/modules) +binary_files+=("${buildroot}${product_dir}"/performance-analyzer-rca/bin/*) + +for i in "${binary_files[@]}"; do + chmod -c 750 "$i" +done + +exit 0 diff --git a/distribution/packages/src/deb/init.d/opensearch b/distribution/packages/src/deb/init.d/wazuh-indexer similarity index 79% rename from distribution/packages/src/deb/init.d/opensearch rename to distribution/packages/src/deb/init.d/wazuh-indexer index 681d87df1d356..5843a982adc5e 100755 --- a/distribution/packages/src/deb/init.d/opensearch +++ b/distribution/packages/src/deb/init.d/wazuh-indexer 
@@ -1,22 +1,22 @@ #!/usr/bin/env bash # -# /etc/init.d/opensearch -- startup script for OpenSearch +# /etc/init.d/wazuh-indexer -- startup script for Wazuh indexer # ### BEGIN INIT INFO -# Provides: opensearch +# Provides: wazuh-indexer # Required-Start: $network $remote_fs $named # Required-Stop: $network $remote_fs $named # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 -# Short-Description: Starts opensearch -# Description: Starts opensearch using start-stop-daemon +# Short-Description: Starts wazuh-indexer +# Description: Starts wazuh-indexer using start-stop-daemon ### END INIT INFO set -e -o pipefail PATH=/bin:/usr/bin:/sbin:/usr/sbin -NAME=opensearch -DESC="OpenSearch Server" +NAME=wazuh-indexer +DESC=$NAME DEFAULT=/etc/default/$NAME if [ `id -u` -ne 0 ]; then @@ -53,7 +53,7 @@ OPENSEARCH_PATH_CONF=/etc/$NAME MAX_MAP_COUNT=262144 # OpenSearch PID file directory -PID_DIR="/var/run/opensearch" +PID_DIR="/var/run/$NAME" # End of variables that can be overwritten in $DEFAULT @@ -73,7 +73,7 @@ export JAVA_HOME export OPENSEARCH_JAVA_HOME if [ ! -x "$DAEMON" ]; then - echo "The opensearch startup script does not exists or it is not executable, tried: $DAEMON" + echo "The wazuh-indexer startup script does not exists or it is not executable, tried: $DAEMON" exit 1 fi @@ -82,7 +82,7 @@ case "$1" in log_daemon_msg "Starting $DESC" - pid=`pidofproc -p $PID_FILE opensearch` + pid=`pidofproc -p $PID_FILE wazuh-indexer` if [ -n "$pid" ] ; then log_begin_msg "Already running." log_end_msg 0 
@@ -91,10 +91,10 @@ case "$1" in # Ensure that the PID_DIR exists (it is cleaned at OS startup time) if [ -n "$PID_DIR" ] && [ ! -e "$PID_DIR" ]; then - mkdir -p "$PID_DIR" && chown opensearch:opensearch "$PID_DIR" + mkdir -p "$PID_DIR" && chown wazuh-indexer:wazuh-indexer "$PID_DIR" fi if [ -n "$PID_FILE" ] && [ ! -e "$PID_FILE" ]; then - touch "$PID_FILE" && chown opensearch:opensearch "$PID_FILE" + touch "$PID_FILE" && chown wazuh-indexer:wazuh-indexer "$PID_FILE" fi if [ -n "$MAX_OPEN_FILES" ]; then @@ -110,7 +110,7 @@ case "$1" in fi # Start Daemon - start-stop-daemon -d $OPENSEARCH_HOME --start --user opensearch -c opensearch --pidfile "$PID_FILE" --exec $DAEMON -- $DAEMON_OPTS + start-stop-daemon -d $OPENSEARCH_HOME --start --user wazuh-indexer -c wazuh-indexer --pidfile "$PID_FILE" --exec $DAEMON -- $DAEMON_OPTS return=$? if [ $return -eq 0 ]; then i=0 @@ -134,7 +134,7 @@ case "$1" in if [ -f "$PID_FILE" ]; then start-stop-daemon --stop --pidfile "$PID_FILE" \ - --user opensearch \ + --user wazuh-indexer \ --quiet \ --retry forever/TERM/20 > /dev/null if [ $? -eq 1 ]; then @@ -151,7 +151,7 @@ case "$1" in log_end_msg 0 ;; status) - status_of_proc -p $PID_FILE opensearch opensearch && exit 0 || exit $? + status_of_proc -p $PID_FILE wazuh-indexer wazuh-indexer && exit 0 || exit $? ;; restart|force-reload) if [ -f "$PID_FILE" ]; then diff --git a/distribution/packages/src/deb/lintian/opensearch b/distribution/packages/src/deb/lintian/opensearch deleted file mode 100644 index e6db8e8c6b322..0000000000000 --- a/distribution/packages/src/deb/lintian/opensearch +++ /dev/null 
@@ -1,46 +0,0 @@ -# we don't have a changelog, but we put our copyright file -# under /usr/share/doc/opensearch, which triggers this warning -changelog-file-missing-in-native-package - -# we intentionally copy our copyright file for all deb packages -copyright-file-contains-full-apache-2-license -copyright-should-refer-to-common-license-file-for-apache-2 -copyright-without-copyright-notice - -# we still put all our files under /usr/share/opensearch even after transition to platform dependent packages -arch-dependent-file-in-usr-share - -# we have a bundled jdk, so don't use jarwrapper -missing-dep-on-jarwrapper - -# we prefer to not make our config and log files world readable -non-standard-file-perm etc/default/opensearch 0660 != 0644 -non-standard-dir-perm etc/opensearch/ 0750 != 0755 -non-standard-dir-perm etc/opensearch/jvm.options.d/ 0750 != 0755 -non-standard-file-perm etc/opensearch/* -non-standard-dir-perm var/lib/opensearch/ 0750 != 0755 -non-standard-dir-perm var/log/opensearch/ 0750 != 0755 -executable-is-not-world-readable etc/init.d/opensearch 0750 -non-standard-file-permissions-for-etc-init.d-script etc/init.d/opensearch 0750 != 0755 - -# this lintian tag is simply wrong; contrary to the explanation, debian systemd -# does actually look at /usr/lib/systemd/system -systemd-service-file-outside-lib usr/lib/systemd/system/opensearch.service - -# we do not automatically enable the service in init.d or systemd -script-in-etc-init.d-not-registered-via-update-rc.d etc/init.d/opensearch - -# the package scripts handle init.d/systemd directly and don't need to use deb helpers -maintainer-script-calls-systemctl -prerm-calls-updaterc.d opensearch - -# bundled JDK -embedded-library -arch-dependent-file-in-usr-share usr/share/opensearch/jdk/* -unstripped-binary-or-object usr/share/opensearch/jdk/* -extra-license-file usr/share/opensearch/jdk/legal/* -hardening-no-pie usr/share/opensearch/jdk/bin/* -hardening-no-pie usr/share/opensearch/jdk/lib/* - -# the system 
java version that lintian assumes is far behind what opensearch uses -unknown-java-class-version diff --git a/distribution/packages/src/deb/lintian/wazuh-indexer b/distribution/packages/src/deb/lintian/wazuh-indexer new file mode 100644 index 0000000000000..6d98dc7a7b879 --- /dev/null +++ b/distribution/packages/src/deb/lintian/wazuh-indexer 
@@ -0,0 +1,46 @@ +# we don't have a changelog, but we put our copyright file +# under /usr/share/doc/wazuh-indexer, which triggers this warning +changelog-file-missing-in-native-package + +# we intentionally copy our copyright file for all deb packages +copyright-file-contains-full-apache-2-license +copyright-should-refer-to-common-license-file-for-apache-2 +copyright-without-copyright-notice + +# we still put all our files under /usr/share/wazuh-indexer even after transition to platform dependent packages +arch-dependent-file-in-usr-share + +# we have a bundled jdk, so don't use jarwrapper +missing-dep-on-jarwrapper + +# we prefer to not make our config and log files world readable +non-standard-file-perm etc/default/wazuh-indexer 0660 != 0644 +non-standard-dir-perm etc/wazuh-indexer/ 0750 != 0755 +non-standard-dir-perm etc/wazuh-indexer/jvm.options.d/ 0750 != 0755 +non-standard-file-perm etc/wazuh-indexer/* +non-standard-dir-perm var/lib/wazuh-indexer/ 0750 != 0755 +non-standard-dir-perm var/log/wazuh-indexer/ 0750 != 0755 +executable-is-not-world-readable etc/init.d/wazuh-indexer 0750 +non-standard-file-permissions-for-etc-init.d-script etc/init.d/wazuh-indexer 0750 != 0755 + +# this lintian tag is simply wrong; contrary to the explanation, debian systemd +# does actually look at /usr/lib/systemd/system +systemd-service-file-outside-lib usr/lib/systemd/system/wazuh-indexer.service + +# we do not automatically enable the service in init.d or systemd +script-in-etc-init.d-not-registered-via-update-rc.d etc/init.d/wazuh-indexer + +# the package scripts handle init.d/systemd directly and don't need to use deb helpers +maintainer-script-calls-systemctl +prerm-calls-updaterc.d wazuh-indexer + +# bundled JDK +embedded-library +arch-dependent-file-in-usr-share usr/share/wazuh-indexer/jdk/* +unstripped-binary-or-object usr/share/wazuh-indexer/jdk/* +extra-license-file usr/share/wazuh-indexer/jdk/legal/* +hardening-no-pie usr/share/wazuh-indexer/jdk/bin/* 
+hardening-no-pie usr/share/wazuh-indexer/jdk/lib/* + +# the system java version that lintian assumes is far behind what wazuh-indexer uses +unknown-java-class-version diff --git a/distribution/packages/src/rpm/init.d/opensearch b/distribution/packages/src/rpm/init.d/wazuh-indexer similarity index 81% rename from distribution/packages/src/rpm/init.d/opensearch rename to distribution/packages/src/rpm/init.d/wazuh-indexer index 0cb9bf65796ad..c29a1068bdf88 100644 --- a/distribution/packages/src/rpm/init.d/opensearch +++ b/distribution/packages/src/rpm/init.d/wazuh-indexer @@ -1,9 +1,9 @@ #!/usr/bin/env bash # -# opensearch +# wazuh-indexer # # chkconfig: 2345 80 20 -# description: Starts and stops a single opensearch instance on this system +# description: Starts and stops a single wazuh-indexer instance on this system # ### BEGIN INIT INFO @@ -12,7 +12,7 @@ # Required-Stop: $network $named # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 -# Short-Description: This service manages the opensearch daemon +# Short-Description: This service manages the wazuh-indexer daemon # Description: OpenSearch is a very scalable, schema-free and high-performance search solution supporting multi-tenancy and near realtime search. ### END INIT INFO @@ -33,13 +33,13 @@ if [ -f /etc/rc.d/init.d/functions ]; then . /etc/rc.d/init.d/functions fi -# Sets the default values for opensearch variables used in this script -OPENSEARCH_HOME="/usr/share/opensearch" +# Sets the default values for wazuh-indexer variables used in this script +OPENSEARCH_HOME="/usr/share/wazuh-indexer" MAX_OPEN_FILES=65535 MAX_MAP_COUNT=262144 OPENSEARCH_PATH_CONF="${path.conf}" -PID_DIR="/var/run/opensearch" +PID_DIR="/run/wazuh-indexer" # Source the default env file OPENSEARCH_ENV_FILE="${path.env}" @@ -48,7 +48,7 @@ if [ -f "$OPENSEARCH_ENV_FILE" ]; then fi exec="$OPENSEARCH_HOME/bin/opensearch" -prog="opensearch" +prog="wazuh-indexer" pidfile="$PID_DIR/${prog}.pid" export OPENSEARCH_JAVA_OPTS 
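Review bot: the `Description:` line in the LSB header (a context line in the `@@ -12,7 +12,7 @@` hunk of the RPM init.d script) still reads "OpenSearch is a very scalable, schema-free and high-performance search solution ...", so after the `Short-Description` and `prog="wazuh-indexer"` renames in this file the init script describes two different products; update it to describe the Wazuh indexer, as the `wazuh-indexer.service` unit does with `Description=wazuh-indexer`. The `chkconfig: 2345 80 20` line and `lockfile=/var/lock/subsys/$prog` are otherwise consistent with the rename.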
@@ -60,7 +60,7 @@ export OPENSEARCH_JAVA_HOME lockfile=/var/lock/subsys/$prog if [ ! -x "$exec" ]; then - echo "The opensearch startup script does not exists or it is not executable, tried: $exec" + echo "The wazuh-indexer startup script does not exists or it is not executable, tried: $exec" exit 1 fi @@ -79,16 +79,16 @@ start() { # Ensure that the PID_DIR exists (it is cleaned at OS startup time) if [ -n "$PID_DIR" ] && [ ! -e "$PID_DIR" ]; then - mkdir -p "$PID_DIR" && chown opensearch:opensearch "$PID_DIR" + mkdir -p "$PID_DIR" && chown wazuh-indexer:wazuh-indexer "$PID_DIR" fi if [ -n "$pidfile" ] && [ ! -e "$pidfile" ]; then - touch "$pidfile" && chown opensearch:opensearch "$pidfile" + touch "$pidfile" && chown wazuh-indexer:wazuh-indexer "$pidfile" fi cd $OPENSEARCH_HOME echo -n $"Starting $prog: " # if not running, start it up here, usually something like "daemon $exec" - daemon --user opensearch --pidfile $pidfile $exec -p $pidfile -d + daemon --user wazuh-indexer --pidfile $pidfile $exec -p $pidfile -d retval=$? echo [ $retval -eq 0 ] && touch $lockfile diff --git a/distribution/packages/src/rpm/wazuh-indexer.cicd.spec b/distribution/packages/src/rpm/wazuh-indexer.cicd.spec new file mode 100644 index 0000000000000..6bb77d059e6b2 --- /dev/null +++ b/distribution/packages/src/rpm/wazuh-indexer.cicd.spec 
@@ -0,0 +1,755 @@ +# Wazuh package SPEC +# Copyright (C) 2021, Wazuh Inc. +# +# This program is a free software; you can redistribute it +# and/or modify it under the terms of the GNU General Public +# License (version 2) as published by the FSF - Free Software +# Foundation. +Summary: Wazuh indexer is a search and analytics engine for security-related data. Documentation can be found at https://documentation.wazuh.com/current/getting-started/components/wazuh-indexer.html +Name: wazuh-indexer +Version: %{_version} +Release: %{_release} +License: GPL +Group: System Environment/Daemons +Source0: %{name}-%{version}.tar.gz +URL: https://www.wazuh.com/ +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +Vendor: Wazuh, Inc +Packager: Wazuh, Inc +AutoReqProv: no +Requires: coreutils +ExclusiveOS: linux +BuildRequires: tar shadow-utils + +# ----------------------------------------------------------------------------- + +%global USER %{name} +%global GROUP %{name} +%global CONFIG_DIR /etc/%{name} +%global LOG_DIR /var/log/%{name} +%global LIB_DIR /var/lib/%{name} +%global SYS_DIR /usr/lib +%global INSTALL_DIR /usr/share/%{name} +%global REPO_DIR /root/unattended_installer +%global INDEXER_FILE wazuh-indexer-base-%{version}-%{release}-linux-x64.tar.xz + +# ----------------------------------------------------------------------------- + +%description +Wazuh indexer is a near real-time full-text search and analytics engine that gathers security-related data into one platform. This Wazuh central component indexes and stores alerts generated by the Wazuh server. Wazuh indexer can be configured as a single-node or multi-node cluster, providing scalability and high availability. 
Documentation can be found at https://documentation.wazuh.com/current/getting-started/components/wazuh-indexer.html + +# ----------------------------------------------------------------------------- + +%prep +# Clean BUILDROOT +rm -fr %{buildroot} + +# Create package group +getent group %{GROUP} || groupadd -r %{GROUP} + +# Create package user +if ! id %{USER} &> /dev/null; then + useradd --system \ + --no-create-home \ + --home-dir %{INSTALL_DIR} \ + --gid %{GROUP} \ + --shell /sbin/nologin \ + --comment "%{USER} user" \ + %{USER} +fi + +# ----------------------------------------------------------------------------- + +%install +# Create directories +mkdir -p ${RPM_BUILD_ROOT}%{INSTALL_DIR} +mkdir -p ${RPM_BUILD_ROOT}/etc +mkdir -p ${RPM_BUILD_ROOT}%{LOG_DIR} +mkdir -p ${RPM_BUILD_ROOT}%{LIB_DIR} +mkdir -p ${RPM_BUILD_ROOT}%{SYS_DIR} + +# Set up required files +cp /tmp/%{INDEXER_FILE} ./ + +tar -xf %{INDEXER_FILE} && rm -f %{INDEXER_FILE} +chown -R %{USER}:%{GROUP} wazuh-indexer-*/* + +# Copy base files into RPM_BUILD_ROOT directory +mv wazuh-indexer-*/etc ${RPM_BUILD_ROOT}/ +mv wazuh-indexer-*%{SYS_DIR}/* ${RPM_BUILD_ROOT}%{SYS_DIR}/ +rm -rf wazuh-indexer-*/etc +rm -rf wazuh-indexer-*/usr +cp -pr wazuh-indexer-*/* ${RPM_BUILD_ROOT}%{INSTALL_DIR}/ + +# Build wazuh-certs-tool +%{REPO_DIR}/builder.sh -c + +# Build wazuh-passwords-tool +%{REPO_DIR}/builder.sh -p + +# Copy the security tools +cp %{REPO_DIR}/wazuh-certs-tool.sh ${RPM_BUILD_ROOT}%{INSTALL_DIR}/plugins/opensearch-security/tools/ +cp %{REPO_DIR}/wazuh-passwords-tool.sh ${RPM_BUILD_ROOT}%{INSTALL_DIR}/plugins/opensearch-security/tools/ +cp /root/documentation-templates/wazuh/config.yml ${RPM_BUILD_ROOT}%{INSTALL_DIR}/plugins/opensearch-security/tools/config.yml + +# Copy Wazuh's config files for the security plugin +cp %{REPO_DIR}/config/indexer/roles/action_groups.yml ${RPM_BUILD_ROOT}%{CONFIG_DIR}/opensearch-security +cp %{REPO_DIR}/config/indexer/roles/internal_users.yml 
${RPM_BUILD_ROOT}%{CONFIG_DIR}/opensearch-security +cp %{REPO_DIR}/config/indexer/roles/roles.yml ${RPM_BUILD_ROOT}%{CONFIG_DIR}/opensearch-security +cp %{REPO_DIR}/config/indexer/roles/roles_mapping.yml ${RPM_BUILD_ROOT}%{CONFIG_DIR}/opensearch-security + +cp /root/stack/indexer/indexer-security-init.sh ${RPM_BUILD_ROOT}%{INSTALL_DIR}/bin/ + +chmod 750 ${RPM_BUILD_ROOT}/etc/init.d/wazuh-indexer + +# ----------------------------------------------------------------------------- + +%pre +if [ $1 = 1 ];then # Install + # Create package group + getent group %{GROUP} > /dev/null 2>&1 || groupadd -r %{GROUP} + + if ! id %{USER} &> /dev/null; then + useradd --system \ + --no-create-home \ + --home-dir %{INSTALL_DIR} \ + --gid %{GROUP} \ + --shell /sbin/nologin \ + --comment "%{USER} user" \ + %{USER} > /dev/null 2>&1 + fi +fi + +# Stop the services to upgrade the package +if [ $1 = 2 ]; then + if command -v systemctl > /dev/null 2>&1 && systemctl > /dev/null 2>&1 && systemctl is-active --quiet %{name} > /dev/null 2>&1; then + systemctl stop %{name}.service > /dev/null 2>&1 + touch %{INSTALL_DIR}/%{name}.restart + # Check for SysV + elif command -v service > /dev/null 2>&1 && service %{name} status 2>/dev/null | grep "is running" > /dev/null 2>&1; then + service %{name} stop > /dev/null 2>&1 + touch %{INSTALL_DIR}/%{name}.restart + elif [ -x /etc/init.d/%{name} ]; then + if command -v invoke-rc.d >/dev/null && invoke-rc.d --quiet wazuh-indexer status > /dev/null 2>&1; then + invoke-rc.d %{name} stop > /dev/null 2>&1 + touch %{INSTALL_DIR}/%{name}.restart + fi + + # Older Suse linux distributions do not ship with systemd + # but do not have an /etc/init.d/ directory + # this tries to stop the %{name} service on these + # as well without failing this script + elif [ -x /etc/rc.d/init.d/%{name} ] ; then + /etc/rc.d/init.d/%{name} stop > /dev/null 2>&1 + touch %{INSTALL_DIR}/%{name}.restart + fi +fi + +# 
----------------------------------------------------------------------------- + +%post + +export OPENSEARCH_PATH_CONF=${OPENSEARCH_PATH_CONF:-%{CONFIG_DIR}} + +if [ $1 = 1 ];then # Install + echo "%{USER} hard nproc 4096" >> /etc/security/limits.conf + echo "%{USER} soft nproc 4096" >> /etc/security/limits.conf + echo "%{USER} hard nofile 65535" >> /etc/security/limits.conf + echo "%{USER} soft nofile 65535" >> /etc/security/limits.conf + + # To pick up /usr/lib/sysctl.d/wazuh-indexer.conf + if command -v systemctl > /dev/null 2>&1; then + systemctl restart systemd-sysctl > /dev/null 2>&1 || true + fi + +fi + + +if [[ -d /run/systemd/system ]] ; then + rm -f /etc/init.d/%{name} +fi + +# If is an upgrade, move the securityconfig files if they exist (4.3.x versions) +if [ ${1} = 2 ]; then + if [ -d "%{INSTALL_DIR}"/plugins/opensearch-security/securityconfig ]; then + + if [ ! -d "%{CONFIG_DIR}"/opensearch-security ]; then + mkdir "%{CONFIG_DIR}"/opensearch-security + fi + + cp -r "%{INSTALL_DIR}"/plugins/opensearch-security/securityconfig/* "%{CONFIG_DIR}"/opensearch-security + fi +fi + +# If is an upgrade, move the securityconfig files if they exist (4.3.x versions) +if [ ${1} = 2 ]; then + if [ -d "%{INSTALL_DIR}"/plugins/opensearch-security/securityconfig ]; then + + if [ ! -d "%{CONFIG_DIR}"/opensearch-security ]; then + mkdir "%{CONFIG_DIR}"/opensearch-security + fi + + cp -r "%{INSTALL_DIR}"/plugins/opensearch-security/securityconfig/* "%{CONFIG_DIR}"/opensearch-security + fi +fi + +# ----------------------------------------------------------------------------- + +%preun + +export OPENSEARCH_PATH_CONF=${OPENSEARCH_PATH_CONF:-%{CONFIG_DIR}} + +if [ $1 = 0 ];then # Remove + echo -n "Stopping wazuh-indexer service..." 
+ if command -v systemctl > /dev/null 2>&1 && systemctl is-active --quiet %{name} > /dev/null 2>&1; then + systemctl --no-reload stop %{name}.service > /dev/null 2>&1 + + # Check for SysV + elif command -v service > /dev/null 2>&1; then + service %{name} stop > /dev/null 2>&1 + elif [ -x /etc/init.d/%{name} ]; then + if command -v invoke-rc.d >/dev/null; then + invoke-rc.d %{name} stop > /dev/null 2>&1 + else + /etc/init.d/%{name} stop > /dev/null 2>&1 + fi + elif [ -x /etc/rc.d/init.d/%{name} ] ; then + /etc/rc.d/init.d/%{name} stop > /dev/null 2>&1 + else # Anything else + kill -15 `pgrep -f opensearch` > /dev/null 2>&1 + fi + echo " OK" + + # Check for systemd + if command -v systemctl > /dev/null 2>&1 && systemctl > /dev/null 2>&1; then + systemctl disable %{name} > /dev/null 2>&1 + systemctl daemon-reload > /dev/null 2>&1 + # Check for SysV + elif command -v service > /dev/null 2>&1 && command -v chkconfig > /dev/null 2>&1; then + chkconfig %{name} off > /dev/null 2>&1 + chkconfig --del %{name} > /dev/null 2>&1 + fi +fi + +# ----------------------------------------------------------------------------- + +%postun + +export OPENSEARCH_PATH_CONF=${OPENSEARCH_PATH_CONF:-%{CONFIG_DIR}} + +if [ $1 = 0 ];then + # Cleaning limits file + sed -i '/%{USER}/d' /etc/security/limits.conf + + # Remove the user if it exists + if getent passwd %{USER} > /dev/null 2>&1; then + userdel %{USER} >/dev/null 2>&1 + fi + + # Remove the group if it exists + if command -v getent > /dev/null 2>&1 && getent group %{GROUP} > /dev/null 2>&1; then + groupdel %{GROUP} >/dev/null 2>&1 + elif getent group %{GROUP} > /dev/null 2>&1; then + groupdel %{GROUP} >/dev/null 2>&1 + fi + + # Remove lingering folders and files + if [ -d /dev/shm/performanceanalyzer ]; then + rm -rf /dev/shm/performanceanalyzer + fi + rm -rf %{INSTALL_DIR} +fi + +# ----------------------------------------------------------------------------- + +%posttrans + +export 
OPENSEARCH_PATH_CONF=${OPENSEARCH_PATH_CONF:-%{CONFIG_DIR}} + +if [ -f %{INSTALL_DIR}/%{name}.restart ]; then + echo -n "Starting wazuh-indexer service..." + rm -f %{INSTALL_DIR}/%{name}.restart + if command -v systemctl > /dev/null 2>&1; then + systemctl daemon-reload > /dev/null 2>&1 + systemctl restart %{name}.service > /dev/null 2>&1 + + # Check for SysV + elif command -v service > /dev/null 2>&1; then + service %{name} restart > /dev/null 2>&1 + elif [ -x /etc/init.d/%{name} ]; then + if command -v invoke-rc.d >/dev/null; then + invoke-rc.d %{name} restart > /dev/null 2>&1 + else + /etc/init.d/%{name} restart > /dev/null 2>&1 + fi + elif [ -x /etc/rc.d/init.d/%{name} ] ; then + /etc/rc.d/init.d/%{name} restart > /dev/null 2>&1 + fi + echo " OK" +fi + +if [ ! -f "%{CONFIG_DIR}"/opensearch.keystore ]; then + "%{INSTALL_DIR}"/bin/opensearch-keystore create + chown %{USER}:%{GROUP} "%{CONFIG_DIR}"/opensearch.keystore + chmod 660 "%{CONFIG_DIR}"/opensearch.keystore + md5sum "%{CONFIG_DIR}"/opensearch.keystore > "%{CONFIG_DIR}"/.opensearch.keystore.initial_md5sum + chown %{USER}:%{GROUP} "%{CONFIG_DIR}"/.opensearch.keystore.initial_md5sum + chmod 600 "%{CONFIG_DIR}"/.opensearch.keystore.initial_md5sum +else + chown %{USER}:%{GROUP} "%{CONFIG_DIR}"/opensearch.keystore + chmod 660 "%{CONFIG_DIR}"/opensearch.keystore + if "%{INSTALL_DIR}"/bin/opensearch-keystore has-passwd --silent ; then + echo "### Warning: unable to upgrade encrypted keystore" 1>&2 + echo " Please run opensearch-keystore upgrade and enter password" 1>&2 + else + "%{INSTALL_DIR}"/bin/opensearch-keystore upgrade + fi +fi + +# ----------------------------------------------------------------------------- + +%clean +rm -fr %{buildroot} + +# ----------------------------------------------------------------------------- + +%files +%defattr(-, %{USER}, %{GROUP}) +%dir %attr(750, %{USER}, %{GROUP}) %{CONFIG_DIR} +%dir %attr(750, %{USER}, %{GROUP}) %{LIB_DIR} +%dir %attr(750, %{USER}, %{GROUP}) %{LOG_DIR} + 
+%config(noreplace) %attr(0660, root, %{GROUP}) "/etc/sysconfig/%{name}" + +%config(missingok) /etc/init.d/%{name} +%attr(0640, root, root) %{SYS_DIR}/sysctl.d/%{name}.conf +%attr(0640, root, root) %{SYS_DIR}/systemd/system/%{name}.service +%attr(0640, root, root) %{SYS_DIR}/systemd/system/%{name}-performance-analyzer.service +%attr(0640, root, root) %{SYS_DIR}/tmpfiles.d/%{name}.conf + + +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/*.txt +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-job-scheduler/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-job-scheduler/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-job-scheduler/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-ml/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-ml/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-ml/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-ml/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-security/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-security/*.jar +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-security/tools/ +%attr(740, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-security/tools/*.sh +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-security/tools/*.md +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-security/tools/*.yml +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-security/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-security/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-index-management/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-index-management/*.jar +%attr(640, %{USER}, 
%{GROUP}) %{INSTALL_DIR}/plugins/opensearch-index-management/*.txt +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-index-management/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-index-management/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-neural-search/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-neural-search/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-neural-search/*.txt +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-neural-search/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-neural-search/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-notifications/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-notifications/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-notifications/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-notifications/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-asynchronous-search/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-asynchronous-search/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-asynchronous-search/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-asynchronous-search/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-alerting/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-alerting/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-alerting/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-alerting/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-sql/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-sql/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-sql/*.txt +%attr(640, %{USER}, %{GROUP}) 
%{INSTALL_DIR}/plugins/opensearch-sql/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-sql/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-geospatial/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-geospatial/*.txt +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-geospatial/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-geospatial/*.properties +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-geospatial/*.policy +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-reports-scheduler/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-reports-scheduler/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-reports-scheduler/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-reports-scheduler/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-cross-cluster-replication/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-cross-cluster-replication/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-cross-cluster-replication/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-custom-codecs/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-custom-codecs/*.txt +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-custom-codecs/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-custom-codecs/*.properties +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-custom-codecs/*.policy +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-knn/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-knn/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-knn/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-knn/*.properties +%attr(640, %{USER}, %{GROUP}) 
%{INSTALL_DIR}/plugins/opensearch-knn/*.txt +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-knn/lib/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-knn/lib/*.so.1 +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-knn/lib/*.so +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-anomaly-detection/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-anomaly-detection/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-anomaly-detection/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-anomaly-detection/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-notifications-core/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-notifications-core/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-notifications-core/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-notifications-core/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-security-analytics/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-security-analytics/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-security-analytics/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-security-analytics/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-observability/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-observability/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-observability/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-observability/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-performance-analyzer/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-performance-analyzer/*.jar +%attr(640, %{USER}, %{GROUP}) 
%{INSTALL_DIR}/plugins/opensearch-performance-analyzer/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-performance-analyzer/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/ingest-common/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/ingest-common/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/ingest-common/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/repository-url/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/repository-url/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/repository-url/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/repository-url/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/percolator/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/percolator/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/percolator/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/search-pipeline-common/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/search-pipeline-common/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/search-pipeline-common/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/opensearch-dashboards/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/opensearch-dashboards/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/opensearch-dashboards/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/lang-painless/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/lang-painless/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/lang-painless/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/lang-painless/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/analysis-common/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/analysis-common/*.jar +%attr(640, %{USER}, %{GROUP}) 
%{INSTALL_DIR}/modules/analysis-common/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/rank-eval/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/rank-eval/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/rank-eval/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/aggs-matrix-stats/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/aggs-matrix-stats/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/aggs-matrix-stats/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/geo/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/geo/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/geo/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/mapper-extras/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/mapper-extras/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/mapper-extras/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/ingest-user-agent/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/ingest-user-agent/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/ingest-user-agent/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/systemd/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/systemd/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/systemd/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/systemd/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/transport-netty4/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/transport-netty4/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/transport-netty4/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/transport-netty4/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/parent-join/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/parent-join/*.jar +%attr(640, %{USER}, %{GROUP}) 
%{INSTALL_DIR}/modules/parent-join/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/lang-mustache/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/lang-mustache/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/lang-mustache/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/lang-mustache/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/ingest-geoip/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/ingest-geoip/*.mmdb +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/ingest-geoip/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/ingest-geoip/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/ingest-geoip/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/reindex/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/reindex/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/reindex/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/reindex/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/reindex/transport-netty4/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/reindex/transport-netty4/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/reindex/transport-netty4/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/reindex/parent-join/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/reindex/parent-join/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/lang-expression/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/lang-expression/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/lang-expression/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/modules/lang-expression/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/lib/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/lib/tools/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/lib/tools/upgrade-cli/ +%attr(640, %{USER}, %{GROUP}) 
%{INSTALL_DIR}/lib/tools/upgrade-cli/*.jar +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/lib/tools/plugin-cli/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/lib/tools/plugin-cli/*.jar +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/lib/tools/keystore-cli/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/lib/tools/keystore-cli/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/lib/*.jar +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/man/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/man/man1/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/man/man1/*.1 +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/jmods/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/jmods/*.jmod +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/NOTICE +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/include/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/include/*.h +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/include/linux/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/include/linux/*.h +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/*.cfg +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/*.so +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/jspawnhelper +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/*.properties.ja +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/*.dat +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/*.properties +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/*.sym +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/classlist +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/*.jar +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/jexec +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/security/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/security/*.certs +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/security/*.policy +%attr(640, 
%{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/security/cacerts +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/security/*.dat +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/modules +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/server/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/server/*.so +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/server/*.jsa +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/jfr/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/lib/jfr/*.jfc +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/bin/ +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/bin/* +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/release +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.instrument/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.net/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.crypto.cryptoki/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.crypto.cryptoki/*.md +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.security.auth/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.smartcardio/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.smartcardio/*.md +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.zipfs/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.localedata/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.localedata/*.md +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.prefs/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.dynalink/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.dynalink/*.md +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.jpackage/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.management/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.internal.jvmstat/ +%dir 
%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.xml.crypto/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.xml.crypto/*.md +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.net.http/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.unsupported/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.datatransfer/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.jdi/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.incubator.vector/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.charsets/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.management.jfr/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.accessibility/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.jartool/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.security.sasl/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.internal.ed/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.editpad/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.httpserver/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.base/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.base/*.md +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.base/ASSEMBLY_EXCEPTION +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.base/ADDITIONAL_LICENSE_INFO +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.base/LICENSE +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.jcmd/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.internal.opt/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.internal.opt/*.md +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.scripting/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.xml/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.xml/*.md +%dir 
%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.jdeps/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.jstatd/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.management.agent/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.random/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.sctp/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.sql/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.nio.mapmode/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.hotspot.agent/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.attach/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.naming/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.management/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.sql.rowset/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.rmi/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.internal.vm.compiler/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.unsupported.desktop/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.logging/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.security.jgss/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.internal.vm.compiler.management/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.jfr/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.transaction.xa/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.crypto.ec/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.internal.vm.ci/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.naming.rmi/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.xml.dom/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.internal.le/ +%attr(640, %{USER}, %{GROUP}) 
%{INSTALL_DIR}/jdk/legal/jdk.internal.le/*.md +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.jsobject/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.jdwp.agent/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.se/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.compiler/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.incubator.foreign/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.jshell/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.javadoc/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.javadoc/*.md +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.compiler/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.security.jgss/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.jconsole/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.naming.dns/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.management.rmi/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.desktop/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/java.desktop/*.md +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/legal/jdk.jlink/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/security/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/security/*.policy +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/security/*.security +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/security/policy/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/security/policy/limited/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/security/policy/limited/*.policy +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/security/policy/unlimited/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/security/policy/unlimited/*.policy +%attr(640, %{USER}, %{GROUP}) 
%{INSTALL_DIR}/jdk/conf/security/policy/*.txt +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/sdp/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/sdp/*.template +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/management/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/management/*.access +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/management/*.properties +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/jdk/conf/management/*.template +%dir %attr(750, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-security/ +%config(noreplace) %attr(640, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-security/*.yml +%config(noreplace) %attr(640, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-security/*.example +%dir %attr(750, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-notifications/ +%attr(640, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-notifications/*.yml +%config(noreplace) %attr(660, %{USER}, %{GROUP}) %{CONFIG_DIR}/jvm.options +%dir %attr(750, %{USER}, %{GROUP}) %{CONFIG_DIR}/jvm.options.d/ +%dir %attr(750, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-reports-scheduler/ +%attr(660, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-reports-scheduler/*.yml +%config(noreplace) %attr(660, %{USER}, %{GROUP}) %{CONFIG_DIR}/*.properties +%dir %attr(750, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-notifications-core/ +%attr(640, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-notifications-core/*.yml +%config(noreplace) %attr(660, %{USER}, %{GROUP}) %{CONFIG_DIR}/*.yml +%dir %attr(750, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-observability/ +%attr(660, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-observability/*.yml +%dir %attr(750, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-performance-analyzer/ +%attr(640, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-performance-analyzer/agent-stats-metadata +%attr(640, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-performance-analyzer/*.conf +%attr(640, 
%{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-performance-analyzer/*.xml +%attr(640, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-performance-analyzer/*.properties +%attr(640, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-performance-analyzer/plugin-stats-metadata +%attr(640, %{USER}, %{GROUP}) %{CONFIG_DIR}/opensearch-performance-analyzer/*.policy +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/performance-analyzer-rca/ +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/performance-analyzer-rca/config/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/performance-analyzer-rca/config/agent-stats-metadata +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/performance-analyzer-rca/config/*.conf +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/performance-analyzer-rca/config/*.xml +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/performance-analyzer-rca/config/*.properties +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/performance-analyzer-rca/config/plugin-stats-metadata +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/performance-analyzer-rca/config/*.policy +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/performance-analyzer-rca/lib/ +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/performance-analyzer-rca/lib/*.jar +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/performance-analyzer-rca/bin/ +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/performance-analyzer-rca/bin/performance-analyzer-agent +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/performance-analyzer-rca/bin/performance-analyzer-rca +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/ +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/opensearch-cli +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/systemd-entrypoint +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/opensearch-upgrade +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/opensearch-shard +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/opensearch +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/opensearch-plugin +%attr(750, %{USER}, %{GROUP}) 
%{INSTALL_DIR}/bin/opensearch-node +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/opensearch-env +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/opensearch-env-from-file +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/indexer-security-init.sh +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/opensearch-keystore +%dir %attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/opensearch-performance-analyzer/ +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/opensearch-performance-analyzer/performance-analyzer-agent-cli +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/opensearch-performance-analyzer/performance-analyzer-agent +%attr(440, %{USER}, %{GROUP}) %{INSTALL_DIR}/VERSION +%attr(750, %{USER}, %{GROUP}) %{INSTALL_DIR}/bin/indexer-security-init.sh +%attr(640, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-security/tools/config.yml +%attr(740, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-security/tools/wazuh-certs-tool.sh +%attr(740, %{USER}, %{GROUP}) %{INSTALL_DIR}/plugins/opensearch-security/tools/wazuh-passwords-tool.sh + + +%changelog +* Thu Aug 15 2024 support - 4.9.1 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-9-1.html +* Thu Aug 15 2024 support - 4.9.0 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-9-0.html +* Tue Jan 30 2024 support - 4.8.1 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-8-1.html +* Fri Dec 15 2023 support - 4.8.0 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-8-0.html +* Tue Dec 05 2023 support - 4.7.1 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-7-1.html +* Tue Nov 21 2023 support - 4.7.0 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-7-0.html +* Tue Oct 31 2023 support - 4.6.0 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-6-0.html +* Tue Oct 24 2023 support - 4.5.4 +- More info: 
https://documentation.wazuh.com/current/release-notes/release-4-5-4.html +* Tue Oct 10 2023 support - 4.5.3 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-5-3.html +* Thu Aug 31 2023 support - 4.5.2 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-5-2.html +* Thu Aug 24 2023 support - 4.5.1 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-5.1.html +* Thu Aug 10 2023 support - 4.5.0 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-5-0.html +* Mon Jul 10 2023 support - 4.4.5 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-4-5.html +* Tue Jun 13 2023 support - 4.4.4 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-4-4.html +* Thu May 25 2023 support - 4.4.3 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-4-3.html +* Mon May 08 2023 support - 4.4.2 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-4-2.html +* Mon Apr 17 2023 support - 4.4.1 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-4-1.html +* Wed Jan 18 2023 support - 4.4.0 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-4-0.html +* Thu Nov 10 2022 support - 4.3.10 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-10.html +* Mon Oct 03 2022 support - 4.3.9 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-9.html +* Mon Sep 19 2022 support - 4.3.8 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-8.html +* Mon Aug 08 2022 support - 4.3.7 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-7.html +* Thu Jul 07 2022 support - 4.3.6 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-6.html +* Wed Jun 29 2022 support - 4.3.5 +- More info: 
https://documentation.wazuh.com/current/release-notes/release-4-3-5.html +* Tue Jun 07 2022 support - 4.3.4 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-4.html +* Tue May 31 2022 support - 4.3.3 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-3.html +* Mon May 30 2022 support - 4.3.2 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-2.html +* Wed May 18 2022 support - 4.3.1 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-1.html +* Thu May 05 2022 support - 4.3.0 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-0.html diff --git a/distribution/packages/src/rpm/wazuh-indexer.rpm.spec b/distribution/packages/src/rpm/wazuh-indexer.rpm.spec new file mode 100644 index 0000000000000..e9420754c1136 --- /dev/null +++ b/distribution/packages/src/rpm/wazuh-indexer.rpm.spec 
@@ -0,0 +1,347 @@ +# Copyright OpenSearch Contributors +# SPDX-License-Identifier: Apache-2.0 +# +# The OpenSearch Contributors require contributions made to +# this file be licensed under the Apache-2.0 license or a +# compatible open source license. + +# No build, no debuginfo +%define debug_package %{nil} + +# Disable brp-java-repack-jars, so jars will not be decompressed and repackaged +%define __jar_repack 0 + +# Generate digests, 8 means algorithm of sha256 +# This is different from rpm sig algorithm +# Requires rpm version 4.12 + to generate but b/c run on older versions +%define _source_filedigest_algorithm 8 +%define _binary_filedigest_algorithm 8 + +# Fixed in Fedora: +# https://www.endpointdev.com/blog/2011/10/rpm-building-fedoras-sharedstatedir/ +%define _sharedstatedir /var/lib + +# User Define Variables +%define product_dir %{_datadir}/%{name} +%define config_dir %{_sysconfdir}/%{name} +%define data_dir %{_sharedstatedir}/%{name} +%define log_dir %{_localstatedir}/log/%{name} +%define pid_dir %{_localstatedir}/run/%{name} +%define tmp_dir %{log_dir}/tmp +%{!?_version: %define _version 0.0.0 } +%{!?_architecture: %define _architecture x86_64 } + +Name: wazuh-indexer +Version: %{_version} +Release: %{_release} +License: Apache-2.0 +Summary: An open source distributed and RESTful search engine +URL: https://www.wazuh.com/ +Vendor: Wazuh, Inc +Packager: Wazuh, Inc +Group: Application/Internet +ExclusiveArch: %{_architecture} +AutoReqProv: no + +%description +Wazuh indexer is a near real-time full-text search and analytics engine that +gathers security-related data into one platform. This Wazuh central component +indexes and stores alerts generated by the Wazuh server. Wazuh indexer can be +configured as a single-node or multi-node cluster, providing scalability and +high availability. +For more information, see: https://www.wazuh.com/ + +%prep +# No-op. We are using dir so no need to setup. 
+ +%build + +%define observability_plugin %( if [ -f %{_topdir}/etc/wazuh-indexer/opensearch-observability/observability.yml ]; then echo "1" ; else echo "0"; fi ) +%define reportsscheduler_plugin %( if [ -f %{_topdir}/etc/wazuh-indexer/wazuh-indexer-reports-scheduler/reports-scheduler.yml ]; then echo "1" ; else echo "0"; fi ) + +%install +set -e +cd %{_topdir} && pwd + +# Create necessary directories +mkdir -p %{buildroot}%{pid_dir} +mkdir -p %{buildroot}%{product_dir}/plugins +mkdir -p %{buildroot}%{tmp_dir} + +# Install directories/files +cp -a etc usr var %{buildroot} +chmod 0755 %{buildroot}%{product_dir}/bin/* +if [ -d %{buildroot}%{product_dir}/plugins/opensearch-security ]; then + chmod 0755 %{buildroot}%{product_dir}/plugins/opensearch-security/tools/* +fi + +# Pre-populate the folders to ensure rpm build success even without all plugins +mkdir -p %{buildroot}%{config_dir}/opensearch-observability +mkdir -p %{buildroot}%{config_dir}/wazuh-indexer-reports-scheduler +mkdir -p %{buildroot}%{product_dir}/performance-analyzer-rca + +# Pre-populate PA configs if not present +if [ ! -f %{buildroot}%{data_dir}/rca_enabled.conf ]; then + echo 'true' > %{buildroot}%{data_dir}/rca_enabled.conf +fi +if [ ! -f %{buildroot}%{data_dir}/performance_analyzer_enabled.conf ]; then + echo 'true' > %{buildroot}%{data_dir}/performance_analyzer_enabled.conf +fi + +# Build a filelist to be included in the %files section +echo '%defattr(640, %{name}, %{name}, 750)' > filelist.txt +find %{buildroot} -type d >> filelist.txt +sed -i 's|%{buildroot}|%%dir |' filelist.txt +find %{buildroot} -type f >> filelist.txt +sed -i 's|%{buildroot}||' filelist.txt + +# The %install section gets executed under a dash shell, +# which doesn't have array structures. 
+# Below, we are building a list of directories +# which will later be excluded from filelist.txt +set -- "%%dir %{_sysconfdir}" +set -- "$@" "%%dir %{_sysconfdir}/sysconfig" +set -- "$@" "%%dir %{_sysconfdir}/init.d" +set -- "$@" "%%dir /usr" +set -- "$@" "%%dir /usr/lib" +set -- "$@" "%%dir /usr/lib/systemd/system" +set -- "$@" "%%dir /usr/lib/tmpfiles.d" +set -- "$@" "%%dir /usr/share" +set -- "$@" "%%dir /var" +set -- "$@" "%%dir /var/run" +set -- "$@" "%%dir /var/run/%{name}" +set -- "$@" "%%dir /run" +set -- "$@" "%%dir /var/lib" +set -- "$@" "%%dir /var/log" +set -- "$@" "%%dir /usr/lib/sysctl.d" +set -- "$@" "%%dir /usr/lib/systemd" +set -- "$@" "%{_sysconfdir}/sysconfig/%{name}" +set -- "$@" "%{config_dir}/log4j2.properties" +set -- "$@" "%{config_dir}/jvm.options" +set -- "$@" "%{config_dir}/opensearch.yml" +set -- "$@" "%{product_dir}/VERSION" +set -- "$@" "%{product_dir}/plugins/opensearch-security/tools/.*\.sh" +set -- "$@" "%{product_dir}/bin/.*" +set -- "$@" "%{product_dir}/jdk/bin/.*" +set -- "$@" "%{product_dir}/jdk/lib/jspawnhelper" +set -- "$@" "%{product_dir}/jdk/lib/modules" +set -- "$@" "%{product_dir}/performance-analyzer-rca/bin/.*" +set -- "$@" "%{product_dir}/NOTICE.txt" +set -- "$@" "%{product_dir}/README.md" +set -- "$@" "%{product_dir}/LICENSE.txt" +set -- "$@" "%{_prefix}/lib/systemd/system/%{name}.service" +set -- "$@" "%{_prefix}/lib/systemd/system/%{name}-performance-analyzer.service" +set -- "$@" "%{_sysconfdir}/init.d/%{name}" +set -- "$@" "%{_sysconfdir}/sysconfig/%{name}" +set -- "$@" "%{_prefix}/lib/sysctl.d/%{name}.conf" +set -- "$@" "%{_prefix}/lib/tmpfiles.d/%{name}.conf" +set -- "$@" "%%dir %{product_dir}/bin/opensearch-performance-analyzer" + +# Check if we are including the observability and reports scheduler +# plugins +if [ %observability_plugin -eq 1 ]; then + set -- "$@" "%{config_dir}/opensearch-observability/observability.yml" +fi + +if [ %reportsscheduler_plugin -eq 1 ]; then + set -- "$@" 
"%{config_dir}/wazuh-indexer-reports-scheduler/reports-scheduler.yml" +fi + +for i in "$@" +do + sed -ri "\|^$i$|d" filelist.txt +done + +# Change Permissions +chmod -Rf a+rX,u+w,g-w,o-w %{buildroot}/* +exit 0 + +%pre +set -e +# Stop existing service +if command -v systemctl >/dev/null && systemctl is-active %{name}.service >/dev/null; then + echo "Stop existing %{name}.service" + systemctl --no-reload stop %{name}.service + touch %{tmp_dir}/wazuh-indexer.restart +fi +if command -v systemctl >/dev/null && systemctl is-active %{name}-performance-analyzer.service >/dev/null; then + echo "Stop existing %{name}-performance-analyzer.service" + systemctl --no-reload stop %{name}-performance-analyzer.service +fi +# Create user and group if they do not already exist. +getent group %{name} > /dev/null 2>&1 || groupadd -r %{name} +getent passwd %{name} > /dev/null 2>&1 || \ + useradd -r -g %{name} -M -s /sbin/nologin \ + -c "%{name} user/group" %{name} +exit 0 + +%post +set -e +chown -R %{name}:%{name} %{config_dir} +chown -R %{name}:%{name} %{log_dir} + +# Apply PerformanceAnalyzer Settings +chmod a+rw /tmp +if ! 
grep -q '## OpenSearch Performance Analyzer' %{config_dir}/jvm.options; then + # Add Performance Analyzer settings in %{config_dir}/jvm.options + CLK_TCK=`/usr/bin/getconf CLK_TCK` + echo >> %{config_dir}/jvm.options + echo '## OpenSearch Performance Analyzer' >> %{config_dir}/jvm.options + echo "-Dclk.tck=$CLK_TCK" >> %{config_dir}/jvm.options + echo "-Djdk.attach.allowAttachSelf=true" >> %{config_dir}/jvm.options + echo "-Djava.security.policy=file://%{config_dir}/opensearch-performance-analyzer/opensearch_security.policy" >> %{config_dir}/jvm.options + echo "--add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED" >> %{config_dir}/jvm.options +fi +# Reload systemctl daemon +if command -v systemctl > /dev/null; then + systemctl daemon-reload +fi +# Reload other configs +if command -v systemctl > /dev/null; then + systemctl restart systemd-sysctl.service || true +fi + +if command -v systemd-tmpfiles > /dev/null; then + systemd-tmpfiles --create %{name}.conf +fi + +if [ -f %{tmp_dir}/wazuh-indexer.restart ]; then + rm -f %{tmp_dir}/wazuh-indexer.restart + if command -v systemctl > /dev/null; then + echo "Restarting wazuh-indexer service..." 
+ systemctl restart wazuh-indexer.service > /dev/null 2>&1 + exit 0 + fi +fi + +# Messages +echo "### NOT starting on installation, please execute the following statements to configure wazuh-indexer service to start automatically using systemd" +echo " sudo systemctl daemon-reload" +echo " sudo systemctl enable wazuh-indexer.service" +echo "### You can start wazuh-indexer service by executing" +echo " sudo systemctl start wazuh-indexer.service" +exit 0 + +%preun +set -e +if command -v systemctl >/dev/null && systemctl is-active %{name}.service >/dev/null; then + echo "Stop existing %{name}.service" + systemctl --no-reload stop %{name}.service +fi +if command -v systemctl >/dev/null && systemctl is-active %{name}-performance-analyzer.service >/dev/null; then + echo "Stop existing %{name}-performance-analyzer.service" + systemctl --no-reload stop %{name}-performance-analyzer.service +fi +exit 0 + +%files -f %{_topdir}/filelist.txt +%defattr(640, %{name}, %{name}, 750) + +%doc %{product_dir}/NOTICE.txt +%doc %{product_dir}/README.md +%license %{product_dir}/LICENSE.txt + +# Service files +%attr(0644, root, root) %{_prefix}/lib/systemd/system/%{name}.service +%attr(0644, root, root) %{_prefix}/lib/systemd/system/%{name}-performance-analyzer.service +%attr(0750, root, root) %{_sysconfdir}/init.d/%{name} +%attr(0644, root, root) %config(noreplace) %{_prefix}/lib/sysctl.d/%{name}.conf +%attr(0644, root, root) %config(noreplace) %{_prefix}/lib/tmpfiles.d/%{name}.conf + + +# Configuration files +%config(noreplace) %attr(0660, root, %{name}) "%{_sysconfdir}/sysconfig/%{name}" +%config(noreplace) %attr(660, %{name}, %{name}) %{config_dir}/log4j2.properties +%config(noreplace) %attr(660, %{name}, %{name}) %{config_dir}/jvm.options +%config(noreplace) %attr(660, %{name}, %{name}) %{config_dir}/opensearch.yml +%config(noreplace) %attr(640, %{name}, %{name}) %{config_dir}/opensearch-security/* + + +%if %observability_plugin +%config(noreplace) %attr(660, %{name}, %{name}) 
%{config_dir}/opensearch-observability/observability.yml +%endif + +%if %reportsscheduler_plugin +%config(noreplace) %attr(660, %{name}, %{name}) %{config_dir}/wazuh-indexer-reports-scheduler/reports-scheduler.yml +%endif + + +# Files that need other permissions +%attr(440, %{name}, %{name}) %{product_dir}/VERSION +%attr(740, %{name}, %{name}) %{product_dir}/plugins/opensearch-security/tools/*.sh +%attr(750, %{name}, %{name}) %{product_dir}/bin/* +%attr(750, %{name}, %{name}) %{product_dir}/jdk/bin/* +%attr(750, %{name}, %{name}) %{product_dir}/jdk/lib/jspawnhelper +%attr(750, %{name}, %{name}) %{product_dir}/jdk/lib/modules +%attr(750, %{name}, %{name}) %{product_dir}/performance-analyzer-rca/bin/* + +%changelog +* Mon Jun 23 2025 support - 5.0.0 +- More info: https://documentation.wazuh.com/current/release-notes/release-5.0.0-0.html +* Tue Feb 20 2025 support - 4.10.2 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-10-2.html +* Tue Jan 28 2025 support - 4.10.1 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-10-1.html +* Thu Nov 28 2024 support - 4.10.0 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-10-0.html +* Mon Nov 04 2024 support - 4.9.2 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-9-2.html +* Tue Oct 15 2024 support - 4.9.1 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-9-1.html +* Thu Aug 15 2024 support - 4.9.0 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-9-0.html +* Tue Jan 30 2024 support - 4.8.1 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-8-1.html +* Fri Dec 15 2023 support - 4.8.0 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-8-0.html +* Tue Dec 05 2023 support - 4.7.1 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-7-1.html +* Tue Nov 21 2023 support - 4.7.0 +- More info: 
https://documentation.wazuh.com/current/release-notes/release-4-7-0.html +* Tue Oct 31 2023 support - 4.6.0 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-6-0.html +* Tue Oct 24 2023 support - 4.5.4 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-5-4.html +* Tue Oct 10 2023 support - 4.5.3 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-5-3.html +* Thu Aug 31 2023 support - 4.5.2 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-5-2.html +* Thu Aug 24 2023 support - 4.5.1 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-5.1.html +* Thu Aug 10 2023 support - 4.5.0 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-5-0.html +* Mon Jul 10 2023 support - 4.4.5 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-4-5.html +* Tue Jun 13 2023 support - 4.4.4 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-4-4.html +* Thu May 25 2023 support - 4.4.3 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-4-3.html +* Mon May 08 2023 support - 4.4.2 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-4-2.html +* Mon Apr 17 2023 support - 4.4.1 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-4-1.html +* Wed Jan 18 2023 support - 4.4.0 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-4-0.html +* Thu Nov 10 2022 support - 4.3.10 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-10.html +* Mon Oct 03 2022 support - 4.3.9 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-9.html +* Mon Sep 19 2022 support - 4.3.8 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-8.html +* Mon Aug 08 2022 support - 4.3.7 +- More info: 
https://documentation.wazuh.com/current/release-notes/release-4-3-7.html +* Thu Jul 07 2022 support - 4.3.6 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-6.html +* Wed Jun 29 2022 support - 4.3.5 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-5.html +* Tue Jun 07 2022 support - 4.3.4 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-4.html +* Tue May 31 2022 support - 4.3.3 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-3.html +* Mon May 30 2022 support - 4.3.2 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-2.html +* Wed May 18 2022 support - 4.3.1 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-1.html +* Thu May 05 2022 support - 4.3.0 +- More info: https://documentation.wazuh.com/current/release-notes/release-4-3-0.html +- Initial package diff --git a/distribution/src/bin/indexer-security-init.sh b/distribution/src/bin/indexer-security-init.sh new file mode 100644 index 0000000000000..b46eb3e47dabd --- /dev/null +++ b/distribution/src/bin/indexer-security-init.sh 
@@ -0,0 +1,189 @@ +#!/bin/bash + +# Wazuh-indexer securityadmin wrapper +# Copyright (C) 2022, Wazuh Inc. +# +# This program is a free software; you can redistribute it +# and/or modify it under the terms of the GNU General Public +# License (version 2) as published by the FSF - Free Software +# Foundation. + +CONFIG_PATH="/etc/wazuh-indexer" + +if [ ! -d "${CONFIG_PATH}" ]; then + echo "ERROR: it was not possible to find ${CONFIG_PATH}" + exit 1 +fi + +CONFIG_FILE="${CONFIG_PATH}/opensearch.yml" + +if [ ! -f "${CONFIG_FILE}" ]; then + echo "ERROR: it was not possible to find ${CONFIG_FILE}" + exit 1 +fi + +INSTALL_PATH="/usr/share/wazuh-indexer" + +if [ ! -d "${INSTALL_PATH}" ]; then + echo "ERROR: it was not possible to find ${INSTALL_PATH}" + exit 1 +fi + +HOST="" +OPTIONS="-icl -nhnv" +WAZUH_INDEXER_ROOT_CA="$(cat ${CONFIG_FILE} 2>&1 | grep http.pemtrustedcas | sed 's/.*: //' | tr -d "[\"\']")" +WAZUH_INDEXER_ADMIN_PATH="$(dirname "${WAZUH_INDEXER_ROOT_CA}" 2>&1)" +SECURITY_PATH="${INSTALL_PATH}/plugins/opensearch-security" +SECURITY_CONFIG_PATH="${CONFIG_PATH}/opensearch-security" + +# ----------------------------------------------------------------------------- + +trap ctrl_c INT + +clean(){ + + exit_code=$1 + indexer_process_id=$(pgrep -f wazuh-indexer -c) + if [ "${indexer_process_id}" -gt 1 ]; then + pkill -n -f wazuh-indexer + fi + exit "${exit_code}" + +} + +ctrl_c() { + clean 1 +} + +# ----------------------------------------------------------------------------- + +getNetworkHost() { + + HOST=$(grep -hr "network.host:" "${CONFIG_FILE}" 2>&1) + NH="network.host: " + HOST="${HOST//$NH}" + HOST=$(echo "${HOST}" | tr -d "[\"\']") + + isIP=$(echo "${HOST}" | grep -P "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$") + isDNS=$(echo "${HOST}" | grep -P "^[a-zA-Z0-9][a-zA-Z0-9-]{1,61}[a-zA-Z0-9](?:\.[a-zA-Z]{2,})+$") + + # Allow to find ip with an interface + if [ -z "${isIP}" ] && [ -z "${isDNS}" ]; then + interface="${HOST//_}" + HOST=$(ip -o -4 addr list 
"${interface}" | awk '{print $4}' | cut -d/ -f1) + fi + + if [ "${HOST}" = "0.0.0.0" ]; then + HOST="127.0.0.1" + fi + + if [ -z "${HOST}" ]; then + echo "ERROR: network host not valid, check ${CONFIG_FILE}" + exit 1 + fi + +} + +# ----------------------------------------------------------------------------- +getPort() { + + PORT=$(grep -hr 'transport.tcp.port' "${CONFIG_FILE}" 2>&1) + if [ "${PORT}" ]; then + PORT=$(echo "${PORT}" | cut -d' ' -f2 | cut -d'-' -f1) + else + PORT="9200" + fi + PORT=$(echo "${PORT}" | tr -d "[\"\']") + +} +# ----------------------------------------------------------------------------- + +securityadmin() { + + if [ ! -d "${SECURITY_PATH}" ]; then + echo "ERROR: it was not possible to find ${SECURITY_PATH}" + exit 1 + elif [ ! -d "${INSTALL_PATH}/jdk" ]; then + echo "ERROR: it was not possible to find ${INSTALL_PATH}/jdk" + exit 1 + fi + + if [ -f "${WAZUH_INDEXER_ADMIN_PATH}/admin.pem" ] && [ -f "${WAZUH_INDEXER_ADMIN_PATH}/admin-key.pem" ] && [ -f "${WAZUH_INDEXER_ROOT_CA}" ]; then + OPENSEARCH_CONF_DIR="${CONFIG_PATH}" JAVA_HOME="${INSTALL_PATH}/jdk" runuser wazuh-indexer --shell="/bin/bash" --command="${SECURITY_PATH}/tools/securityadmin.sh -cd ${SECURITY_CONFIG_PATH} -cacert ${WAZUH_INDEXER_ROOT_CA} -cert ${WAZUH_INDEXER_ADMIN_PATH}/admin.pem -key ${WAZUH_INDEXER_ADMIN_PATH}/admin-key.pem -h ${HOST} -p ${PORT} ${OPTIONS}" + else + echo "ERROR: this tool try to find admin.pem and admin-key.pem in ${WAZUH_INDEXER_ADMIN_PATH} but it couldn't. In this case, you must run manually the Indexer security initializer by running the command: JAVA_HOME="/usr/share/wazuh-indexer/jdk" runuser wazuh-indexer --shell="/bin/bash" --command="/usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -cd /etc/wazuh-indexer/opensearch-security -cacert /path/to/root-ca.pem -cert /path/to/admin.pem -key /path/to/admin-key.pem -h ${HOST} -p ${PORT} ${OPTIONS}" replacing /path/to/ by your certificates path." 
+ exit 1 + fi + +} + +help() { + echo + echo "Usage: $0 [OPTIONS]" + echo + echo " -ho, --host [Optional] Target IP or DNS to configure security." + echo " --port [Optional] wazuh-indexer security port." + echo " --options [Optional] Custom securityadmin options." + echo " -h, --help Show this help." + echo + exit "$1" +} + + +main() { + + getNetworkHost + getPort + + while [ -n "$1" ] + do + case "$1" in + "-h"|"--help") + help 0 + ;; + "-ho"|"--host") + if [ -n "$2" ]; then + HOST="$2" + HOST=$(echo "${HOST}" | tr -d "[\"\']") + isIP=$(echo "${2}" | grep -P "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$") + isDNS=$(echo "${2}" | grep -P "^[a-zA-Z0-9][a-zA-Z0-9-]{1,61}[a-zA-Z0-9](?:\.[a-zA-Z]{2,})+$") + if [[ -z "${isIP}" ]] && [[ -z "${isDNS}" ]]; then + echo "The given information does not match with an IP address or a DNS." + exit 1 + fi + shift 2 + else + help 1 + fi + ;; + "--port") + if [ -n "$2" ]; then + PORT="$2" + PORT=$(echo "${PORT}" | tr -d "[\"\']") + if [[ -z $(echo "${2}" | grep -P "^([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$") ]]; then + echo "The given information does not match with a valid PORT number." + exit 1 + fi + shift 2 + else + help 1 + fi + ;; + "--options") + if [ -n "$2" ]; then + OPTIONS="$2" + shift 2 + else + help 1 + fi + ;; + *) + help 1 + esac + done + + securityadmin + +} + +main "$@" diff --git a/distribution/src/config/jvm.prod.options b/distribution/src/config/jvm.prod.options new file mode 100644 index 0000000000000..9a116b52d314c --- /dev/null +++ b/distribution/src/config/jvm.prod.options 
@@ -0,0 +1,93 @@ +## JVM configuration + +################################################################ +## IMPORTANT: JVM heap size +################################################################ +## +## You should always set the min and max JVM heap +## size to the same value. For example, to set +## the heap to 4 GB, set: +## +## -Xms4g +## -Xmx4g +## +## See https://opensearch.org/docs/opensearch/install/important-settings/ +## for more information +## +################################################################ + +# Xms represents the initial size of total heap space +# Xmx represents the maximum size of total heap space + +-Xms1g +-Xmx1g + +################################################################ +## Expert settings +################################################################ +## +## All settings below this section are considered +## expert settings. Don't tamper with them unless +## you understand what you are doing +## +################################################################ + +## GC configuration +8-10:-XX:+UseConcMarkSweepGC +8-10:-XX:CMSInitiatingOccupancyFraction=75 +8-10:-XX:+UseCMSInitiatingOccupancyOnly + +## G1GC Configuration +# NOTE: G1 GC is only supported on JDK version 10 or later +# to use G1GC, uncomment the next two lines and update the version on the +# following three lines to your version of the JDK +# 10:-XX:-UseConcMarkSweepGC +# 10:-XX:-UseCMSInitiatingOccupancyOnly +11-:-XX:+UseG1GC +11-:-XX:G1ReservePercent=25 +11-:-XX:InitiatingHeapOccupancyPercent=30 + +## JVM temporary directory +-Djava.io.tmpdir=${OPENSEARCH_TMPDIR} + +## heap dumps + +# generate a heap dump when an allocation from the Java heap fails +# heap dumps are created in the working directory of the JVM +-XX:+HeapDumpOnOutOfMemoryError + +# specify an alternative path for heap dumps; ensure the directory exists and +# has sufficient space +-XX:HeapDumpPath=/var/lib/wazuh-indexer + +# specify an alternative path for JVM fatal error logs 
+-XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log + +## JDK 8 GC logging +8:-XX:+PrintGCDetails +8:-XX:+PrintGCDateStamps +8:-XX:+PrintTenuringDistribution +8:-XX:+PrintGCApplicationStoppedTime +8:-Xloggc:/var/log/wazuh-indexer/gc.log +8:-XX:+UseGCLogFileRotation +8:-XX:NumberOfGCLogFiles=32 +8:-XX:GCLogFileSize=64m + +# JDK 9+ GC logging +9-:-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m + +# Explicitly allow security manager (https://bugs.openjdk.java.net/browse/JDK-8270380) +18-:-Djava.security.manager=allow + +# JDK 20+ Incubating Vector Module for SIMD optimizations; +# disabling may reduce performance on vector optimized lucene +20:--add-modules=jdk.incubator.vector + +# HDFS ForkJoinPool.common() support by SecurityManager +-Djava.util.concurrent.ForkJoinPool.common.threadFactory=org.opensearch.secure_sm.SecuredForkJoinWorkerThreadFactory + +## OpenSearch Performance Analyzer +-Dclk.tck=100 +-Djdk.attach.allowAttachSelf=true +-Djava.security.policy=file:///etc/wazuh-indexer/opensearch-performance-analyzer/opensearch_security.policy +--add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED \ No newline at end of file diff --git a/distribution/src/config/opensearch.prod.yml b/distribution/src/config/opensearch.prod.yml new file mode 100644 index 0000000000000..f1ab49d914c97 --- /dev/null +++ b/distribution/src/config/opensearch.prod.yml 
@@ -0,0 +1,39 @@ +network.host: "0.0.0.0" +node.name: "node-1" +cluster.initial_master_nodes: +- "node-1" +#- "node-2" +#- "node-3" +cluster.name: "wazuh-cluster" +#discovery.seed_hosts: +# - "node-1-ip" +# - "node-2-ip" +# - "node-3-ip" +node.max_local_storage_nodes: "3" +path.data: /var/lib/wazuh-indexer +path.logs: /var/log/wazuh-indexer + +plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem +plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem +plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem +plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/indexer.pem +plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/indexer-key.pem +plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem +plugins.security.ssl.http.enabled: true +plugins.security.ssl.transport.enforce_hostname_verification: false +plugins.security.ssl.transport.resolve_hostname: false + +plugins.security.authcz.admin_dn: +- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" +plugins.security.check_snapshot_restore_write_privileges: true +plugins.security.enable_snapshot_restore_privilege: true +plugins.security.nodes_dn: +- "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US" +#- "CN=node-2,OU=Wazuh,O=Wazuh,L=California,C=US" +#- "CN=node-3,OU=Wazuh,O=Wazuh,L=California,C=US" +plugins.security.restapi.roles_enabled: +- "all_access" +- "security_rest_api_access" + +plugins.security.system_indices.enabled: true +plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", 
".replication-metadata-store"] diff --git a/distribution/src/config/security/internal_users.yml b/distribution/src/config/security/internal_users.yml new file mode 100644 index 0000000000000..44ae613e8bb19 --- /dev/null +++ b/distribution/src/config/security/internal_users.yml @@ -0,0 +1,63 @@ +--- +# This is the internal user database +# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh + +_meta: + type: "internalusers" + config_version: 2 + +# Define your internal users here + +## Demo users + +admin: + hash: "$2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG" + reserved: true + backend_roles: + - "admin" + description: "Demo admin user" + +anomalyadmin: + hash: "$2y$12$TRwAAJgnNo67w3rVUz4FIeLx9Dy/llB79zf9I15CKJ9vkM4ZzAd3." + reserved: false + opendistro_security_roles: + - "anomaly_full_access" + description: "Demo anomaly admin user, using internal role" + +kibanaserver: + hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H." + reserved: true + description: "Demo OpenSearch Dashboards user" + +kibanaro: + hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC" + reserved: false + backend_roles: + - "kibanauser" + - "readall" + attributes: + attribute1: "value1" + attribute2: "value2" + attribute3: "value3" + description: "Demo read only user, using external role mapping" + +logstash: + hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2" + reserved: false + backend_roles: + - "logstash" + description: "Demo logstash user, using external role mapping" + +readall: + hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2" + reserved: false + backend_roles: + - "readall" + description: "Demo readall user, using external role mapping" + +snapshotrestore: + hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W" + reserved: false + backend_roles: + - "snapshotrestore" + description: "Demo snapshotrestore user, using external role mapping" 
diff --git a/distribution/src/config/security/roles.yml b/distribution/src/config/security/roles.yml new file mode 100644 index 0000000000000..20b372b778efb --- /dev/null +++ b/distribution/src/config/security/roles.yml 
@@ -0,0 +1,393 @@ +_meta: + type: "roles" + config_version: 2 + +# Restrict users so they can only view visualization and dashboard on OpenSearchDashboards +kibana_read_only: + reserved: true + +# The security REST API access role is used to assign specific users access to change the security settings through the REST API. +security_rest_api_access: + reserved: true + +security_rest_api_full_access: + reserved: true + cluster_permissions: + - 'restapi:admin/actiongroups' + - 'restapi:admin/allowlist' + - 'restapi:admin/config/update' + - 'restapi:admin/internalusers' + - 'restapi:admin/nodesdn' + - 'restapi:admin/roles' + - 'restapi:admin/rolesmapping' + - 'restapi:admin/ssl/certs/info' + - 'restapi:admin/ssl/certs/reload' + - 'restapi:admin/tenants' + +# Allows users to view monitors, destinations and alerts +alerting_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/alerting/alerts/get' + - 'cluster:admin/opendistro/alerting/destination/get' + - 'cluster:admin/opendistro/alerting/monitor/get' + - 'cluster:admin/opendistro/alerting/monitor/search' + - 'cluster:admin/opensearch/alerting/findings/get' + - 'cluster:admin/opensearch/alerting/workflow/get' + - 'cluster:admin/opensearch/alerting/workflow_alerts/get' + +# Allows users to view and acknowledge alerts +alerting_ack_alerts: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/alerting/alerts/*' + - 'cluster:admin/opendistro/alerting/chained_alerts/*' + - 'cluster:admin/opendistro/alerting/workflow_alerts/*' + +# Allows users to use all alerting functionality +alerting_full_access: + reserved: true + cluster_permissions: + - 'cluster_monitor' + - 'cluster:admin/opendistro/alerting/*' + - 'cluster:admin/opensearch/alerting/*' + - 'cluster:admin/opensearch/notifications/feature/publish' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices_monitor' + - 'indices:admin/aliases/get' + - 'indices:admin/mappings/get' + +# Allow users to 
read Anomaly Detection detectors and results +anomaly_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/ad/detector/info' + - 'cluster:admin/opendistro/ad/detector/search' + - 'cluster:admin/opendistro/ad/detectors/get' + - 'cluster:admin/opendistro/ad/result/search' + - 'cluster:admin/opendistro/ad/tasks/search' + - 'cluster:admin/opendistro/ad/detector/validate' + - 'cluster:admin/opendistro/ad/result/topAnomalies' + +# Allows users to use all Anomaly Detection functionality +anomaly_full_access: + reserved: true + cluster_permissions: + - 'cluster_monitor' + - 'cluster:admin/opendistro/ad/*' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices_monitor' + - 'indices:admin/aliases/get' + - 'indices:admin/mappings/get' + +# Allow users to execute read only k-NN actions +knn_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/knn_search_model_action' + - 'cluster:admin/knn_get_model_action' + - 'cluster:admin/knn_stats_action' + +# Allow users to use all k-NN functionality +knn_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/knn_training_model_action' + - 'cluster:admin/knn_training_job_router_action' + - 'cluster:admin/knn_training_job_route_decision_info_action' + - 'cluster:admin/knn_warmup_action' + - 'cluster:admin/knn_delete_model_action' + - 'cluster:admin/knn_remove_model_from_cache_action' + - 'cluster:admin/knn_update_model_graveyard_action' + - 'cluster:admin/knn_search_model_action' + - 'cluster:admin/knn_get_model_action' + - 'cluster:admin/knn_stats_action' + +# Allow users to execute read only ip2geo datasource action +ip2geo_datasource_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/geospatial/datasource/get' + +# Allow users to use all ip2geo datasource action +ip2geo_datasource_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/geospatial/datasource/*' + +# Allows users to read Notebooks 
+notebooks_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/notebooks/list' + - 'cluster:admin/opendistro/notebooks/get' + +# Allows users to all Notebooks functionality +notebooks_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/notebooks/create' + - 'cluster:admin/opendistro/notebooks/update' + - 'cluster:admin/opendistro/notebooks/delete' + - 'cluster:admin/opendistro/notebooks/get' + - 'cluster:admin/opendistro/notebooks/list' + +# Allows users to read observability objects +observability_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/observability/get' + +# Allows users to all Observability functionality +observability_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/observability/create' + - 'cluster:admin/opensearch/observability/update' + - 'cluster:admin/opensearch/observability/delete' + - 'cluster:admin/opensearch/observability/get' + +# Allows users to all PPL functionality +ppl_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/ppl' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices:admin/mappings/get' + - 'indices:data/read/search*' + - 'indices:monitor/settings/get' + +# Allows users to read and download Reports +reports_instances_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/reports/instance/list' + - 'cluster:admin/opendistro/reports/instance/get' + - 'cluster:admin/opendistro/reports/menu/download' + +# Allows users to read and download Reports and Report-definitions +reports_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/reports/definition/get' + - 'cluster:admin/opendistro/reports/definition/list' + - 'cluster:admin/opendistro/reports/instance/list' + - 'cluster:admin/opendistro/reports/instance/get' + - 'cluster:admin/opendistro/reports/menu/download' + +# Allows users to all 
Reports functionality +reports_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/reports/definition/create' + - 'cluster:admin/opendistro/reports/definition/update' + - 'cluster:admin/opendistro/reports/definition/on_demand' + - 'cluster:admin/opendistro/reports/definition/delete' + - 'cluster:admin/opendistro/reports/definition/get' + - 'cluster:admin/opendistro/reports/definition/list' + - 'cluster:admin/opendistro/reports/instance/list' + - 'cluster:admin/opendistro/reports/instance/get' + - 'cluster:admin/opendistro/reports/menu/download' + +# Allows users to use all asynchronous-search functionality +asynchronous_search_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/asynchronous_search/*' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices:data/read/search*' + +# Allows users to read stored asynchronous-search results +asynchronous_search_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opendistro/asynchronous_search/get' + +# Allows user to use all index_management actions - ism policies, rollups, transforms +index_management_full_access: + reserved: true + cluster_permissions: + - "cluster:admin/opendistro/ism/*" + - "cluster:admin/opendistro/rollup/*" + - "cluster:admin/opendistro/transform/*" + - "cluster:admin/opensearch/controlcenter/lron/*" + - "cluster:admin/opensearch/notifications/channels/get" + - "cluster:admin/opensearch/notifications/feature/publish" + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices:admin/opensearch/ism/*' + +# Allows users to use all cross cluster replication functionality at leader cluster +cross_cluster_replication_leader_full_access: + reserved: true + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - "indices:admin/plugins/replication/index/setup/validate" + - "indices:data/read/plugins/replication/changes" + - 
"indices:data/read/plugins/replication/file_chunk" + +# Allows users to use all cross cluster replication functionality at follower cluster +cross_cluster_replication_follower_full_access: + reserved: true + cluster_permissions: + - "cluster:admin/plugins/replication/autofollow/update" + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - "indices:admin/plugins/replication/index/setup/validate" + - "indices:data/write/plugins/replication/changes" + - "indices:admin/plugins/replication/index/start" + - "indices:admin/plugins/replication/index/pause" + - "indices:admin/plugins/replication/index/resume" + - "indices:admin/plugins/replication/index/stop" + - "indices:admin/plugins/replication/index/update" + - "indices:admin/plugins/replication/index/status_check" + +# Allows users to use all cross cluster search functionality at remote cluster +cross_cluster_search_remote_full_access: + reserved: true + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices:admin/shards/search_shards' + - 'indices:data/read/search' + +# Allow users to read ML stats/models/tasks +ml_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/ml/stats/nodes' + - 'cluster:admin/opensearch/ml/model_groups/search' + - 'cluster:admin/opensearch/ml/models/get' + - 'cluster:admin/opensearch/ml/models/search' + - 'cluster:admin/opensearch/ml/tasks/get' + - 'cluster:admin/opensearch/ml/tasks/search' + +# Allows users to use all ML functionality +ml_full_access: + reserved: true + cluster_permissions: + - 'cluster_monitor' + - 'cluster:admin/opensearch/ml/*' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices_monitor' + +# Allows users to use all Notifications functionality +notifications_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/notifications/*' + +# Allows users to read Notifications config/channels +notifications_read_access: + reserved: true + 
cluster_permissions: + - 'cluster:admin/opensearch/notifications/configs/get' + - 'cluster:admin/opensearch/notifications/features' + - 'cluster:admin/opensearch/notifications/channels/get' + +# Allows users to use all snapshot management functionality +snapshot_management_full_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/snapshot_management/*' + - 'cluster:admin/opensearch/notifications/feature/publish' + - 'cluster:admin/repository/*' + - 'cluster:admin/snapshot/*' + +# Allows users to see snapshots, repositories, and snapshot management policies +snapshot_management_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/snapshot_management/policy/get' + - 'cluster:admin/opensearch/snapshot_management/policy/search' + - 'cluster:admin/opensearch/snapshot_management/policy/explain' + - 'cluster:admin/repository/get' + - 'cluster:admin/snapshot/get' + +# Allows user to use point in time functionality +point_in_time_full_access: + reserved: true + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'manage_point_in_time' + +# Allows users to see security analytics detectors and others +security_analytics_read_access: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/securityanalytics/alerts/get' + - 'cluster:admin/opensearch/securityanalytics/correlations/findings' + - 'cluster:admin/opensearch/securityanalytics/correlations/list' + - 'cluster:admin/opensearch/securityanalytics/detector/get' + - 'cluster:admin/opensearch/securityanalytics/detector/search' + - 'cluster:admin/opensearch/securityanalytics/findings/get' + - 'cluster:admin/opensearch/securityanalytics/mapping/get' + - 'cluster:admin/opensearch/securityanalytics/mapping/view/get' + - 'cluster:admin/opensearch/securityanalytics/rule/get' + - 'cluster:admin/opensearch/securityanalytics/rule/search' + +# Allows users to use all security analytics functionality +security_analytics_full_access: + reserved: true + 
cluster_permissions: + - 'cluster:admin/opensearch/securityanalytics/alerts/*' + - 'cluster:admin/opensearch/securityanalytics/correlations/*' + - 'cluster:admin/opensearch/securityanalytics/detector/*' + - 'cluster:admin/opensearch/securityanalytics/findings/*' + - 'cluster:admin/opensearch/securityanalytics/mapping/*' + - 'cluster:admin/opensearch/securityanalytics/rule/*' + index_permissions: + - index_patterns: + - '*' + allowed_actions: + - 'indices:admin/mapping/put' + - 'indices:admin/mappings/get' + +# Allows users to view and acknowledge alerts +security_analytics_ack_alerts: + reserved: true + cluster_permissions: + - 'cluster:admin/opensearch/securityanalytics/alerts/*' + +# Wazuh monitoring and statistics index permissions +manage_wazuh_index: + reserved: true + hidden: false + cluster_permissions: [] + index_permissions: + - index_patterns: + - "wazuh-*" + dls: "" + fls: [] + masked_fields: [] + allowed_actions: + - "read" + - "delete" + - "manage" + - "index" + tenant_permissions: [] + static: false diff --git a/distribution/src/config/security/roles_mapping.yml b/distribution/src/config/security/roles_mapping.yml new file mode 100644 index 0000000000000..e4f7628780f68 --- /dev/null +++ b/distribution/src/config/security/roles_mapping.yml 
@@ -0,0 +1,87 @@ +--- +# In this file users, backendroles and hosts can be mapped to Open Distro Security roles. +# Permissions for Opendistro roles are configured in roles.yml + +_meta: + type: "rolesmapping" + config_version: 2 + +# Define your roles mapping here + +## Default roles mapping + +all_access: + reserved: true + hidden: false + backend_roles: + - "admin" + hosts: [] + users: [] + and_backend_roles: [] + description: "Maps admin to all_access" + +own_index: + reserved: false + hidden: false + backend_roles: [] + hosts: [] + users: + - "*" + and_backend_roles: [] + description: "Allow full access to an index named like the username" + +logstash: + reserved: false + hidden: false + backend_roles: + - "logstash" + hosts: [] + users: [] + and_backend_roles: [] + +readall: + reserved: true + hidden: false + backend_roles: + - "readall" + hosts: [] + users: [] + and_backend_roles: [] + +manage_snapshots: + reserved: true + hidden: false + backend_roles: + - "snapshotrestore" + hosts: [] + users: [] + and_backend_roles: [] + +kibana_server: + reserved: true + hidden: false + backend_roles: [] + hosts: [] + users: + - "kibanaserver" + and_backend_roles: [] + +kibana_user: + reserved: false + hidden: false + backend_roles: + - "kibanauser" + hosts: [] + users: [] + and_backend_roles: [] + description: "Maps kibanauser to kibana_user" + +# Wazuh monitoring and statistics index permissions +manage_wazuh_index: + reserved: true + hidden: false + backend_roles: [] + hosts: [] + users: + - "kibanaserver" + and_backend_roles: [] \ No newline at end of file diff --git a/docker/README.md b/docker/README.md new file mode 100644 index 0000000000000..7a92a51b13b38 --- /dev/null +++ b/docker/README.md 
@@ -0,0 +1,55 @@ +# Docker environments + +Multipurpose Docker environments to run, test and build `wazuh-indexer`. + +## Pre-requisites + +1. Install [Docker][docker] as per its instructions. + +1. Your workstation must meet the minimum hardware requirements: + + - 8 GB of RAM (minimum) + - 4 cores + + The more resources the better ☺ + +1. Clone the [wazuh-indexer][wi-repo]. + +## Development environments + +Use the `dev/dev.sh` script to start a development environment. + +Example: + +```bash +Usage: ./dev.sh {up|down|stop} +``` + +Once the `wi-dev:x.y.z` container is up, attach a shell to it and run `./gradlew run` to start the application. + +## Containers to generate packages + +Use the `ci/ci.sh` script to start provisioned containers to generate packages. + +```bash +Usage: ./ci.sh {up|down|stop} +``` + +Refer to [build-scripts/README.md](../build-scripts/README.md) for details about how to build packages. + +[docker]: https://docs.docker.com/engine/install +[wi-repo]: https://github.com/wazuh/wazuh-indexer + +## Building Docker images + +The [prod](./prod) folder contains the code to build Docker images. A tarball of `wazuh-indexer` needs to be located at the same level that the Dockerfile. Below there is an example of the command needed to build the image. Set the build arguments and the image tag accordingly. + +```console +docker build --build-arg="VERSION=5.0.0" --build-arg="INDEXER_TAR_NAME=wazuh-indexer-5.0.0-1_linux-x64_cfca84f.tar.gz" --tag=wazuh-indexer:5.0.0 --progress=plain --no-cache . +``` + +Then, start a container with: + +```console +docker run -it --rm wazuh-indexer:5.0.0 +``` diff --git a/docker/ci/ci.sh b/docker/ci/ci.sh new file mode 100755 index 0000000000000..13e84c0881b3f --- /dev/null +++ b/docker/ci/ci.sh 
@@ -0,0 +1,62 @@ +#!/bin/bash + +# Start container with required tools to build packages +# Requires Docker +# Script usage: bash ./ci.sh + +set -e + +# ==== +# Checks that the script is run from the intended location +# ==== +function check_project_root_folder() { + current=$(basename "$(pwd)") + + if [[ "$0" != "./ci.sh" && "$0" != "ci.sh" ]]; then + echo "Run the script from its location" + usage + exit 1 + fi + # Change working directory to the root of the repository + cd ../.. +} + +# ==== +# Displays usage +# ==== +function usage() { + echo "Usage: ./ci.sh {up|down|stop}" +} + +# ==== +# Main function +# ==== +function main() { + check_project_root_folder "$@" + compose_file="docker/${current}/ci.yml" + compose_cmd="docker compose -f $compose_file" + REPO_PATH=$(pwd) + VERSION=$(cat VERSION) + export REPO_PATH + export VERSION + + case $1 in + up) + # Main folder created here to grant access to both containers + mkdir -p artifacts + $compose_cmd up -d + ;; + down) + $compose_cmd down + ;; + stop) + $compose_cmd stop + ;; + *) + usage + exit 1 + ;; + esac +} + +main "$@" diff --git a/docker/ci/ci.yml b/docker/ci/ci.yml new file mode 100644 index 0000000000000..ccf902af07734 --- /dev/null +++ b/docker/ci/ci.yml 
@@ -0,0 +1,28 @@ +services: + # Essentially wi-dev, but doesn't expose port 9200 + wi-build: + image: wi-build:${VERSION} + container_name: wi-build_${VERSION} + build: + context: ./../.. + dockerfile: ${REPO_PATH}/docker/dev/images/Dockerfile + volumes: + - ${REPO_PATH}:/home/wazuh-indexer + entrypoint: ["tail", "-f", "/dev/null"] + user: "1000:1000" + working_dir: /home/wazuh-indexer + + wi-assemble: + image: wi-assemble:${VERSION} + container_name: wi-assemble_${VERSION} + build: + context: ./../.. + dockerfile: ${REPO_PATH}/docker/ci/images/Dockerfile + volumes: + - ${REPO_PATH}/build-scripts:/home/wazuh-indexer/build-scripts + - ${REPO_PATH}/artifacts:/home/wazuh-indexer/artifacts + - ${REPO_PATH}/distribution/packages/src:/home/wazuh-indexer/distribution/packages/src + - ${REPO_PATH}/buildSrc:/home/wazuh-indexer/buildSrc + entrypoint: ["tail", "-f", "/dev/null"] + user: "1000:1000" + working_dir: /home/wazuh-indexer diff --git a/docker/ci/images/.dockerignore b/docker/ci/images/.dockerignore new file mode 100644 index 0000000000000..96d12ad527ea5 --- /dev/null +++ b/docker/ci/images/.dockerignore 
@@ -0,0 +1,68 @@ +artifacts/ +.git/ + +# intellij files +.idea/ +*.iml +*.ipr +*.iws +build-idea/ +out/ + +# include shared intellij config +!.idea/inspectionProfiles/Project_Default.xml +!.idea/runConfigurations/Debug_OpenSearch.xml +!.idea/vcs.xml + +# These files are generated in the main tree by annotation processors +benchmarks/src/main/generated/* +benchmarks/bin/* +benchmarks/build-eclipse-default/* +server/bin/* +server/build-eclipse-default/* +test/framework/build-eclipse-default/* + +# eclipse files +.project +.classpath +.settings +build-eclipse/ + +# netbeans files +nb-configuration.xml +nbactions.xml + +# gradle stuff +.gradle/ +build/ + +# vscode stuff +.vscode/ + +# testing stuff +**/.local* +.vagrant/ +/logs/ + +# osx stuff +.DS_Store + +# default folders in which the create_bwc_index.py expects to find old es versions in +/backwards +/dev-tools/backwards + +# needed in case docs build is run...maybe we can configure doc build to generate files under build? +html_docs + +# random old stuff that we should look at the necessity of... +/tmp/ +eclipse-build + +# projects using testfixtures +testfixtures_shared/ + +# These are generated from .ci/jobs.t +.ci/jobs/ + +# build files generated +doc-tools/missing-doclet/bin/ \ No newline at end of file diff --git a/docker/ci/images/Dockerfile b/docker/ci/images/Dockerfile new file mode 100644 index 0000000000000..8704d1a25d83b --- /dev/null +++ b/docker/ci/images/Dockerfile 
@@ -0,0 +1,17 @@ +FROM ubuntu:jammy +RUN mkdir /home/wazuh-indexer && \ + apt-get update -y && \ + apt-get install curl gnupg2 -y && \ + curl -o- https://www.aptly.info/pubkey.txt | apt-key add - && \ + echo "deb http://repo.aptly.info/ squeeze main" | tee -a /etc/apt/sources.list.d/aptly.list && \ + apt-get update -y && \ + apt-get upgrade -y && \ + apt-get install -y aptly build-essential cpio debhelper-compat debmake freeglut3 libasound2 libatk-bridge2.0-0 libatk1.0-0 libatspi2.0-dev libcairo2 libcairo2-dev libcups2 libdrm2 libgbm-dev libgconf-2-4 libnspr4 libnspr4-dev libnss3 libpangocairo-1.0-0 libxcomposite-dev libxdamage1 libxfixes-dev libxfixes3 libxi6 libxkbcommon-x11-0 libxrandr2 libxrender1 libxtst6 rpm rpm2cpio maven && \ + apt-get clean -y && \ + dpkg -r lintian && \ + addgroup --gid 1000 wazuh-indexer && \ + adduser --uid 1000 --ingroup wazuh-indexer --disabled-password --home /home/wazuh-indexer wazuh-indexer && \ + chmod 0775 /home/wazuh-indexer && \ + chown -R 1000:1000 /home/wazuh-indexer +USER wazuh-indexer +WORKDIR /home/wazuh-indexer diff --git a/docker/dev/dev.sh b/docker/dev/dev.sh new file mode 100755 index 0000000000000..f20b7359c9206 --- /dev/null +++ b/docker/dev/dev.sh 
@@ -0,0 +1,60 @@ +#!/bin/bash + +# Attaches the project as a volume to a JDK 17 container +# Requires Docker +# Script usage: bash ./dev.sh + +set -e + +# ==== +# Checks that the script is run from the intended location +# ==== +function check_project_root_folder() { + current=$(basename "$(pwd)") + + if [[ "$0" != "./dev.sh" && "$0" != "dev.sh" ]]; then + echo "Run the script from its location" + usage + exit 1 + fi + # Change working directory to the root of the repository + cd ../.. +} + +# ==== +# Displays usage +# ==== +function usage() { + echo "Usage: ./dev.sh {up|down|stop}" +} + +# ==== +# Main function +# ==== +function main() { + check_project_root_folder "$@" + compose_file="docker/${current}/dev.yml" + compose_cmd="docker compose -f $compose_file" + REPO_PATH=$(pwd) + VERSION=$(cat VERSION) + export REPO_PATH + export VERSION + + case $1 in + up) + $compose_cmd up -d + ;; + down) + $compose_cmd down + ;; + stop) + $compose_cmd stop + ;; + *) + usage + exit 1 + ;; + esac +} + +main "$@" diff --git a/docker/dev/dev.yml b/docker/dev/dev.yml new file mode 100644 index 0000000000000..b485c66f8fc71 --- /dev/null +++ b/docker/dev/dev.yml @@ -0,0 +1,17 @@ +services: + wi-dev: + image: wi-dev:${VERSION} + container_name: wi-dev_${VERSION} + build: + context: ${REPO_PATH} + dockerfile: ${REPO_PATH}/docker/dev/images/Dockerfile + ports: + # OpenSearch REST API + - 9200:9200 + expose: + - 9200 + volumes: + - ${REPO_PATH}:/home/wazuh-indexer + entrypoint: ["tail", "-f", "/dev/null"] + user: "1000:1000" + working_dir: /home/wazuh-indexer diff --git a/docker/dev/images/.dockerignore b/docker/dev/images/.dockerignore new file mode 100644 index 0000000000000..96d12ad527ea5 --- /dev/null +++ b/docker/dev/images/.dockerignore 
@@ -0,0 +1,68 @@ +artifacts/ +.git/ + +# intellij files +.idea/ +*.iml +*.ipr +*.iws +build-idea/ +out/ + +# include shared intellij config +!.idea/inspectionProfiles/Project_Default.xml +!.idea/runConfigurations/Debug_OpenSearch.xml +!.idea/vcs.xml + +# These files are generated in the main tree by annotation processors +benchmarks/src/main/generated/* +benchmarks/bin/* +benchmarks/build-eclipse-default/* +server/bin/* +server/build-eclipse-default/* +test/framework/build-eclipse-default/* + +# eclipse files +.project +.classpath +.settings +build-eclipse/ + +# netbeans files +nb-configuration.xml +nbactions.xml + +# gradle stuff +.gradle/ +build/ + +# vscode stuff +.vscode/ + +# testing stuff +**/.local* +.vagrant/ +/logs/ + +# osx stuff +.DS_Store + +# default folders in which the create_bwc_index.py expects to find old es versions in +/backwards +/dev-tools/backwards + +# needed in case docs build is run...maybe we can configure doc build to generate files under build? +html_docs + +# random old stuff that we should look at the necessity of... +/tmp/ +eclipse-build + +# projects using testfixtures +testfixtures_shared/ + +# These are generated from .ci/jobs.t +.ci/jobs/ + +# build files generated +doc-tools/missing-doclet/bin/ \ No newline at end of file diff --git a/docker/dev/images/Dockerfile b/docker/dev/images/Dockerfile new file mode 100644 index 0000000000000..e34202688c492 --- /dev/null +++ b/docker/dev/images/Dockerfile 
@@ -0,0 +1,20 @@ +FROM gradle:8.7.0-jdk21-alpine AS builder +USER gradle +WORKDIR /home/wazuh-indexer +COPY --chown=gradle:gradle . /home/wazuh-indexer +RUN gradle clean + + +FROM eclipse-temurin:21-jdk-alpine +RUN apk add git && \ + apk add curl && \ + apk add bash && \ + addgroup -g 1000 wazuh-indexer && \ + adduser -u 1000 -G wazuh-indexer -D -h /home/wazuh-indexer wazuh-indexer && \ + chmod 0775 /home/wazuh-indexer && \ + chown -R 1000:0 /home/wazuh-indexer +USER wazuh-indexer +COPY --from=builder --chown=1000:0 /home/wazuh-indexer /home/wazuh-indexer +WORKDIR /home/wazuh-indexer +RUN git config --global --add safe.directory /home/wazuh-indexer +EXPOSE 9200 9300 diff --git a/docker/prod/Dockerfile b/docker/prod/Dockerfile new file mode 100644 index 0000000000000..256cad3ac2b8a --- /dev/null +++ b/docker/prod/Dockerfile 
@@ -0,0 +1,78 @@ +# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2) +FROM amazonlinux:2023.3.20240219.0 AS builder + +ARG VERSION +ARG INDEXER_TAR_NAME + +RUN yum install openssl tar findutils shadow-utils -y + +COPY ${INDEXER_TAR_NAME} / + +COPY config/opensearch.yml / + +COPY config/config.yml / + +COPY config/config.sh / + +RUN bash config.sh + +################################################################################ +# Build stage 1 (the actual Wazuh indexer image): +# +# Copy wazuh-indexer from stage 0 +# Add entrypoint + +################################################################################ +FROM amazonlinux:2023.3.20240219.0 + +ENV USER="wazuh-indexer" \ + GROUP="wazuh-indexer" \ + NAME="wazuh-indexer" \ + INSTALL_DIR="/usr/share/wazuh-indexer" + +RUN yum install curl-minimal shadow-utils findutils hostname -y + +RUN getent group $GROUP || groupadd -r -g 1000 $GROUP + +RUN useradd --system \ + --uid 1000 \ + --no-create-home \ + --home-dir $INSTALL_DIR \ + --gid $GROUP \ + --shell /sbin/nologin \ + --comment "$USER user" \ + $USER + +WORKDIR $INSTALL_DIR + +COPY entrypoint.sh / + +COPY config/securityadmin.sh / + +RUN chmod 700 /entrypoint.sh && chmod 700 /securityadmin.sh + +RUN chown 1000:1000 /*.sh + +COPY --from=builder --chown=1000:1000 /debian/wazuh-indexer/usr/share/wazuh-indexer /usr/share/wazuh-indexer +COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/systemd /usr/lib/systemd +COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/sysctl.d /usr/lib/sysctl.d +COPY --from=builder --chown=0:0 /debian/wazuh-indexer/usr/lib/tmpfiles.d /usr/lib/tmpfiles.d + +RUN chown -R 1000:1000 /usr/share/wazuh-indexer + +RUN mkdir -p /var/lib/wazuh-indexer && chown 1000:1000 /var/lib/wazuh-indexer && \ + mkdir -p /usr/share/wazuh-indexer/logs && chown 1000:1000 /usr/share/wazuh-indexer/logs && \ + mkdir -p /run/wazuh-indexer && chown 1000:1000 /run/wazuh-indexer && \ + mkdir -p /var/log/wazuh-indexer && chown 
1000:1000 /var/log/wazuh-indexer && \ + chmod 700 /usr/share/wazuh-indexer && \ + chmod 600 /usr/share/wazuh-indexer/config/jvm.options && \ + chmod 600 /usr/share/wazuh-indexer/config/opensearch.yml + +USER wazuh-indexer + +# Services ports +EXPOSE 9200 + +ENTRYPOINT ["/entrypoint.sh"] +# Dummy overridable parameter parsed by entrypoint +CMD ["opensearchwrapper"] \ No newline at end of file diff --git a/docker/prod/config/config.sh b/docker/prod/config/config.sh new file mode 100644 index 0000000000000..016fa89b28b00 --- /dev/null +++ b/docker/prod/config/config.sh 
@@ -0,0 +1,64 @@ +#!/bin/bash + +# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2) +# This has to be exported to make some magic below work. +export DH_OPTIONS + +export NAME=wazuh-indexer +export TARGET_DIR=${CURDIR}/debian/${NAME} + +# Package build options +export LOG_DIR=/var/log/${NAME} +export LIB_DIR=/var/lib/${NAME} +export PID_DIR=/run/${NAME} +export INDEXER_HOME=/usr/share/${NAME} +export CONFIG_DIR=${INDEXER_HOME}/config +export BASE_DIR=${NAME}-* + +rm -rf ${INDEXER_HOME:?}/ +tar -xf "${INDEXER_TAR_NAME}" + +## TOOLS + +## Variables +TOOLS_PATH=${NAME}-${VERSION}/plugins/opensearch-security/tools +CERT_TOOL=${TOOLS_PATH}/wazuh-certs-tool.sh + +# generate certificates +cp $CERT_TOOL . +chmod 755 wazuh-certs-tool.sh && bash wazuh-certs-tool.sh -A + +# copy to target +mkdir -p ${TARGET_DIR}${INDEXER_HOME} +# mkdir -p ${TARGET_DIR}${INDEXER_HOME}/opensearch-security/ <-- empty dir +mkdir -p ${TARGET_DIR}${CONFIG_DIR} +mkdir -p ${TARGET_DIR}${LIB_DIR} +mkdir -p ${TARGET_DIR}${LOG_DIR} +mkdir -p ${TARGET_DIR}/etc/init.d +mkdir -p ${TARGET_DIR}/etc/default +mkdir -p ${TARGET_DIR}/usr/lib/tmpfiles.d +mkdir -p ${TARGET_DIR}/usr/lib/sysctl.d +mkdir -p ${TARGET_DIR}/usr/lib/systemd/system +mkdir -p ${TARGET_DIR}${CONFIG_DIR}/certs +# Copy installation files to final location +cp -pr ${BASE_DIR}/* ${TARGET_DIR}${INDEXER_HOME} +cp -pr /opensearch.yml ${TARGET_DIR}${CONFIG_DIR} +# Copy Wazuh indexer's certificates +cp -pr /wazuh-certificates/demo.indexer.pem ${TARGET_DIR}${CONFIG_DIR}/certs/indexer.pem +cp -pr /wazuh-certificates/demo.indexer-key.pem ${TARGET_DIR}${CONFIG_DIR}/certs/indexer-key.pem +cp -pr /wazuh-certificates/root-ca.key ${TARGET_DIR}${CONFIG_DIR}/certs/root-ca.key +cp -pr /wazuh-certificates/root-ca.pem ${TARGET_DIR}${CONFIG_DIR}/certs/root-ca.pem +cp -pr /wazuh-certificates/admin.pem ${TARGET_DIR}${CONFIG_DIR}/certs/admin.pem +cp -pr /wazuh-certificates/admin-key.pem ${TARGET_DIR}${CONFIG_DIR}/certs/admin-key.pem + +# Set path to 
indexer home directory +sed -i 's/-Djava.security.policy=file:\/\/\/etc\/wazuh-indexer\/opensearch-performance-analyzer\/opensearch_security.policy/-Djava.security.policy=file:\/\/\/usr\/share\/wazuh-indexer\/opensearch-performance-analyzer\/opensearch_security.policy/g' ${TARGET_DIR}${CONFIG_DIR}/jvm.options + +chmod -R 500 ${TARGET_DIR}${CONFIG_DIR}/certs +chmod -R 400 ${TARGET_DIR}${CONFIG_DIR}/certs/* + +find ${TARGET_DIR} -type d -exec chmod 750 {} \; +find ${TARGET_DIR} -type f -perm 644 -exec chmod 640 {} \; +find ${TARGET_DIR} -type f -perm 664 -exec chmod 660 {} \; +find ${TARGET_DIR} -type f -perm 755 -exec chmod 750 {} \; +find ${TARGET_DIR} -type f -perm 744 -exec chmod 740 {} \; diff --git a/docker/prod/config/config.yml b/docker/prod/config/config.yml new file mode 100644 index 0000000000000..e5383c7c4f2eb --- /dev/null +++ b/docker/prod/config/config.yml @@ -0,0 +1,5 @@ +nodes: + # Wazuh indexer server nodes + indexer: + - name: demo.indexer + ip: demo.indexer \ No newline at end of file diff --git a/docker/prod/config/opensearch.yml b/docker/prod/config/opensearch.yml new file mode 100644 index 0000000000000..278b69d3144c8 --- /dev/null +++ b/docker/prod/config/opensearch.yml 
@@ -0,0 +1,26 @@ +network.host: "0.0.0.0" +node.name: "wazuh.indexer" +path.data: /var/lib/wazuh-indexer +path.logs: /var/log/wazuh-indexer +discovery.type: single-node +compatibility.override_main_response_version: true +plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/config/certs/indexer.pem +plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/config/certs/indexer-key.pem +plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/config/certs/root-ca.pem +plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/config/certs/indexer.pem +plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/config/certs/indexer-key.pem +plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/config/certs/root-ca.pem +plugins.security.ssl.http.enabled: true +plugins.security.ssl.transport.enforce_hostname_verification: false +plugins.security.ssl.transport.resolve_hostname: false +plugins.security.authcz.admin_dn: +- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" +plugins.security.check_snapshot_restore_write_privileges: true +plugins.security.enable_snapshot_restore_privilege: true +plugins.security.nodes_dn: +- "CN=demo.indexer,OU=Wazuh,O=Wazuh,L=California,C=US" +plugins.security.restapi.roles_enabled: +- "all_access" +- "security_rest_api_access" +plugins.security.system_indices.enabled: true +plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"] \ No newline at end of file 
diff --git a/docker/prod/config/securityadmin.sh b/docker/prod/config/securityadmin.sh new file mode 100644 index 0000000000000..3c60c1548e8a5 --- /dev/null +++ b/docker/prod/config/securityadmin.sh @@ -0,0 +1,11 @@ +#!/bin/bash + +# Initialize the `.opendistro_security` index. +sleep 30 +bash "$INDEXER_HOME"/plugins/opensearch-security/tools/securityadmin.sh \ + -cacert "$INDEXER_HOME"/config/certs/root-ca.pem \ + -cert "$INDEXER_HOME"/config/certs/admin.pem \ + -key "$INDEXER_HOME"/config/certs/admin-key.pem \ + -cd "$INDEXER_HOME"/config/opensearch-security/ \ + -nhnv \ + -icl diff --git a/docker/prod/entrypoint.sh b/docker/prod/entrypoint.sh new file mode 100644 index 0000000000000..05017dc4ba493 --- /dev/null +++ b/docker/prod/entrypoint.sh 
@@ -0,0 +1,98 @@ +#!/usr/bin/env bash +# Wazuh Docker Copyright (C) 2017, Wazuh Inc. (License GPLv2) +set -e + +umask 0002 + +# Constants +INDEXER_HOME=/usr/share/wazuh-indexer +OPENSEARCH_PATH_CONF=${INDEXER_HOME}/config +JAVA_HOME=${INDEXER_HOME}/jdk + +# DISCOVERY=$(grep -oP "(?<=discovery.type: ).*" ${OPENSEARCH_PATH_CONF}/opensearch.yml) + +# Export variables to environment +export INDEXER_HOME +export OPENSEARCH_PATH_CONF +export JAVA_HOME + +run_as_other_user_if_needed() { + if [[ "$(id -u)" == "0" ]]; then + # If running as root, drop to specified UID and run command + exec chroot --userspec=1000:0 / "${@}" + else + # Either we are running in Openshift with random uid and are a member of the root group + # or with a custom --user + exec "${@}" + fi +} + +# Allow user specify custom CMD, maybe bin/opensearch itself +# for example to directly specify `-E` style parameters for opensearch on k8s +# or simply to run /bin/bash to check the image +if [[ "$1" != "opensearchwrapper" ]]; then + if [[ "$(id -u)" == "0" && $(basename "$1") == "opensearch" ]]; then + # Rewrite CMD args to replace $1 with `opensearch` explicitly, + # Without this, user could specify `opensearch -E x.y=z` but + # `bin/opensearch -E x.y=z` would not work. + set -- "opensearch" "${@:2}" + # Use chroot to switch to UID 1000 / GID 0 + exec chroot --userspec=1000:0 / "$@" + else + # User probably wants to run something else, like /bin/bash, with another uid forced (Openshift?) + exec "$@" + fi +fi + +# Allow environment variables to be set by creating a file with the +# contents, and setting an environment variable with the suffix _FILE to +# point to it. This can be used to provide secrets to a container, without +# the values being specified explicitly when running the container. +# +# This is also sourced in opensearch-env, and is only needed here +# as well because we use INDEXER_PASSWORD below. Sourcing this script +# is idempotent. 
+source /usr/share/wazuh-indexer/bin/opensearch-env-from-file + +if [[ -f bin/opensearch-users ]]; then + # Check for the INDEXER_PASSWORD environment variable to set the + # bootstrap password for Security. + # + # This is only required for the first node in a cluster with Security + # enabled, but we have no way of knowing which node we are yet. We'll just + # honor the variable if it's present. + if [[ -n "$INDEXER_PASSWORD" ]]; then + [[ -f /usr/share/wazuh-indexer/opensearch.keystore ]] || (run_as_other_user_if_needed opensearch-keystore create) + if ! (run_as_other_user_if_needed opensearch-keystore has-passwd --silent); then + # keystore is unencrypted + if ! (run_as_other_user_if_needed opensearch-keystore list | grep -q '^bootstrap.password$'); then + (run_as_other_user_if_needed echo "$INDEXER_PASSWORD" | opensearch-keystore add -x 'bootstrap.password') + fi + else + # keystore requires password + if ! (run_as_other_user_if_needed echo "$KEYSTORE_PASSWORD" | + opensearch-keystore list | grep -q '^bootstrap.password$'); then + COMMANDS="$(printf "%s\n%s" "$KEYSTORE_PASSWORD" "$INDEXER_PASSWORD")" + (run_as_other_user_if_needed echo "$COMMANDS" | opensearch-keystore add -x 'bootstrap.password') + fi + fi + fi +fi + +if [[ "$(id -u)" == "0" ]]; then + # If requested and running as root, mutate the ownership of bind-mounts + if [[ -n "$TAKE_FILE_OWNERSHIP" ]]; then + chown -R 1000:0 /usr/share/wazuh-indexer/{data,logs} + fi +fi + +# Initialize security +nohup /securityadmin.sh & + +#if [[ "$DISCOVERY" == "single-node" ]] && [[ ! -f "/var/lib/wazuh-indexer/.flag" ]]; then +# run securityadmin.sh for single node with CACERT, CERT and KEY parameter +# nohup /securityadmin.sh & +# touch "/var/lib/wazuh-indexer/.flag" +#fi + +run_as_other_user_if_needed /usr/share/wazuh-indexer/bin/opensearch <<<"$KEYSTORE_PASSWORD" diff --git a/ecs/.gitignore b/ecs/.gitignore new file mode 100644 index 0000000000000..a8047fcd2d67d --- /dev/null +++ b/ecs/.gitignore 
@@ -0,0 +1,3 @@ +**/mappings +*.log +generatedData.json \ No newline at end of file diff --git a/ecs/README.md b/ecs/README.md new file mode 100644 index 0000000000000..6ba6641b64ce9 --- /dev/null +++ b/ecs/README.md 
@@ -0,0 +1,139 @@ +## ECS mappings generator + +This script generates the ECS mappings for the Wazuh indices. + +### Requirements + +- ECS repository clone. The script is meant to be launched from the root level of that repository. +- `Python` 3.6 or higher + `venv` module +- `jq` + +### Folder structure + +There is a folder for each module. Inside each folder, there is a `fields` folder with the required +files to generate the mappings. These are the inputs for the ECS generator. + +### Usage + +1. Get a copy of the ECS repository at the same level as the `wazuh-indexer` repo: + + ```console + git clone git@github.com:elastic/ecs.git + ``` + +2. Install the dependencies: + + ```console + cd ecs + python3 -m venv env + source env/bin/activate + pip install -r scripts/requirements.txt + ``` + +2. Copy the `generate.sh` script to the root level of the ECS repository. + + ```console + cp generate.sh ../../ecs + cd ../../ecs + bash generate.sh + ``` + + Expected output: + ``` + Usage: generate.sh [--upload ] + * ECS_VERSION: ECS version to generate mappings for + * INDEXER_SRC: Path to the wazuh-indexer repository + * MODULE: Module to generate mappings for + * --upload : Upload generated index template to the OpenSearch cluster. Defaults to https://localhost:9200 + Example: generate.sh v8.11.0 ~/wazuh-indexer vulnerability-detector --upload https://indexer:9200 + ``` + +3. Use the `generate.sh` script to generate the mappings for a module. The script takes 3 arguments, +plus 2 optional arguments to upload the mappings to the `wazuh-indexer`. Both, composable and legacy mappings +are generated. For example, to generate the mappings for the `vulnerability-detector` module using the + ECS version `v8.11.0` and assuming that path of this repository is `~/wazuh/wazuh-indexer`: + + ```bash + ./generate.sh v8.11.0 ~/wazuh/wazuh-indexer vulnerability-detector + ``` + + The tool will output the folder where they have been generated. 
+ + ```console + Loading schemas from git ref v8.11.0 + Running generator. ECS version 8.11.0 + Mappings saved to ~/wazuh/wazuh-indexer/ecs/vulnerability-detector/mappings/v8.11.0 + ``` + +4. When you are done. Exit the virtual environment. + + ```console + deactivate + ``` + +### Output + +A new `mappings` folder will be created inside the module folder, containing all the generated files. +The files are versioned using the ECS version, so different versions of the same module can be generated. +For our use case, the most important files are under `mappings//generated/elasticsearch/legacy/`: + +- `template.json`: Elasticsearch compatible index template for the module +- `opensearch-template.json`: OpenSearch compatible index template for the module + +The original output is `template.json`, which is not compatible with OpenSearch by default. In order +to make this template compatible with OpenSearch, the following changes are made: + +- The `order` property is renamed to `priority`. +- The `mappings` and `settings` properties are nested under the `template` property. + +The script takes care of these changes automatically, generating the `opensearch-template.json` file as a result. + +### Upload + +You can either upload the index template using cURL or the UI (dev tools). + +```bash +curl -u admin:admin -k -X PUT "https://indexer:9200/_index_template/wazuh-vulnerability-detector" -H "Content-Type: application/json" -d @opensearch-template.json +``` + +Notes: +- PUT and POST are interchangeable. +- The name of the index template does not matter. Any name can be used. +- Adjust credentials and URL accordingly. + +### Adding new mappings + +The easiest way to create mappings for a new module is to take a previous one as a base. +Copy a folder and rename it to the new module name. Then, edit the `fields` files to +match the new module fields. + +The name of the folder will be the name of the module to be passed to the script. All 3 files +are required. 
+ +- `fields/subset.yml`: This file contains the subset of ECS fields to be used for the module. +- `fields/template-settings-legacy.json`: This file contains the legacy template settings for the module. +- `fields/template-settings.json`: This file contains the composable template settings for the module. + +### Event generator + +For testing purposes, the script `generate_events.py` can be used to generate events for a given module. +Currently, it is only able to generate events for the `vulnerability-detector` module. To support other +modules, please extend of refactor the script. + +The script prompts for the required parameters, so it can be launched without arguments: + +```bash +./event_generator.py +``` + +The script will generate a JSON file with the events, and will also ask whether to upload them to the +indexer. If the upload option is selected, the script will ask for the indexer URL and port, credentials, +and index name. + +The script uses log file. Check it out for debugging or additional information. + +#### References + +- [ECS repository](https://github.com/elastic/ecs) +- [ECS usage](https://github.com/elastic/ecs/blob/main/USAGE.md) +- [ECS field reference](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html) diff --git a/ecs/agent/event-generator/event_generator.py b/ecs/agent/event-generator/event_generator.py new file mode 100644 index 0000000000000..f676f0176d444 --- /dev/null +++ b/ecs/agent/event-generator/event_generator.py 
@@ -0,0 +1,114 @@ +#!/bin/python3 + +import datetime +import random +import json +import requests +import warnings +import logging + +# Constants and Configuration +LOG_FILE = 'generate_data.log' +GENERATED_DATA_FILE = 'generatedData.json' +DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ" + +# Configure logging +logging.basicConfig(filename=LOG_FILE, level=logging.INFO) + +# Suppress warnings +warnings.filterwarnings("ignore") + + +def generate_random_date(): + start_date = datetime.datetime.now() + end_date = start_date - datetime.timedelta(days=10) + random_date = start_date + (end_date - start_date) * random.random() + return random_date.strftime(DATE_FORMAT) + + +def generate_random_agent(): + agent = { + 'id': f'agent{random.randint(0, 99)}', + 'name': f'Agent{random.randint(0, 99)}', + 'type': random.choice(['filebeat', 'windows', 'linux', 'macos']), + 'version': f'v{random.randint(0, 9)}-stable', + 'is_connected': random.choice([True, False]), + 'last_login': generate_random_date(), + 'groups': [f'group{random.randint(0, 99)}', f'group{random.randint(0, 99)}'], + 'key': f'key{random.randint(0, 999)}' + } + return agent + + +def generate_random_host(): + family = random.choice(['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL']) + version = f'{random.randint(0, 99)}.{random.randint(0, 99)}' + host = { + 'ip': f'{random.randint(1, 255)}.{random.randint(1, 255)}.{random.randint(1, 255)}.{random.randint(1, 255)}', + 'os': { + 'full': f'{family} {version}', + } + } + return host + + +def generate_random_data(number): + data = [] + for _ in range(number): + event_data = { + 'agent': generate_random_agent(), + 'host': generate_random_host(), + } + data.append(event_data) + return data + + +def inject_events(ip, port, index, username, password, data): + url = f'https://{ip}:{port}/{index}/_doc' + session = requests.Session() + session.auth = (username, password) + session.verify = False + headers = {'Content-Type': 'application/json'} + + try: + for event_data in data: + 
response = session.post(url, json=event_data, headers=headers) + if response.status_code != 201: + logging.error(f'Error: {response.status_code}') + logging.error(response.text) + break + logging.info('Data injection completed successfully.') + except Exception as e: + logging.error(f'Error: {str(e)}') + + +def main(): + try: + number = int(input("How many events do you want to generate? ")) + except ValueError: + logging.error("Invalid input. Please enter a valid number.") + return + + logging.info(f"Generating {number} events...") + data = generate_random_data(number) + + with open(GENERATED_DATA_FILE, 'a') as outfile: + for event_data in data: + json.dump(event_data, outfile) + outfile.write('\n') + + logging.info('Data generation completed.') + + inject = input( + "Do you want to inject the generated data into your indexer? (y/n) ").strip().lower() + if inject == 'y': + ip = input("Enter the IP of your Indexer: ") + port = input("Enter the port of your Indexer: ") + index = input("Enter the index name: ") + username = input("Username: ") + password = input("Password: ") + inject_events(ip, port, index, username, password, data) + + +if __name__ == "__main__": + main() diff --git a/ecs/agent/fields/custom/wazuh-agent.yml b/ecs/agent/fields/custom/wazuh-agent.yml new file mode 100644 index 0000000000000..0492778271095 --- /dev/null +++ b/ecs/agent/fields/custom/wazuh-agent.yml @@ -0,0 +1,27 @@ +--- +- name: agent + title: Wazuh Agents + short: Wazuh Inc. custom fields. + type: group + group: 2 + fields: + - name: groups + type: keyword + level: custom + description: > + The groups the agent belongs to. + - name: key + type: keyword + level: custom + description: > + The agent's registration key. + - name: last_login + type: date + level: custom + description: > + The agent's last login. + - name: is_connected + type: boolean + level: custom + description: > + Agents' interpreted connection status depending on `agent.last_login`. 
diff --git a/ecs/agent/fields/mapping-settings.json b/ecs/agent/fields/mapping-settings.json new file mode 100644 index 0000000000000..0ad2b48fcc1be --- /dev/null +++ b/ecs/agent/fields/mapping-settings.json @@ -0,0 +1,4 @@ +{ + "dynamic": "strict", + "date_detection": false +} \ No newline at end of file diff --git a/ecs/agent/fields/subset.yml b/ecs/agent/fields/subset.yml new file mode 100644 index 0000000000000..2d24cd20429f2 --- /dev/null +++ b/ecs/agent/fields/subset.yml @@ -0,0 +1,22 @@ +--- +name: agent +fields: + base: + fields: + tags: [] + agent: + fields: + id: {} + name: {} + type: {} + version: {} + groups: {} + key: {} + last_login: {} + is_connected: {} + host: + fields: + ip: {} + os: + fields: + full: {} \ No newline at end of file diff --git a/ecs/agent/fields/template-settings-legacy.json b/ecs/agent/fields/template-settings-legacy.json new file mode 100644 index 0000000000000..157c89196df07 --- /dev/null +++ b/ecs/agent/fields/template-settings-legacy.json @@ -0,0 +1,23 @@ +{ + "index_patterns": [ + ".agents*" + ], + "order": 1, + "settings": { + "index": { + "hidden": true, + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "agent.name", + "host.os.full", + "host.ip" + ] + } + } +} \ No newline at end of file diff --git a/ecs/agent/fields/template-settings.json b/ecs/agent/fields/template-settings.json new file mode 100644 index 0000000000000..30c94f204d38c --- /dev/null +++ b/ecs/agent/fields/template-settings.json @@ -0,0 +1,25 @@ +{ + "index_patterns": [ + ".agents*" + ], + "priority": 1, + "template": { + "settings": { + "index": { + "hidden": true, + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "agent.name", + "host.os.full", + "host.ip" + ] + } + } + } +} \ No newline at end of file 
diff --git a/ecs/alerts/fields/custom/agent.yml b/ecs/alerts/fields/custom/agent.yml new file mode 100644 index 0000000000000..3482123af637a --- /dev/null +++ b/ecs/alerts/fields/custom/agent.yml @@ -0,0 +1,12 @@ +--- +- name: agent + title: Wazuh Agents + short: Wazuh Inc. custom fields. + type: group + group: 2 + fields: + - name: groups + type: keyword + level: custom + description: > + The groups the agent belongs to. diff --git a/ecs/alerts/fields/mapping-settings.json b/ecs/alerts/fields/mapping-settings.json new file mode 100644 index 0000000000000..0ad2b48fcc1be --- /dev/null +++ b/ecs/alerts/fields/mapping-settings.json @@ -0,0 +1,4 @@ +{ + "dynamic": "strict", + "date_detection": false +} \ No newline at end of file diff --git a/ecs/alerts/fields/subset.yml b/ecs/alerts/fields/subset.yml new file mode 100644 index 0000000000000..fa784b9806d6c --- /dev/null +++ b/ecs/alerts/fields/subset.yml 
@@ -0,0 +1,596 @@ +--- +name: main +fields: + base: + fields: "*" + agent: + fields: "*" + as: + fields: "*" + client: + fields: + address: {} + as: + fields: "*" + bytes: {} + domain: {} + geo: + fields: "*" + ip: {} + mac: {} + nat: + fields: + ip: {} + port: {} + packets: {} + port: {} + subdomain: {} + registered_domain: {} + top_level_domain: {} + user: + fields: + domain: {} + email: {} + full_name: {} + group: + fields: "*" + hash: {} + id: {} + name: {} + roles: {} + cloud: + fields: "*" + code_signature: + fields: "*" + container: + fields: "*" + data_stream: + fields: "*" + destination: + fields: + address: {} + as: + fields: "*" + bytes: {} + domain: {} + geo: + fields: "*" + ip: {} + mac: {} + nat: + fields: + ip: {} + port: {} + packets: {} + port: {} + subdomain: {} + registered_domain: {} + top_level_domain: {} + user: + fields: + domain: {} + email: {} + full_name: {} + group: + fields: "*" + hash: {} + id: {} + name: {} + roles: {} + device: + fields: "*" + dll: + fields: "*" + dns: + fields: "*" + ecs: + fields: "*" + elf: + fields: "*" + email: + fields: "*" + error: + fields: "*" + event: + fields: "*" + faas: + fields: "*" + file: + fields: "*" + geo: + fields: "*" + group: + fields: "*" + hash: + fields: "*" + host: + fields: "*" + http: + fields: "*" + interface: + fields: "*" + log: + fields: "*" + macho: + fields: "*" + network: + fields: "*" + observer: + fields: "*" + orchestrator: + fields: "*" + organization: + fields: "*" + os: + fields: "*" + package: + fields: "*" + pe: + fields: "*" + process: + fields: + args: {} + args_count: {} + code_signature: + fields: "*" + command_line: {} + elf: + fields: "*" + end: {} + entity_id: {} + entry_leader: + fields: + args: {} + args_count: {} + command_line: {} + entity_id: {} + entry_meta: + fields: + type: {} + source: + fields: + ip: {} + executable: {} + interactive: {} + name: {} + parent: + fields: + entity_id: {} + pid: {} + vpid: {} + start: {} + session_leader: + fields: + entity_id: {} 
+ pid: {} + vpid: {} + start: {} + pid: {} + vpid: {} + same_as_process: {} + start: {} + tty: + fields: + char_device: + fields: + major: {} + minor: {} + working_directory: {} + user: + fields: + id: {} + name: {} + real_user: + fields: + id: {} + name: {} + saved_user: + fields: + id: {} + name: {} + group: + fields: + id: {} + name: {} + real_group: + fields: + id: {} + name: {} + saved_group: + fields: + id: {} + name: {} + supplemental_groups: + fields: + id: {} + name: {} + attested_user: + fields: + id: {} + name: {} + attested_groups: + fields: + name: {} + entry_meta: + fields: + type: + docs_only: True + env_vars: {} + executable: {} + exit_code: {} + group_leader: + fields: + args: {} + args_count: {} + command_line: {} + entity_id: {} + executable: {} + interactive: {} + name: {} + pid: {} + vpid: {} + same_as_process: {} + start: {} + tty: + fields: + char_device: + fields: + major: {} + minor: {} + working_directory: {} + user: + fields: + id: {} + name: {} + real_user: + fields: + id: {} + name: {} + saved_user: + fields: + id: {} + name: {} + group: + fields: + id: {} + name: {} + real_group: + fields: + id: {} + name: {} + saved_group: + fields: + id: {} + name: {} + supplemental_groups: + fields: + id: {} + name: {} + hash: + fields: "*" + interactive: {} + io: + fields: "*" + macho: + fields: "*" + name: {} + parent: + fields: + args: {} + args_count: {} + code_signature: + fields: "*" + command_line: {} + elf: + fields: "*" + end: {} + entity_id: {} + executable: {} + exit_code: {} + group_leader: + fields: + entity_id: {} + pid: {} + vpid: {} + start: {} + hash: + fields: "*" + interactive: {} + macho: + fields: "*" + name: {} + pe: + fields: "*" + pgid: {} + pid: {} + vpid: {} + start: {} + thread: + fields: + id: {} + name: {} + capabilities: + fields: + effective: {} + permitted: {} + title: {} + tty: + fields: + char_device: + fields: + major: {} + minor: {} + uptime: {} + working_directory: {} + user: + fields: + id: {} + name: {} + 
real_user: + fields: + id: {} + name: {} + saved_user: + fields: + id: {} + name: {} + group: + fields: + id: {} + name: {} + real_group: + fields: + id: {} + name: {} + saved_group: + fields: + id: {} + name: {} + supplemental_groups: + fields: + id: {} + name: {} + pe: + fields: "*" + pgid: {} + pid: {} + vpid: {} + previous: + fields: + args: {} + args_count: {} + executable: {} + real_group: + fields: + id: {} + name: {} + real_user: + fields: + id: {} + name: {} + same_as_process: + docs_only: True + saved_group: + fields: + id: {} + name: {} + saved_user: + fields: + id: {} + name: {} + start: {} + supplemental_groups: + fields: + id: {} + name: {} + session_leader: + fields: + args: {} + args_count: {} + command_line: {} + entity_id: {} + executable: {} + interactive: {} + name: {} + pid: {} + vpid: {} + same_as_process: {} + start: {} + tty: + fields: + char_device: + fields: + major: {} + minor: {} + working_directory: {} + parent: + fields: + entity_id: {} + pid: {} + vpid: {} + start: {} + session_leader: + fields: + entity_id: {} + pid: {} + vpid: {} + start: {} + user: + fields: + id: {} + name: {} + real_user: + fields: + id: {} + name: {} + saved_user: + fields: + id: {} + name: {} + group: + fields: + id: {} + name: {} + real_group: + fields: + id: {} + name: {} + saved_group: + fields: + id: {} + name: {} + supplemental_groups: + fields: + id: {} + name: {} + thread: + fields: + id: {} + name: {} + capabilities: + fields: + effective: {} + permitted: {} + title: {} + tty: + fields: "*" + uptime: {} + user: + fields: + id: {} + name: {} + working_directory: {} + registry: + fields: "*" + related: + fields: "*" + risk: + fields: "*" + rule: + fields: "*" + server: + fields: + address: {} + as: + fields: "*" + bytes: {} + domain: {} + geo: + fields: "*" + ip: {} + mac: {} + nat: + fields: + ip: {} + port: {} + packets: {} + port: {} + subdomain: {} + registered_domain: {} + top_level_domain: {} + user: + fields: + domain: {} + email: {} + full_name: 
{} + group: + fields: "*" + hash: {} + id: {} + name: {} + roles: {} + service: + fields: "*" + source: + fields: + address: {} + as: + fields: "*" + bytes: {} + domain: {} + geo: + fields: "*" + ip: {} + mac: {} + nat: + fields: + ip: {} + port: {} + packets: {} + port: {} + subdomain: {} + registered_domain: {} + top_level_domain: {} + user: + fields: + domain: {} + email: {} + full_name: {} + group: + fields: "*" + hash: {} + id: {} + name: {} + roles: {} + threat: + fields: "*" + tls: + fields: "*" + tracing: + fields: "*" + url: + fields: "*" + user_agent: + fields: "*" + user: + fields: + changes: + fields: + domain: {} + email: {} + group: + fields: "*" + full_name: {} + hash: {} + id: {} + name: {} + roles: {} + domain: {} + effective: + fields: + domain: {} + email: {} + group: + fields: "*" + full_name: {} + hash: {} + id: {} + name: {} + roles: {} + email: {} + group: + fields: "*" + full_name: {} + hash: {} + id: {} + name: {} + risk: + fields: "*" + roles: {} + target: + fields: + domain: {} + email: {} + group: + fields: "*" + full_name: {} + hash: {} + id: {} + name: {} + roles: {} + vlan: + fields: "*" + vulnerability: + fields: "*" + x509: + fields: "*" \ No newline at end of file diff --git a/ecs/alerts/fields/template-settings-legacy.json b/ecs/alerts/fields/template-settings-legacy.json new file mode 100644 index 0000000000000..54aac2ceaf55c --- /dev/null +++ b/ecs/alerts/fields/template-settings-legacy.json @@ -0,0 +1,18 @@ +{ + "index_patterns": [ + "wazuh-alerts-5.x-*" + ], + "order": 1, + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "mapping": { + "total_fields": { + "limit": 2500 + } + } + } + } +} \ No newline at end of file diff --git a/ecs/alerts/fields/template-settings.json b/ecs/alerts/fields/template-settings.json new file mode 100644 index 0000000000000..9982494c55ca2 --- /dev/null +++ b/ecs/alerts/fields/template-settings.json 
@@ -0,0 +1,18 @@ +{ + "index_patterns": [ + "wazuh-alerts-5.x-*" + ], + "priority": 1, + "template": { + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": 2500 + } + }, + "refresh_interval": "5s" + } + } + } +} \ No newline at end of file diff --git a/ecs/command/event-generator/event_generator.py b/ecs/command/event-generator/event_generator.py new file mode 100644 index 0000000000000..f8bafa11f0921 --- /dev/null +++ b/ecs/command/event-generator/event_generator.py 
@@ -0,0 +1,135 @@ +#!/bin/python3 + +import random +import json +import requests +import warnings +import logging +import argparse +import uuid + +LOG_FILE = 'generate_data.log' +GENERATED_DATA_FILE = 'generatedData.json' + +# Configure logging +logging.basicConfig(filename=LOG_FILE, level=logging.INFO) + +# Suppress warnings +warnings.filterwarnings("ignore") + + +def generate_random_command(include_all_fields=False): + document = { + "command": { + "source": random.choice(["Users/Services", "Engine", "Content manager"]), + "user": f"user{random.randint(1, 100)}", + "target": { + "id": f"target{random.randint(1, 10)}", + "type": random.choice(["agent", "group", "server"]) + }, + "action": { + "name": random.choice(["restart", "update", "change_group", "apply_policy"]), + "args": [f"/path/to/executable/arg{random.randint(1, 10)}"], + "version": f"v{random.randint(1, 5)}" + }, + "timeout": random.randint(10, 100) + } + } + + if include_all_fields: + document["agent"]["groups"] = [f"group{random.randint(1, 5)}"], + document["command"]["status"] = random.choice( + ["pending", "sent", "success", "failure"]) + document["command"]["result"] = { + "code": random.randint(0, 255), + "message": f"Result message {random.randint(1, 1000)}", + "data": f"Result data {random.randint(1, 100)}" + } + # Generate UUIDs for request_id and order_id + document["command"]["request_id"] = str(uuid.uuid4()) + document["command"]["order_id"] = str(uuid.uuid4()) + + return document + + +def generate_random_data(number, include_all_fields=False): + data = [] + for _ in range(number): + data.append(generate_random_command(include_all_fields)) + return data + + +def inject_events(ip, port, index, username, password, data, use_index=False): + session = requests.Session() + session.auth = (username, password) + session.verify = False + headers = {'Content-Type': 'application/json'} + + try: + for event_data in data: + if use_index: + # Generate UUIDs for the document id + doc_id = 
str(uuid.uuid4()) + url = f'https://{ip}:{port}/{index}/_doc/{doc_id}' + else: + # Default URL for command manager API without the index + url = f'https://{ip}:{port}/_plugins/_commandmanager' + + response = session.post(url, json=event_data, headers=headers) + if response.status_code != 201: + logging.error(f'Error: {response.status_code}') + logging.error(response.text) + break + logging.info('Data injection completed successfully.') + except Exception as e: + logging.error(f'Error: {str(e)}') + + +def main(): + parser = argparse.ArgumentParser( + description="Generate and optionally inject events into an OpenSearch index or Command Manager." + ) + parser.add_argument( + "--index", + action="store_true", + help="Generate additional fields for indexing and inject into a specific index." + ) + args = parser.parse_args() + + try: + number = int(input("How many events do you want to generate? ")) + except ValueError: + logging.error("Invalid input. Please enter a valid number.") + return + + logging.info(f"Generating {number} events...") + data = generate_random_data(number, include_all_fields=args.index) + + with open(GENERATED_DATA_FILE, 'a') as outfile: + for event_data in data: + json.dump(event_data, outfile) + outfile.write('\n') + + logging.info('Data generation completed.') + + inject = input( + "Do you want to inject the generated data into your indexer/command manager? (y/n) " + ).strip().lower() + if inject == 'y': + ip = input("Enter the IP of your Indexer: ") + port = input("Enter the port of your Indexer: ") + + if args.index: + index = input("Enter the index name: ") + else: + index = None + + username = input("Username: ") + password = input("Password: ") + + inject_events(ip, port, index, username, password, + data, use_index=args.index) + + +if __name__ == "__main__": + main() diff --git a/ecs/command/fields/custom/agent.yml b/ecs/command/fields/custom/agent.yml new file mode 100644 index 0000000000000..17b6f7324d830 --- /dev/null 
+++ b/ecs/command/fields/custom/agent.yml @@ -0,0 +1,12 @@ +--- +- name: agent + title: Wazuh Agents + short: Wazuh Inc. custom fields. + type: group + group: 2 + fields: + - name: groups + type: keyword + level: custom + description: > + The groups the agent belongs to. \ No newline at end of file diff --git a/ecs/command/fields/custom/command.yml b/ecs/command/fields/custom/command.yml new file mode 100644 index 0000000000000..749f49fe23835 --- /dev/null +++ b/ecs/command/fields/custom/command.yml 
@@ -0,0 +1,79 @@ +--- +- name: command + title: Wazuh commands + short: Wazuh Inc. custom fields. + description: > + This index stores information about the Wazuh's commands. These commands can be sent to agents or Wazuh servers. + type: group + group: 2 + fields: + - name: source + type: keyword + level: custom + description: > + Origin of the request. + - name: user + type: keyword + level: custom + description: > + The user that originated the request. + - name: target.id + type: keyword + level: custom + description: > + Unique identifier of the destination to send the command to. + - name: target.type + type: keyword + level: custom + description: > + The destination type. One of [`group`, `agent`, `server`] + - name: action.name + type: keyword + level: custom + description: > + The requested action type. Examples: `restart`, `update`, `change_group`, `apply_policy`, ... + - name: action.args + type: keyword + level: custom + description: > + Array of command arguments, starting with the absolute path to the executable. + - name: action.version + type: keyword + level: custom + description: > + Version of the command's schema. + - name: timeout + type: short + level: custom + description: > + Time window in which the command has to be sent to its target. + - name: status + type: keyword + level: custom + description: > + Status within the Command Manager's context. One of ['pending', 'sent', 'success', 'failure']. + - name: result.code + type: short + level: custom + description: > + Status code returned by the target. + - name: result.message + type: keyword + level: custom + description: > + Result message returned by the target. + - name: result.data + type: keyword + level: custom + description: > + Result data returned by the target. + - name: request_id + type: keyword + level: custom + description: > + UUID generated by the Command Manager. + - name: order_id + type: keyword + level: custom + description: > + UUID generated by the Command Manager. 
diff --git a/ecs/command/fields/mapping-settings.json b/ecs/command/fields/mapping-settings.json new file mode 100644 index 0000000000000..0ad2b48fcc1be --- /dev/null +++ b/ecs/command/fields/mapping-settings.json @@ -0,0 +1,4 @@ +{ + "dynamic": "strict", + "date_detection": false +} \ No newline at end of file diff --git a/ecs/command/fields/subset.yml b/ecs/command/fields/subset.yml new file mode 100644 index 0000000000000..80cf43234f2c1 --- /dev/null +++ b/ecs/command/fields/subset.yml @@ -0,0 +1,11 @@ +--- +name: command +fields: + base: + fields: + tags: [] + agent: + fields: + groups: {} + command: + fields: "*" diff --git a/ecs/command/fields/template-settings-legacy.json b/ecs/command/fields/template-settings-legacy.json new file mode 100644 index 0000000000000..75ef7b40f81f8 --- /dev/null +++ b/ecs/command/fields/template-settings-legacy.json @@ -0,0 +1,20 @@ +{ + "index_patterns": [ + ".commands*" + ], + "order": 1, + "settings": { + "index": { + "hidden": true, + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "command.source", + "command.target.type", + "command.status", + "command.action.name" + ] + } + } +} \ No newline at end of file diff --git a/ecs/command/fields/template-settings.json b/ecs/command/fields/template-settings.json new file mode 100644 index 0000000000000..70b65197303ad --- /dev/null +++ b/ecs/command/fields/template-settings.json @@ -0,0 +1,22 @@ +{ + "index_patterns": [ + ".commands*" + ], + "priority": 1, + "template": { + "settings": { + "index": { + "hidden": true, + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "command.source", + "command.target.type", + "command.status", + "command.action.name" + ] + } + } + } +} \ No newline at end of file diff --git a/ecs/generate.sh b/ecs/generate.sh new file mode 100755 index 0000000000000..7b860256f0936 --- /dev/null +++ b/ecs/generate.sh 
@@ -0,0 +1,118 @@ +#!/bin/bash + +set -e +set -u + +# Function to display usage information +show_usage() { + echo "Usage: $0 [--upload ]" + echo " * ECS_VERSION: ECS version to generate mappings for" + echo " * INDEXER_SRC: Path to the wazuh-indexer repository" + echo " * MODULE: Module to generate mappings for" + echo " * --upload : Upload generated index template to the OpenSearch cluster. Defaults to https://localhost:9200" + echo "Example: $0 v8.10.0 ~/wazuh-indexer vulnerability-detector --upload https://indexer:9200" +} + +# Function to remove multi-fields from the generated index template +remove_multi_fields() { + local IN_FILE="$1" + local OUT_FILE="$2" + + jq 'del( + .mappings.properties.host.properties.os.properties.full.fields, + .mappings.properties.host.properties.os.properties.name.fields, + .mappings.properties.vulnerability.properties.description.fields + )' "$IN_FILE" > "$OUT_FILE" +} + + +# Function to generate mappings +generate_mappings() { + local IN_FILES_DIR="$INDEXER_SRC/ecs/$MODULE/fields" + local OUT_DIR="$INDEXER_SRC/ecs/$MODULE/mappings/$ECS_VERSION" + + # Ensure the output directory exists + mkdir -p "$OUT_DIR" || exit 1 + + # Generate mappings + python scripts/generator.py --strict --ref "$ECS_VERSION" \ + --include "$IN_FILES_DIR/custom/" \ + --subset "$IN_FILES_DIR/subset.yml" \ + --template-settings "$IN_FILES_DIR/template-settings.json" \ + --template-settings-legacy "$IN_FILES_DIR/template-settings-legacy.json" \ + --mapping-settings "$IN_FILES_DIR/mapping-settings.json" \ + --out "$OUT_DIR" || exit 1 + + # Replace "constant_keyword" type (not supported by OpenSearch) with "keyword" + echo "Replacing \"constant_keyword\" type with \"keyword\"" + find "$OUT_DIR" -type f -exec sed -i 's/constant_keyword/keyword/g' {} \; + + # Replace "flattened" type (not supported by OpenSearch) with "flat_object" + echo "Replacing \"flattened\" type with \"flat_object\"" + find "$OUT_DIR" -type f -exec sed -i 's/flattened/flat_object/g' {} \; + 
+ # Replace "scaled_float" type with "float" + echo "Replacing \"scaled_float\" type with \"float\"" + find "$OUT_DIR" -type f -exec sed -i 's/scaled_float/float/g' {} \; + echo "Removing scaling_factor lines" + find "$OUT_DIR" -type f -exec sed -i '/scaling_factor/d' {} \; + + local IN_FILE="$OUT_DIR/generated/elasticsearch/legacy/template.json" + local OUT_FILE="$OUT_DIR/generated/elasticsearch/legacy/template-tmp.json" + + # Delete the "tags" field from the index template + echo "Deleting the \"tags\" field from the index template" + jq 'del(.mappings.properties.tags)' "$IN_FILE" > "$OUT_FILE" + mv "$OUT_FILE" "$IN_FILE" + + # Remove multi-fields from the generated index template + echo "Removing multi-fields from the index template" + remove_multi_fields "$IN_FILE" "$OUT_FILE" + mv "$OUT_FILE" "$IN_FILE" + + # Transform legacy index template for OpenSearch compatibility + cat "$IN_FILE" | jq '{ + "index_patterns": .index_patterns, + "priority": .order, + "template": { + "settings": .settings, + "mappings": .mappings + } + }' >"$OUT_DIR/generated/elasticsearch/legacy/opensearch-template.json" + + # Check if the --upload flag has been provided + if [ "$UPLOAD" == "--upload" ]; then + upload_mappings "$OUT_DIR" "$URL" || exit 1 + fi + + echo "Mappings saved to $OUT_DIR" +} + +# Function to upload generated composable index template to the OpenSearch cluster +upload_mappings() { + local OUT_DIR="$1" + local URL="$2" + + echo "Uploading index template to the OpenSearch cluster" + for file in "$OUT_DIR/generated/elasticsearch/composable/component"/*.json; do + component_name=$(basename "$file" .json) + echo "Uploading $component_name" + curl -u admin:admin -X PUT "$URL/_component_template/$component_name?pretty" -H 'Content-Type: application/json' -d@"$file" || exit 1 + done +} + +# Check if the minimum required arguments have been provided +if [ $# -lt 3 ]; then + show_usage + exit 1 +fi + +# Parse command line arguments +ECS_VERSION="$1" +INDEXER_SRC="$2" 
+MODULE="$3" +UPLOAD="${4:-false}" +URL="${5:-https://localhost:9200}" + +# Generate mappings +generate_mappings "$ECS_VERSION" "$INDEXER_SRC" "$MODULE" "$UPLOAD" "$URL" diff --git a/ecs/states-fim/fields/custom/agent.yml b/ecs/states-fim/fields/custom/agent.yml new file mode 100644 index 0000000000000..17b6f7324d830 --- /dev/null +++ b/ecs/states-fim/fields/custom/agent.yml @@ -0,0 +1,12 @@ +--- +- name: agent + title: Wazuh Agents + short: Wazuh Inc. custom fields. + type: group + group: 2 + fields: + - name: groups + type: keyword + level: custom + description: > + The groups the agent belongs to. \ No newline at end of file diff --git a/ecs/states-fim/fields/mapping-settings.json b/ecs/states-fim/fields/mapping-settings.json new file mode 100644 index 0000000000000..0ad2b48fcc1be --- /dev/null +++ b/ecs/states-fim/fields/mapping-settings.json @@ -0,0 +1,4 @@ +{ + "dynamic": "strict", + "date_detection": false +} \ No newline at end of file diff --git a/ecs/states-fim/fields/subset.yml b/ecs/states-fim/fields/subset.yml new file mode 100644 index 0000000000000..00be04f87e645 --- /dev/null +++ b/ecs/states-fim/fields/subset.yml @@ -0,0 +1,36 @@ +--- +name: wazuh-states-fim +fields: + base: + fields: + tags: [] + agent: + fields: + id: {} + groups: {} + file: + fields: + attributes: {} + name: {} + path: {} + gid: {} + group: {} + inode: {} + hash: + fields: + md5: {} + sha1: {} + sha256: {} + mtime: {} + mode: {} + size: {} + target_path: {} + type: {} + uid: {} + owner: {} + registry: + fields: + key: {} + value: {} + + diff --git a/ecs/states-fim/fields/template-settings-legacy.json b/ecs/states-fim/fields/template-settings-legacy.json new file mode 100644 index 0000000000000..91c05d65c44cf --- /dev/null +++ b/ecs/states-fim/fields/template-settings-legacy.json 
@@ -0,0 +1,21 @@ +{ + "index_patterns": ["wazuh-states-fim*"], + "order": 1, + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "file.name", + "file.path", + "file.target_path", + "file.group", + "file.uid", + "file.gid" + ] + } + } +} diff --git a/ecs/states-fim/fields/template-settings.json b/ecs/states-fim/fields/template-settings.json new file mode 100644 index 0000000000000..4ecb7b7d3831c --- /dev/null +++ b/ecs/states-fim/fields/template-settings.json @@ -0,0 +1,23 @@ +{ + "index_patterns": ["wazuh-states-fim*"], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "file.name", + "file.path", + "file.target_path", + "file.group", + "file.uid", + "file.gid" + ] + } + } + } +} diff --git a/ecs/states-inventory-packages/fields/custom/agent.yml b/ecs/states-inventory-packages/fields/custom/agent.yml new file mode 100644 index 0000000000000..3482123af637a --- /dev/null +++ b/ecs/states-inventory-packages/fields/custom/agent.yml @@ -0,0 +1,12 @@ +--- +- name: agent + title: Wazuh Agents + short: Wazuh Inc. custom fields. + type: group + group: 2 + fields: + - name: groups + type: keyword + level: custom + description: > + The groups the agent belongs to. diff --git a/ecs/states-inventory-packages/fields/mapping-settings.json b/ecs/states-inventory-packages/fields/mapping-settings.json new file mode 100644 index 0000000000000..0ad2b48fcc1be --- /dev/null +++ b/ecs/states-inventory-packages/fields/mapping-settings.json @@ -0,0 +1,4 @@ +{ + "dynamic": "strict", + "date_detection": false +} \ No newline at end of file diff --git a/ecs/states-inventory-packages/fields/subset.yml b/ecs/states-inventory-packages/fields/subset.yml new file mode 100644 index 0000000000000..49028288fea80 --- /dev/null 
+++ b/ecs/states-inventory-packages/fields/subset.yml @@ -0,0 +1,21 @@ +--- +name: wazuh-states-inventory-packages +fields: + base: + fields: + "@timestamp": {} + tags: [] + agent: + fields: + id: {} + groups: {} + package: + fields: + architecture: "" + description: "" + installed: {} + name: "" + path: "" + size: {} + type: "" + version: "" diff --git a/ecs/states-inventory-packages/fields/template-settings-legacy.json b/ecs/states-inventory-packages/fields/template-settings-legacy.json new file mode 100644 index 0000000000000..ca085a0dad45d --- /dev/null +++ b/ecs/states-inventory-packages/fields/template-settings-legacy.json @@ -0,0 +1,19 @@ +{ + "index_patterns": ["wazuh-states-inventory-packages*"], + "order": 1, + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "package.architecture", + "package.name", + "package.version", + "package.type" + ] + } + } +} diff --git a/ecs/states-inventory-packages/fields/template-settings.json b/ecs/states-inventory-packages/fields/template-settings.json new file mode 100644 index 0000000000000..e6cd3078a8325 --- /dev/null +++ b/ecs/states-inventory-packages/fields/template-settings.json @@ -0,0 +1,21 @@ +{ + "index_patterns": ["wazuh-states-inventory-packages*"], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "package.architecture", + "package.name", + "package.version", + "package.type" + ] + } + } + } +} diff --git a/ecs/states-inventory-processes/fields/custom/agent.yml b/ecs/states-inventory-processes/fields/custom/agent.yml new file mode 100644 index 0000000000000..3482123af637a --- /dev/null +++ b/ecs/states-inventory-processes/fields/custom/agent.yml 
@@ -0,0 +1,12 @@ +--- +- name: agent + title: Wazuh Agents + short: Wazuh Inc. custom fields. + type: group + group: 2 + fields: + - name: groups + type: keyword + level: custom + description: > + The groups the agent belongs to. diff --git a/ecs/states-inventory-processes/fields/mapping-settings.json b/ecs/states-inventory-processes/fields/mapping-settings.json new file mode 100644 index 0000000000000..0ad2b48fcc1be --- /dev/null +++ b/ecs/states-inventory-processes/fields/mapping-settings.json @@ -0,0 +1,4 @@ +{ + "dynamic": "strict", + "date_detection": false +} \ No newline at end of file diff --git a/ecs/states-inventory-processes/fields/subset.yml b/ecs/states-inventory-processes/fields/subset.yml new file mode 100644 index 0000000000000..29e97c8969d86 --- /dev/null +++ b/ecs/states-inventory-processes/fields/subset.yml @@ -0,0 +1,42 @@ +--- +name: wazuh-states-inventory-processes +fields: + base: + fields: + "@timestamp": {} + tags: [] + agent: + fields: + id: {} + groups: {} + process: + fields: + pid: {} + name: "" + parent: + fields: + pid: {} + command_line: "" + args: "" + user: + fields: + id: "" + real_user: + fields: + id: "" + saved_user: + fields: + id: "" + group: + fields: + id: "" + real_group: + fields: + id: "" + saved_group: + fields: + id: "" + start: {} + thread: + fields: + id: "" diff --git a/ecs/states-inventory-processes/fields/template-settings-legacy.json b/ecs/states-inventory-processes/fields/template-settings-legacy.json new file mode 100644 index 0000000000000..0c5363d2feeb7 --- /dev/null +++ b/ecs/states-inventory-processes/fields/template-settings-legacy.json @@ -0,0 +1,18 @@ +{ + "index_patterns": ["wazuh-states-inventory-processes*"], + "order": 1, + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "process.name", + "process.pid", + "process.command_line" + ] + } + } +} 
diff --git a/ecs/states-inventory-processes/fields/template-settings.json b/ecs/states-inventory-processes/fields/template-settings.json new file mode 100644 index 0000000000000..15c0bc58c58ba --- /dev/null +++ b/ecs/states-inventory-processes/fields/template-settings.json @@ -0,0 +1,20 @@ +{ + "index_patterns": ["wazuh-states-inventory-processes*"], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "process.name", + "process.pid", + "process.command_line" + ] + } + } + } +} diff --git a/ecs/states-inventory-system/fields/custom/agent.yml b/ecs/states-inventory-system/fields/custom/agent.yml new file mode 100644 index 0000000000000..3482123af637a --- /dev/null +++ b/ecs/states-inventory-system/fields/custom/agent.yml @@ -0,0 +1,12 @@ +--- +- name: agent + title: Wazuh Agents + short: Wazuh Inc. custom fields. + type: group + group: 2 + fields: + - name: groups + type: keyword + level: custom + description: > + The groups the agent belongs to. diff --git a/ecs/states-inventory-system/fields/mapping-settings.json b/ecs/states-inventory-system/fields/mapping-settings.json new file mode 100644 index 0000000000000..0ad2b48fcc1be --- /dev/null +++ b/ecs/states-inventory-system/fields/mapping-settings.json @@ -0,0 +1,4 @@ +{ + "dynamic": "strict", + "date_detection": false +} \ No newline at end of file diff --git a/ecs/states-inventory-system/fields/subset.yml b/ecs/states-inventory-system/fields/subset.yml new file mode 100644 index 0000000000000..fe9be3affb7af --- /dev/null +++ b/ecs/states-inventory-system/fields/subset.yml 
@@ -0,0 +1,23 @@ +--- +name: wazuh-states-inventory-system +fields: + base: + fields: + tags: [] + "@timestamp": {} + agent: + fields: + id: {} + groups: {} + host: + fields: + architecture: {} + hostname: {} + name: {} + os: + fields: + kernel: {} + full: {} + platform: {} + version: {} + type: {} diff --git a/ecs/states-inventory-system/fields/template-settings-legacy.json b/ecs/states-inventory-system/fields/template-settings-legacy.json new file mode 100644 index 0000000000000..2d12dcaac3ce6 --- /dev/null +++ b/ecs/states-inventory-system/fields/template-settings-legacy.json @@ -0,0 +1,18 @@ +{ + "index_patterns": ["wazuh-states-inventory-system*"], + "order": 1, + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "host.name", + "host.os.type", + "host.os.version" + ] + } + } +} diff --git a/ecs/states-inventory-system/fields/template-settings.json b/ecs/states-inventory-system/fields/template-settings.json new file mode 100644 index 0000000000000..62249c19e72ea --- /dev/null +++ b/ecs/states-inventory-system/fields/template-settings.json @@ -0,0 +1,20 @@ +{ + "index_patterns": ["wazuh-states-inventory-system*"], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "host.name", + "host.os.type", + "host.os.version" + ] + } + } + } +} diff --git a/ecs/states-vulnerabilities/event-generator/event_generator.py b/ecs/states-vulnerabilities/event-generator/event_generator.py new file mode 100644 index 0000000000000..c973123666baa --- /dev/null +++ b/ecs/states-vulnerabilities/event-generator/event_generator.py 
@@ -0,0 +1,244 @@ +#!/bin/python3 + +# This script generates sample events and injects them into the Wazuh Indexer. +# The events follow the Elastic Common Schema (ECS) format, and contains the following fields: +# - agent +# - package +# - host +# - vulnerability +# - wazuh (custom) +# +# This is an ad-hoc script for the vulnerability module. Extend to support other modules. + +import datetime +import random +import json +import requests +import warnings +import logging + +# Constants and Configuration +LOG_FILE = 'generate_data.log' +GENERATED_DATA_FILE = 'generatedData.json' +DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ" + +# Configure logging +logging.basicConfig(filename=LOG_FILE, level=logging.INFO) + +# Suppress warnings +warnings.filterwarnings("ignore") + + +def generate_random_date(): + start_date = datetime.datetime.now() + end_date = start_date - datetime.timedelta(days=10) + random_date = start_date + (end_date - start_date) * random.random() + return random_date.strftime(DATE_FORMAT) + + +def generate_random_agent(): + agent = { + 'build': {'original': f'build{random.randint(0, 9999)}'}, + 'id': f'agent{random.randint(0, 99)}', + 'name': f'Agent{random.randint(0, 99)}', + 'version': f'v{random.randint(0, 9)}-stable', + 'ephemeral_id': f'{random.randint(0, 99999)}', + 'type': random.choice(['filebeat', 'windows', 'linux', 'macos']) + } + return agent + + +def generate_random_event(): + event = { + 'action': random.choice(['login', 'logout', 'create', 'delete', 'modify', 'read', 'write', 'upload', 'download', + 'copy', 'paste', 'cut', 'move', 'rename', 'open', 'close', 'execute', 'run', 'install', + 'uninstall', 'start', 'stop', 'kill', 'suspend', 'resume', 'sleep', 'wake', 'lock', + 'unlock', 'encrypt', 'decrypt', 'compress', 'decompress', 'archive', 'unarchive', + 'mount', 'unmount', 'eject', 'connect', 'disconnect', 'send', 'receive']), + 'agent_id_status': random.choice(['verified', 'mismatch', 'missing', 'auth_metadata_missing']), + 'category': 
random.choice(['authentication', 'authorization', 'configuration', 'communication', 'file', + 'network', 'process', 'registry', 'storage', 'system', 'web']), + 'code': f'{random.randint(0, 99999)}', + 'created': generate_random_date(), + 'dataset': random.choice(['process', 'file', 'registry', 'socket', 'dns', 'http', 'tls', 'alert', + 'authentication', 'authorization', 'configuration', 'communication', 'file', + 'network', 'process', 'registry', 'storage', 'system', 'web']), + 'duration': random.randint(0, 99999), + 'end': generate_random_date(), + 'hash': str(hash(f'hash{random.randint(0, 99999)}')), + 'id': f'{random.randint(0, 99999)}', + 'ingested': generate_random_date(), + 'kind': random.choice(['alert', 'asset', 'enrichment', 'event', 'metric', + 'state', 'pipeline_error', 'signal']), + 'module': random.choice(['process', 'file', 'registry', 'socket', 'dns', 'http', 'tls', 'alert', + 'authentication', 'authorization', 'configuration', 'communication', 'file', + 'network', 'process', 'registry', 'storage', 'system', 'web']), + 'original': f'original{random.randint(0, 99999)}', + 'outcome': random.choice(['success', 'failure', 'unknown']), + 'provider': random.choice(['process', 'file', 'registry', 'socket', 'dns', 'http', 'tls', 'alert', + 'authentication', 'authorization', 'configuration', 'communication', 'file', + 'network', 'process', 'registry', 'storage', 'system', 'web']), + 'reason': f'This event happened due to reason{random.randint(0, 99999)}', + 'reference': f'https://system.example.com/event/#{random.randint(0, 99999)}', + 'risk_score': round(random.uniform(0, 10), 1), + 'risk_score_norm': round(random.uniform(0, 10), 1), + 'sequence': random.randint(0, 10), + 'severity': random.randint(0, 10), + 'start': generate_random_date(), + 'timezone': random.choice(['UTC', 'GMT', 'PST', 'EST', 'CST', 'MST', 'PDT', 'EDT', 'CDT', 'MDT']), + 'type': random.choice(['access', 'admin', 'allowed', 'change', 'connection', 'creation', 'deletion', + 'denied', 
'end', 'error', 'group', 'indicator', 'info', 'installation', 'protocol', + 'start', 'user']), + 'url': f'http://mysystem.example.com/alert/{random.randint(0, 99999)}' + } + return event + + +def generate_random_host(): + family = random.choice( + ['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL']) + version = f'{random.randint(0, 99)}.{random.randint(0, 99)}' + host = { + 'os': { + 'full': f'{family} {version}', + 'kernel': f'{version}kernel{random.randint(0, 99)}', + 'name': f'{family} {version}', + 'platform': family, + 'type': random.choice(['windows', 'linux', 'macos', 'ios', 'android', 'unix']), + 'version': version + } + } + return host + + +def generate_random_labels(): + labels = { + 'label1': f'label{random.randint(0, 99)}', 'label2': f'label{random.randint(0, 99)}'} + return labels + + +def generate_random_package(): + package = { + 'architecture': random.choice(['x86', 'x64', 'arm', 'arm64']), + 'build_version': f'build{random.randint(0, 9999)}', + 'checksum': f'checksum{random.randint(0, 9999)}', + 'description': f'description{random.randint(0, 9999)}', + 'install_scope': random.choice(['user', 'system']), + 'installed': generate_random_date(), + 'license': f'license{random.randint(0, 9)}', + 'name': f'name{random.randint(0, 99)}', + 'path': f'/path/to/package{random.randint(0, 99)}', + 'reference': f'package-reference-{random.randint(0, 99)}', + 'size': random.randint(0, 99999), + 'type': random.choice(['deb', 'rpm', 'msi', 'pkg', 'app', 'apk', 'exe', 'zip', 'tar', 'gz', '7z', + 'rar', 'cab', 'iso', 'dmg', 'tar.gz', 'tar.bz2', 'tar.xz', 'tar.Z', 'tar.lz4', + 'tar.sz', 'tar.zst']), + 'version': f'v{random.randint(0, 9)}-stable' + } + return package + + +def generate_random_vulnerability(): + id = random.randint(0, 9999) + vulnerability = { + 'category': random.choice(['security', 'config', 'os', 'package', 'custom']), + 'classification': [f'classification{random.randint(0, 9999)}'], + 'description': f'description{random.randint(0, 9999)}', + 
'enumeration': 'CVE', + 'id': f'CVE-{id}', + 'reference': f'https://mycve.test.org/cgi-bin/cvename.cgi?name={id}', + 'report_id': f'report-{random.randint(0, 9999)}', + 'scanner': { + 'vendor': f'vendor-{random.randint(0, 9)}', + 'source': random.choice(['NVD', 'OpenCVE', 'OpenVAS', 'Tenable']) + }, + 'score': { + 'base': round(random.uniform(0, 10), 1), + 'environmental': round(random.uniform(0, 10), 1), + 'temporal': round(random.uniform(0, 10), 1), + 'version': round(random.uniform(0, 10), 1) + }, + 'severity': random.choice(['Low', 'Medium', 'High', 'Critical']), + 'detected_at': generate_random_date(), + 'published_at': generate_random_date(), + 'under_evaluation': random.choice([True, False]) + } + return vulnerability + + +def generate_random_wazuh(): + wazuh = { + 'cluster': { + 'name': f'wazuh-cluster-{random.randint(0,10)}', + 'node': f'wazuh-cluster-node-{random.randint(0,10)}' + }, + 'schema': { + 'version': '1.7.0' + }, + } + return wazuh + + +def generate_random_data(number): + data = [] + for _ in range(number): + event_data = { + 'agent': generate_random_agent(), + 'host': generate_random_host(), + 'package': generate_random_package(), + 'vulnerability': generate_random_vulnerability(), + 'wazuh': generate_random_wazuh() + } + data.append(event_data) + return data + + +def inject_events(ip, port, index, username, password, data): + url = f'https://{ip}:{port}/{index}/_doc' + session = requests.Session() + session.auth = (username, password) + session.verify = False + headers = {'Content-Type': 'application/json'} + + try: + for event_data in data: + response = session.post(url, json=event_data, headers=headers) + if response.status_code != 201: + logging.error(f'Error: {response.status_code}') + logging.error(response.text) + break + logging.info('Data injection completed successfully.') + except Exception as e: + logging.error(f'Error: {str(e)}') + + +def main(): + try: + number = int(input("How many events do you want to generate? 
").strip() or 50) + except ValueError: + logging.error("Invalid input. Please enter a valid number.") + return + + logging.info(f"Generating {number} events...") + data = generate_random_data(number) + + with open(GENERATED_DATA_FILE, 'a') as outfile: + for event_data in data: + json.dump(event_data, outfile) + outfile.write('\n') + + logging.info('Data generation completed.') + + inject = input( + "Do you want to inject the generated data into your indexer? (y/n) ").strip().lower() + if inject == 'y': + ip = input("Enter the IP of your Indexer: ").strip() or "localhost" + port = input("Enter the port of your Indexer: ").strip() or 9200 + index = input("Enter the index name: ").strip() or "wazuh-states-vulnerability-test" + username = input("Username: ").strip() or "admin" + password = input("Password: ").strip() + inject_events(ip, port, index, username, password, data) + + +if __name__ == "__main__": + main() diff --git a/ecs/states-vulnerabilities/fields/custom/agent.yml b/ecs/states-vulnerabilities/fields/custom/agent.yml new file mode 100644 index 0000000000000..3482123af637a --- /dev/null +++ b/ecs/states-vulnerabilities/fields/custom/agent.yml @@ -0,0 +1,12 @@ +--- +- name: agent + title: Wazuh Agents + short: Wazuh Inc. custom fields. + type: group + group: 2 + fields: + - name: groups + type: keyword + level: custom + description: > + The groups the agent belongs to. diff --git a/ecs/states-vulnerabilities/fields/custom/vulnerability.yml b/ecs/states-vulnerabilities/fields/custom/vulnerability.yml new file mode 100644 index 0000000000000..ebc9d6be7cc65 --- /dev/null +++ b/ecs/states-vulnerabilities/fields/custom/vulnerability.yml 
@@ -0,0 +1,29 @@ +- name: vulnerability + title: Vulnerability + group: 2 + short: Fields to describe the vulnerability relevant to an event. + description: > + The vulnerability fields describe information about a vulnerability that is + relevant to an event. + type: group + fields: + - name: detected_at + type: date + level: custom + description: > + Vulnerability's detection date. + - name: published_at + type: date + level: custom + description: > + Vulnerability's publication date. + - name: under_evaluation + type: boolean + level: custom + description: > + Indicates if the vulnerability is awaiting analysis by the NVD. + - name: scanner.source + type: keyword + level: custom + description: > + The origin of the decision of the scanner (AKA feed used to detect the vulnerability). diff --git a/ecs/states-vulnerabilities/fields/custom/wazuh.yml b/ecs/states-vulnerabilities/fields/custom/wazuh.yml new file mode 100644 index 0000000000000..cbc1a38f016df --- /dev/null +++ b/ecs/states-vulnerabilities/fields/custom/wazuh.yml @@ -0,0 +1,21 @@ +--- +- name: wazuh + title: Wazuh + description: > + Wazuh Inc. custom fields + fields: + - name: cluster.name + type: keyword + level: custom + description: > + Wazuh cluster name. + - name: cluster.node + type: keyword + level: custom + description: > + Wazuh cluster node name. + - name: schema.version + type: keyword + level: custom + description: > + Wazuh schema version. diff --git a/ecs/states-vulnerabilities/fields/mapping-settings.json b/ecs/states-vulnerabilities/fields/mapping-settings.json new file mode 100644 index 0000000000000..0ad2b48fcc1be --- /dev/null +++ b/ecs/states-vulnerabilities/fields/mapping-settings.json @@ -0,0 +1,4 @@ +{ + "dynamic": "strict", + "date_detection": false +} \ No newline at end of file diff --git a/ecs/states-vulnerabilities/fields/subset.yml b/ecs/states-vulnerabilities/fields/subset.yml new file mode 100644 index 0000000000000..6b616dfb624d0 --- /dev/null 
+++ b/ecs/states-vulnerabilities/fields/subset.yml @@ -0,0 +1,24 @@ +--- +name: wazuh-states-vulnerabilities +fields: + base: + fields: + tags: [] + agent: + fields: "*" + package: + fields: "*" + host: + fields: + os: + fields: + full: "" + kernel: "" + name: "" + platform: "" + type: "" + version: "" + vulnerability: + fields: "*" + wazuh: + fields: "*" diff --git a/ecs/states-vulnerabilities/fields/template-settings-legacy.json b/ecs/states-vulnerabilities/fields/template-settings-legacy.json new file mode 100644 index 0000000000000..17a7bd4f6c785 --- /dev/null +++ b/ecs/states-vulnerabilities/fields/template-settings-legacy.json @@ -0,0 +1,23 @@ +{ + "index_patterns": ["wazuh-states-vulnerabilities*"], + "order": 1, + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "host.os.full", + "host.os.version", + "package.name", + "package.version", + "vulnerability.id", + "vulnerability.description", + "vulnerability.severity", + "wazuh.cluster.name" + ] + } + } +} diff --git a/ecs/states-vulnerabilities/fields/template-settings.json b/ecs/states-vulnerabilities/fields/template-settings.json new file mode 100644 index 0000000000000..901003b59b17f --- /dev/null +++ b/ecs/states-vulnerabilities/fields/template-settings.json @@ -0,0 +1,25 @@ +{ + "index_patterns": ["wazuh-states-vulnerabilities*"], + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_shards": "1", + "number_of_replicas": "0", + "refresh_interval": "5s", + "query.default_field": [ + "agent.id", + "agent.groups", + "host.os.full", + "host.os.version", + "package.name", + "package.version", + "vulnerability.id", + "vulnerability.description", + "vulnerability.severity", + "wazuh.cluster.name" + ] + } + } + } +} diff --git a/integrations/.gitignore b/integrations/.gitignore new file mode 100644 index 0000000000000..49aa039cc7e32 --- /dev/null 
+++ b/integrations/.gitignore @@ -0,0 +1,3 @@ +external +docker/certs +docker/config diff --git a/integrations/README.md b/integrations/README.md new file mode 100644 index 0000000000000..06fd20e3b1529 --- /dev/null +++ b/integrations/README.md @@ -0,0 +1,33 @@ +## Wazuh indexer integrations + +This folder contains integrations with third-party XDR, SIEM and cybersecurity software. +The goal is to transport Wazuh's analysis to the platform that suits your needs. + +### Amazon Security Lake + +Amazon Security Lake automatically centralizes security data from AWS environments, SaaS providers, +on premises, and cloud sources into a purpose-built data lake stored in your account. With Security Lake, +you can get a more complete understanding of your security data across your entire organization. You can +also improve the protection of your workloads, applications, and data. Security Lake has adopted the +Open Cybersecurity Schema Framework (OCSF), an open standard. With OCSF support, the service normalizes +and combines security data from AWS and a broad range of enterprise security data sources. + +Refer to these documents for more information about this integration: + +- [User Guide](./amazon-security-lake/README.md). +- [Developer Guide](./amazon-security-lake/CONTRIBUTING.md). + +### Other integrations + +We host development environments to support the following integrations: + +- [Splunk](./splunk/README.md). +- [Elasticsearch](./elastic/README.md). +- [OpenSearch](./opensearch/README.md). + +**Compatibility matrix** + +| | Wazuh | Logstash | OpenSearch | Elastic | Splunk | +| -------------- | ----- | -------- | ---------- | ------- | ------ | +| v1.0 | 4.8.1 | 8.9.0 | 2.14.0 | 8.14.3 | 9.1.4 | +| Latest version | 4.9.2 | 8.9.0 | 2.18.0 | 8.15.3 | 9.3.1 | diff --git a/integrations/amazon-security-lake/.dockerignore b/integrations/amazon-security-lake/.dockerignore new file mode 100644 index 0000000000000..891ff7a135014 --- /dev/null 
+++ b/integrations/amazon-security-lake/.dockerignore 
@@ -0,0 +1,180 @@ +wazuh-event.ocsf.json +*.parquet +Dockerfile + +# Created by https://www.toptal.com/developers/gitignore/api/python +# Edit at https://www.toptal.com/developers/gitignore?templates=python + +### Python ### +# Byte-compiled / optimized / DLL files +__pycache__/ +*.py[cod] +*$py.class + +# C extensions +*.so + +# Distribution / packaging +.Python +build/ +develop-eggs/ +dist/ +downloads/ +eggs/ +.eggs/ +lib/ +lib64/ +parts/ +sdist/ +var/ +wheels/ +share/python-wheels/ +*.egg-info/ +.installed.cfg +*.egg +MANIFEST + +# PyInstaller +# Usually these files are written by a python script from a template +# before PyInstaller builds the exe, so as to inject date/other infos into it. +*.manifest +*.spec + +# Installer logs +pip-log.txt +pip-delete-this-directory.txt + +# Unit test / coverage reports +htmlcov/ +.tox/ +.nox/ +.coverage +.coverage.* +.cache +nosetests.xml +coverage.xml +*.cover +*.py,cover +.hypothesis/ +.pytest_cache/ +cover/ + +# Translations +*.mo +*.pot + +# Django stuff: +*.log +local_settings.py +db.sqlite3 +db.sqlite3-journal + +# Flask stuff: +instance/ +.webassets-cache + +# Scrapy stuff: +.scrapy + +# Sphinx documentation +docs/_build/ + +# PyBuilder +.pybuilder/ +target/ + +# Jupyter Notebook +.ipynb_checkpoints + +# IPython +profile_default/ +ipython_config.py + +# pyenv +# For a library or package, you might want to ignore these files since the code is +# intended to run in multiple environments; otherwise, check them in: +# .python-version + +# pipenv +# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. +# However, in case of collaboration, if having platform-specific dependencies or dependencies +# having no cross-platform support, pipenv may install dependencies that don't work, or not +# install all needed dependencies. +#Pipfile.lock + +# poetry +# Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control. 
+# This is especially recommended for binary packages to ensure reproducibility, and is more +# commonly ignored for libraries. +# https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control +#poetry.lock + +# pdm +# Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control. +#pdm.lock +# pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it +# in version control. +# https://pdm.fming.dev/#use-with-ide +.pdm.toml + +# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm +__pypackages__/ + +# Celery stuff +celerybeat-schedule +celerybeat.pid + +# SageMath parsed files +*.sage.py + +# Environments +.env +.venv +env/ +venv/ +ENV/ +env.bak/ +venv.bak/ + +# Spyder project settings +.spyderproject +.spyproject + +# Rope project settings +.ropeproject + +# mkdocs documentation +/site + +# mypy +.mypy_cache/ +.dmypy.json +dmypy.json + +# Pyre type checker +.pyre/ + +# pytype static type analyzer +.pytype/ + +# Cython debug symbols +cython_debug/ + +# PyCharm +# JetBrains specific template is maintained in a separate JetBrains.gitignore that can +# be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore +# and can be added to the global gitignore or merged into this file. For a more nuclear +# option (not recommended) you can uncomment the following to ignore the entire idea folder. +#.idea/ + +### Python Patch ### +# Poetry local configuration file - https://python-poetry.org/docs/configuration/#local-configuration +poetry.toml + +# ruff +.ruff_cache/ + +# LSP config files +pyrightconfig.json + +# End of https://www.toptal.com/developers/gitignore/api/python \ No newline at end of file diff --git a/integrations/amazon-security-lake/.gitignore b/integrations/amazon-security-lake/.gitignore new file mode 100644 index 0000000000000..0740f723d0c79 --- /dev/null +++ b/integrations/amazon-security-lake/.gitignore 
@@ -0,0 +1,179 @@ +wazuh-event.ocsf.json +*.parquet + +# Created by https://www.toptal.com/developers/gitignore/api/python +# Edit at https://www.toptal.com/developers/gitignore?templates=python + +### Python ### +# Byte-compiled / optimized / DLL files +__pycache__/ +*.py[cod] +*$py.class + +# C extensions +*.so + +# Distribution / packaging +.Python +build/ +develop-eggs/ +dist/ +downloads/ +eggs/ +.eggs/ +lib/ +lib64/ +parts/ +sdist/ +var/ +wheels/ +share/python-wheels/ +*.egg-info/ +.installed.cfg +*.egg +MANIFEST + +# PyInstaller +# Usually these files are written by a python script from a template +# before PyInstaller builds the exe, so as to inject date/other infos into it. +*.manifest +*.spec + +# Installer logs +pip-log.txt +pip-delete-this-directory.txt + +# Unit test / coverage reports +htmlcov/ +.tox/ +.nox/ +.coverage +.coverage.* +.cache +nosetests.xml +coverage.xml +*.cover +*.py,cover +.hypothesis/ +.pytest_cache/ +cover/ + +# Translations +*.mo +*.pot + +# Django stuff: +*.log +local_settings.py +db.sqlite3 +db.sqlite3-journal + +# Flask stuff: +instance/ +.webassets-cache + +# Scrapy stuff: +.scrapy + +# Sphinx documentation +docs/_build/ + +# PyBuilder +.pybuilder/ +target/ + +# Jupyter Notebook +.ipynb_checkpoints + +# IPython +profile_default/ +ipython_config.py + +# pyenv +# For a library or package, you might want to ignore these files since the code is +# intended to run in multiple environments; otherwise, check them in: +# .python-version + +# pipenv +# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. +# However, in case of collaboration, if having platform-specific dependencies or dependencies +# having no cross-platform support, pipenv may install dependencies that don't work, or not +# install all needed dependencies. +#Pipfile.lock + +# poetry +# Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control. 
+# This is especially recommended for binary packages to ensure reproducibility, and is more +# commonly ignored for libraries. +# https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control +#poetry.lock + +# pdm +# Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control. +#pdm.lock +# pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it +# in version control. +# https://pdm.fming.dev/#use-with-ide +.pdm.toml + +# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm +__pypackages__/ + +# Celery stuff +celerybeat-schedule +celerybeat.pid + +# SageMath parsed files +*.sage.py + +# Environments +.env +.venv +env/ +venv/ +ENV/ +env.bak/ +venv.bak/ + +# Spyder project settings +.spyderproject +.spyproject + +# Rope project settings +.ropeproject + +# mkdocs documentation +/site + +# mypy +.mypy_cache/ +.dmypy.json +dmypy.json + +# Pyre type checker +.pyre/ + +# pytype static type analyzer +.pytype/ + +# Cython debug symbols +cython_debug/ + +# PyCharm +# JetBrains specific template is maintained in a separate JetBrains.gitignore that can +# be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore +# and can be added to the global gitignore or merged into this file. For a more nuclear +# option (not recommended) you can uncomment the following to ignore the entire idea folder. +#.idea/ + +### Python Patch ### +# Poetry local configuration file - https://python-poetry.org/docs/configuration/#local-configuration +poetry.toml + +# ruff +.ruff_cache/ + +# LSP config files +pyrightconfig.json + +# End of https://www.toptal.com/developers/gitignore/api/python \ No newline at end of file diff --git a/integrations/amazon-security-lake/CONTRIBUTING.md b/integrations/amazon-security-lake/CONTRIBUTING.md new file mode 100644 index 0000000000000..1d8132d814c73 --- /dev/null 
+++ b/integrations/amazon-security-lake/CONTRIBUTING.md 
@@ -0,0 +1,55 @@ +# Wazuh to Amazon Security Lake Integration Development Guide + +## Deployment guide on Docker + +A demo of the integration can be started using the content of this folder and Docker. Open a terminal in the `wazuh-indexer/integrations` folder and start the environment. + +```console +docker compose -f ./docker/compose.amazon-security-lake.yml up -d +``` + +This Docker Compose project will bring up these services: + +- a _wazuh-indexer_ node +- a _wazuh-dashboard_ node +- a _logstash_ node +- our [events generator](../tools/events-generator/README.md) +- an AWS Lambda Python container. + +On the one hand, the event generator will push events constantly to the indexer, to the `wazuh-alerts-4.x-sample` index by default (refer to the [events generator](../tools/events-generator/README.md) documentation for customization options). On the other hand, Logstash will query for new data and deliver it to output configured in the pipeline `indexer-to-s3`. This pipeline delivers the data to an S3 bucket, from which the data is processed using a Lambda function, to finally be sent to the Amazon Security Lake bucket in Parquet format. + +The pipeline starts automatically, but if you need to start it manually, attach a terminal to the Logstash container and start the integration using the command below: + +```console +/usr/share/logstash/bin/logstash -f /usr/share/logstash/pipeline/indexer-to-s3.conf +``` + +After 5 minutes, the first batch of data will show up in http://localhost:9444/ui/wazuh-aws-security-lake-raw. You'll need to invoke the Lambda function manually, selecting the log file to process. + +```bash +bash amazon-security-lake/invoke-lambda.sh +``` + +Processed data will be uploaded to http://localhost:9444/ui/wazuh-aws-security-lake-parquet. Click on any file to download it, and check it's content using `parquet-tools`. Just make sure of installing the virtual environment first, through [requirements.txt](./requirements.txt). 
+ +```bash +parquet-tools show +``` + +If the `S3_BUCKET_OCSF` variable is set in the container running the AWS Lambda function, intermediate data in OCSF and JSON format will be written to a dedicated bucket. This is enabled by default, writing to the `wazuh-aws-security-lake-ocsf` bucket. Bucket names and additional environment variables can be configured editing the [compose.amazon-security-lake.yml](../docker/compose.amazon-security-lake.yml) file. + +For development or debugging purposes, you may want to enable hot-reload, test or debug on these files, by using the `--config.reload.automatic`, `--config.test_and_exit` or `--debug` flags, respectively. + +For production usage, follow the instructions in our documentation page about this matter. +See [README.md](README.md). The instructions on that section have been based on the following AWS tutorials and documentation. + +- [Tutorial: Using an Amazon S3 trigger to create thumbnail images](https://docs.aws.amazon.com/lambda/latest/dg/with-s3-tutorial.html) +- [Tutorial: Using an Amazon S3 trigger to invoke a Lambda function](https://docs.aws.amazon.com/lambda/latest/dg/with-s3-example.html) +- [Working with .zip file archives for Python Lambda functions](https://docs.aws.amazon.com/lambda/latest/dg/python-package.html) +- [Best practices for working with AWS Lambda functions](https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html) + +## Makefile + +**Docker is required**. + +The [Makefile](./Makefile) in this folder automates the generation of a zip deployment package containing the source code and the required dependencies for the AWS Lambda function. Simply run `make` and it will generate the `wazuh_to_amazon_security_lake.zip` file. The main target runs a Docker container to install the Python3 dependencies locally, and zips the source code and the dependencies together. 
diff --git a/integrations/amazon-security-lake/Dockerfile b/integrations/amazon-security-lake/Dockerfile new file mode 100644 index 0000000000000..2a5420e4bcfef --- /dev/null +++ b/integrations/amazon-security-lake/Dockerfile @@ -0,0 +1,17 @@ +# docker build --platform linux/amd64 --no-cache -f aws-lambda.dockerfile -t docker-image:test . +# docker run --platform linux/amd64 -p 9000:8080 docker-image:test + +# FROM public.ecr.aws/lambda/python:3.9 +FROM amazon/aws-lambda-python:3.12 + +# Copy requirements.txt +COPY requirements.aws.txt ${LAMBDA_TASK_ROOT} + +# Install the specified packages +RUN pip install -r requirements.aws.txt + +# Copy function code +COPY src ${LAMBDA_TASK_ROOT} + +# Set the CMD to your handler (could also be done as a parameter override outside of the Dockerfile) +CMD [ "lambda_function.lambda_handler" ] diff --git a/integrations/amazon-security-lake/Makefile b/integrations/amazon-security-lake/Makefile new file mode 100644 index 0000000000000..d93bcbb400e74 --- /dev/null +++ b/integrations/amazon-security-lake/Makefile @@ -0,0 +1,30 @@ + +ZIP_NAME = wazuh_to_amazon_security_lake +TARGET = package +SRC = src + +# Main target +.ONESHELL: +$(ZIP_NAME).zip: $(TARGET) $(SRC)/lambda_function.py $(SRC)/wazuh_ocsf_converter.py + @cd $(TARGET) + @zip -r ../$(ZIP_NAME).zip . + @cd ../$(SRC) + @zip ../$@ lambda_function.py wazuh_ocsf_converter.py + @zip ../$@ models -r + +$(TARGET): + docker run -v `pwd`:/src -w /src \ + python:3.12 \ + pip install \ + --platform manylinux2014_x86_64 \ + --target=$(TARGET) \ + --implementation cp \ + --python-version 3.12 \ + --only-binary=:all: \ + -r requirements.aws.txt + +clean: + @rm -rf $(TARGET) + docker run -v `pwd`:/src -w /src \ + python:3.12 \ + py3clean . \ No newline at end of file diff --git a/integrations/amazon-security-lake/README.md b/integrations/amazon-security-lake/README.md new file mode 100644 index 0000000000000..3ed15851ef17e --- /dev/null +++ b/integrations/amazon-security-lake/README.md 
@@ -0,0 +1,281 @@ +# Wazuh to Amazon Security Lake Integration Guide + +## Table of Contents + +- [Introduction](#introduction) +- [Prerequisites](#prerequisites) +- [Integration guide](#integration-guide) + - [Configure Amazon Security Lake](#configure-amazon-security-lake) + - [Create an AWS S3 bucket](#create-an-s3-bucket-to-store-events) + - [Configure the AWS Lambda function](#create-an-aws-lambda-function) + - [Validation](#validation) + - [Install and configure Logstash](#install-and-configure-logstash) +- [OCSF mapping](#ocsf-mapping) +- [Troubleshooting](#troubleshooting) +- [Support](#support) + +## Introduction + +### Amazon Security Lake + +Amazon Security Lake automatically centralizes security data from AWS environments, SaaS providers, on premises, and cloud sources into a purpose-built data lake stored in your account. With Security Lake, you can get a more complete understanding of your security data across your entire organization. You can also improve the protection of your workloads, applications, and data. Security Lake has adopted the Open Cybersecurity Schema Framework (OCSF), an open standard. With OCSF support, the service normalizes and combines security data from AWS and a broad range of enterprise security data sources. + +### Open Cybersecurity Schema Framework + +The Open Cybersecurity Schema Framework is an open-source project, delivering an extensible framework for developing schemas, along with a vendor-agnostic core security schema. Vendors and other data producers can adopt and extend the schema for their specific domains. Data engineers can map differing schemas to help security teams simplify data ingestion and normalization, so that data scientists and analysts can work with a common language for threat detection and investigation. The goal is to provide an open standard, adopted in any environment, application, or solution, while complementing existing security standards and processes. 
+ +### Wazuh Security Events + +Wazuh uses rules to monitor the events and logs in your network to detect security threats. When the events and logs meet the test criteria that is defined in the rules, an alert is created to show that a security attack or policy breach is suspected. + +**References**: + +- https://documentation.wazuh.com/current/user-manual/ruleset/getting-started.html#github-repository +- https://github.com/wazuh/wazuh/tree/master/ruleset/rules +- https://github.com/wazuh/wazuh/blob/master/extensions/elasticsearch/7.x/wazuh-template.json + +### Wazuh Security Events to Amazon Security Lake + +Wazuh Security Events can be converted to OCSF events and Parquet format, required by Amazon Security Lake, by using an AWS Lambda Python function, a Logstash instance and an AWS S3 bucket. + +A properly configured Logstash instance can send the Wazuh Security events to an AWS S3 bucket, automatically invoking the AWS Lambda function that will transform and send the events to the Amazon Security lake dedicated S3 bucket. + +The diagram below illustrates the process of converting Wazuh Security Events to OCSF events and to Parquet format for Amazon Security Lake: + +![Overview diagram of the Wazuh integration with Amazon Security Lake](./images/asl-overview.jpeg) + +## Prerequisites + +1. Amazon Security Lake is enabled. +2. At least one up and running `wazuh-indexer` instance with populated `wazuh-alerts-4.x-*` indices. +3. A Logstash instance. +4. An S3 bucket to store raw events. +5. An AWS Lambda function, using the Python 3.12 runtime. +6. (Optional) An S3 bucket to store OCSF events, mapped from raw events. + +## Integration guide + +### Configure Amazon Security Lake + +Enable Amazon Security Lake as per the [official instructions](https://docs.aws.amazon.com/security-lake/latest/userguide/what-is-security-lake.html). 
+ +#### Create a custom source for Wazuh + +Follow the [official documentation](https://docs.aws.amazon.com/security-lake/latest/userguide/custom-sources.html) to register Wazuh as a custom source. + +To create the custom source: + +1. From the Amazon Security Lake console, click on _Custom Sources_. +2. Click on the _Create custom source_ button. +3. Enter "Wazuh" as the _Data source name_. +4. Select "Security Finding" as the _OCSF Event class_. +5. For _AWS account with permission to write data_, enter the AWS account ID and External ID of the custom source that will write logs and events to the data lake. +6. For _Service Access_, create and use a new service role or use an existing service role that gives Security Lake permission to invoke AWS Glue. + ![*Custom source* creation form](./images/asl-custom-source-form.jpeg) +7. Choose _Create_. Upon creation, Amazon Security Lake automatically creates an AWS Service Role with permissions to push files into the Security Lake bucket, under the proper prefix named after the custom source name. An AWS Glue Crawler is also created to populate the AWS Glue Data Catalog automatically. + ![*Custom source* after creation](./images/asl-custom-source.jpeg) +8. Finally, collect the S3 bucket details, as these will be needed in the next step. Make sure you have the following information: + - The Amazon Security Lake S3 region. + - The S3 bucket name (e.g, `aws-security-data-lake-us-east-1-AAABBBCCCDDD`). + +### Create an S3 bucket to store events + +Follow the [official documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html) to create an S3 bucket within your organization. Use a descriptive name, for example: `wazuh-aws-security-lake-raw`. + +### Create an AWS Lambda function + +Follow the [official documentation](https://docs.aws.amazon.com/lambda/latest/dg/getting-started.html) to create an AWS Lambda: + +- Select Python 3.12 as the runtime. 
+- Configure the runtime to have 512 MB of memory and 30 seconds timeout. +- Configure a trigger so every object with `.txt` extension uploaded to the S3 bucket created previously invokes the Lambda. + ![AWS Lambda trigger](./images/asl-lambda-trigger.jpeg) +- Use the [Makefile](./Makefile) to generate the zip package `wazuh_to_amazon_security_lake.zip`, and upload it to the S3 bucket created previously as per [these instructions](https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-package.html#gettingstarted-package-zip). See [CONTRIBUTING](./CONTRIBUTING.md) for details about the Makefile. +- Configure the Lambda with the at least the required _Environment Variables_ below: + + | Environment variable | Required | Value | + | -------------------- | -------- | -------------------------------------------------------------------------------------------------- | + | AWS_BUCKET | True | The name of the Amazon S3 bucket in which Security Lake stores your custom source data | + | SOURCE_LOCATION | True | The _Data source name_ of the _Custom Source_ | + | ACCOUNT_ID | True | Enter the ID that you specified when creating your Amazon Security Lake custom source | + | REGION | True | AWS Region to which the data is written | + | S3_BUCKET_OCSF | False | S3 bucket to which the mapped events are written | + | OCSF_CLASS | False | The OCSF class to map the events into. Can be "SECURITY_FINDING" (default) or "DETECTION_FINDING". | + +### Validation + +To validate that the Lambda function works as it should, add the sample events below to the `sample.txt` file and upload it to the S3 bucket. 
+ +``` +{"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"timestamp":"2024-04-22T14:20:46.976+0000","rule":{"mail":false,"gdpr":["IV_30.1.g"],"groups":["audit","audit_command"],"level":3,"firedtimes":1,"id":"80791","description":"Audit: Command: /usr/sbin/crond"},"location":"","agent":{"id":"004","ip":"47.204.15.21","name":"Ubuntu"},"data":{"audit":{"type":"NORMAL","file":{"name":"/etc/sample/file"},"success":"yes","command":"cron","exe":"/usr/sbin/crond","cwd":"/home/wazuh"}},"predecoder":{},"manager":{"name":"wazuh-manager"},"id":"1580123327.49031","decoder":{},"@version":"1","@timestamp":"2024-04-22T14:20:46.976Z"} +{"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"timestamp":"2024-04-22T14:22:03.034+0000","rule":{"mail":false,"gdpr":["IV_30.1.g"],"groups":["audit","audit_command"],"level":3,"firedtimes":1,"id":"80790","description":"Audit: Command: /usr/sbin/bash"},"location":"","agent":{"id":"007","ip":"24.273.97.14","name":"Debian"},"data":{"audit":{"type":"PATH","file":{"name":"/bin/bash"},"success":"yes","command":"bash","exe":"/usr/sbin/bash","cwd":"/home/wazuh"}},"predecoder":{},"manager":{"name":"wazuh-manager"},"id":"1580123327.49031","decoder":{},"@version":"1","@timestamp":"2024-04-22T14:22:03.034Z"} +{"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"timestamp":"2024-04-22T14:22:08.087+0000","rule":{"id":"1740","mail":false,"description":"Sample alert 1","groups":["ciscat"],"level":9},"location":"","agent":{"id":"006","ip":"207.45.34.78","name":"Windows"},"data":{"cis":{"rule_title":"CIS-CAT 5","timestamp":"2024-04-22T14:22:08.087+0000","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","result":"notchecked","pass":52,"fail":0,"group":"Access, Authentication and Authorization","unknown":61,"score":79,"notchecked":1,"@timestamp":"2024-04-22T14:22:08.087+0000"}},"predecoder":{},"manager":{"name":"wazuh-manager"},"id":"1580123327.49031","decoder":{},"@version":"1","@timestamp":"2024-04-22T14:22:08.087Z"} +``` + +A successful 
execution of the Lambda function will map these events into the OCSF Security Finding Class and write them to the Amazon Security Lake S3 bucket in Paquet format, properly partitioned based on the Custom Source name, Account ID, AWS Region and date, as described in the [official documentation](https://docs.aws.amazon.com/security-lake/latest/userguide/custom-sources.html#custom-sources-best-practices). + +### Install and configure Logstash + +Install Logstash on a dedicated server or on the server hosting the `wazuh-indexer`. Logstash forwards the data from the `wazuh-indexer` to the [AWS S3 bucket created previously](#create-an-s3-bucket-to-store-events). + +1. Follow the [official documentation](https://www.elastic.co/guide/en/logstash/current/installing-logstash.html) to install Logstash. +2. Install the [logstash-input-opensearch](https://github.com/opensearch-project/logstash-input-opensearch) plugin and the [logstash-output-s3](https://www.elastic.co/guide/en/logstash/8.13/plugins-outputs-s3.html) plugin (this one is installed by default in most cases). + + ```console + sudo /usr/share/logstash/bin/logstash-plugin install logstash-input-opensearch + ``` + +3. Copy the `wazuh-indexer` root certificate on the Logstash server, to any folder of your choice (e.g, `/usr/share/logstash/root-ca.pem`). +4. Give the `logstash` user the required permissions to read the certificate. + + ```console + sudo chmod -R 755 /root-ca.pem + ``` + +#### Configure the Logstash pipeline + +A [Logstash pipeline](https://www.elastic.co/guide/en/logstash/current/configuration.html) allows Logstash to use plugins to read the data from the `wazuh-indexer`and send them to an AWS S3 bucket. + +The Logstash pipeline requires access to the following secrets: + +- `wazuh-indexer` credentials: `INDEXER_USERNAME` and `INDEXER_PASSWORD`. +- AWS credentials for the account with permissions to write to the S3 bucket: `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. 
+- AWS S3 bucket details: `AWS_REGION` and `S3_BUCKET` (bucket name). + +1. Use the [Logstash keystore](https://www.elastic.co/guide/en/logstash/current/keystore.html) to securely store these values. + + +2. Create the configuration file `indexer-to-s3.conf` in the `/etc/logstash/conf.d/` folder: + + ```console + sudo touch /etc/logstash/conf.d/indexer-to-s3.conf + ``` + +3. Add the following configuration to the `indexer-to-s3.conf` file. + + ```console + input { + opensearch { + hosts => [":9200"] + user => "${INDEXER_USERNAME}" + password => "${INDEXER_PASSWORD}" + ssl => true + ca_file => "/root-ca.pem" + index => "wazuh-alerts-4.x-*" + query => '{ + "query": { + "range": { + "@timestamp": { + "gt": "now-5m" + } + } + } + }' + schedule => "*/5 * * * *" + } + } + + output { + stdout { + id => "output.stdout" + codec => json_lines + } + s3 { + id => "output.s3" + access_key_id => "${AWS_ACCESS_KEY_ID}" + secret_access_key => "${AWS_SECRET_ACCESS_KEY}" + region => "${AWS_REGION}" + bucket => "${S3_BUCKET}" + codec => "json_lines" + retry_count => 0 + validate_credentials_on_root_bucket => false + prefix => "%{+YYYY}%{+MM}%{+dd}" + server_side_encryption => true + server_side_encryption_algorithm => "AES256" + additional_settings => { + "force_path_style" => true + } + time_file => 5 + } + } + ``` + +#### Running Logstash + +1. Once you have everything set, run Logstash from the CLI with your configuration: + + ```console + sudo systemctl stop logstash + sudo -E /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/indexer-to-s3.conf --path.settings /etc/logstash --config.test_and_exit + ``` + +2. After confirming that the configuration loads correctly without errors, run Logstash as a service. + + ```console + sudo systemctl enable logstash + sudo systemctl start logstash + ``` + +## OCSF Mapping + +The integration maps Wazuh Security Events to the **OCSF v1.1.0** [Security Finding (2001)](https://schema.ocsf.io/classes/security_finding) Class. 
+The tables below represent how the Wazuh Security Events are mapped into the OCSF Security Finding Class. + +> **NOTE**: This does not reflect any transformations or evaluations of the data. Some data evaluation and transformation will be necessary for a correct representation in OCSF that matches all requirements. + +### Metadata + +| **OCSF Key** | **OCSF Value Type** | **Value** | +| ---------------------------- | ------------------- | ------------------ | +| category_uid | Integer | 2 | +| category_name | String | "Findings" | +| class_uid | Integer | 2001 | +| class_name | String | "Security Finding" | +| type_uid | Long | 200101 | +| metadata.product.name | String | "Wazuh" | +| metadata.product.vendor_name | String | "Wazuh, Inc." | +| metadata.product.version | String | "4.9.1" | +| metadata.product.lang | String | "en" | +| metadata.log_name | String | "Security events" | +| metadata.log_provider | String | "Wazuh" | + +#### Security events + +| **OCSF Key** | **OCSF Value Type** | **Wazuh Event Value** | +| ---------------------- | ------------------- | -------------------------------------- | +| activity_id | Integer | 1 | +| time | Timestamp | timestamp | +| message | String | rule.description | +| count | Integer | rule.firedtimes | +| finding.uid | String | id | +| finding.title | String | rule.description | +| finding.types | String Array | input.type | +| analytic.category | String | rule.groups | +| analytic.name | String | decoder.name | +| analytic.type | String | "Rule" | +| analytic.type_id | Integer | 1 | +| analytic.uid | String | rule.id | +| risk_score | Integer | rule.level | +| attacks.tactic.name | String | rule.mitre.tactic | +| attacks.technique.name | String | rule.mitre.technique | +| attacks.technique.uid | String | rule.mitre.id | +| attacks.version | String | "v13.1" | +| nist | String Array | rule.nist_800_53 | +| severity_id | Integer | convert(rule.level) | +| status_id | Integer | 99 | +| resources.name | String | agent.name 
| +| resources.uid | String | agent.id | +| data_sources | String Array | ['_index', 'location', 'manager.name'] | +| raw_data | String | full_log | + +## Troubleshooting + +| **Issue** | **Resolution** | +| --------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| The Wazuh alert data is available in the Amazon Security Lake S3 bucket, but the Glue Crawler fails to parse the data into the Security Lake. | This issue typically occurs when the custom source that is created for the integration is using the wrong event class. Make sure you create the custom source with the Security Finding event class. | + +## Support + +The integration guide is an open source project and not a Wazuh product. As such, it carries no formal support, expressed, or implied. If you encounter any issues while deploying the integration guide, you can create an issue on our GitHub repository for bugs, enhancements, or other requests. + +Amazon Security Lake is an AWS product. As such, any questions or problems you experience with this service should be handled through a support ticket with AWS Support. diff --git a/integrations/amazon-security-lake/aws-lambda.dockerfile b/integrations/amazon-security-lake/aws-lambda.dockerfile new file mode 100644 index 0000000000000..7039c2b935de8 --- /dev/null +++ b/integrations/amazon-security-lake/aws-lambda.dockerfile 
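Review bot: in the README hunk above, the row `severity_id | Integer | convert(rule.level)` names a conversion that is defined nowhere on the page, while the NOTE at the top says the tables show no transformations; since Security Lake consumers filter on severity_id, document the rule.level to severity_id mapping next to the table (the level ranges, and what an out-of-range level maps to) or point to where the Lambda implements it. Two cells hard-code values that will go stale: `metadata.product.version | String | "4.9.1"` and `attacks.version | String | "v13.1"`; state whether the product version is taken from the alert at runtime or fixed in the Lambda, and which ATT&CK release "v13.1" refers to, so the next version bump does not leave the doc contradicting the data. The mapping also declares `class_uid` 2001 / `type_uid` 200101 without saying which OCSF schema version it targets; add that to the Metadata section, because the Troubleshooting row already tells readers the Glue crawler fails when the custom source's event class does not match what the Lambda emits.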
@@ -0,0 +1,17 @@ +# docker build --platform linux/amd64 --no-cache -f aws-lambda.dockerfile -t docker-image:test . +# docker run --platform linux/amd64 -p 9000:8080 docker-image:test + +# FROM public.ecr.aws/lambda/python:3.9 +FROM amazon/aws-lambda-python:3.12 + +# Copy requirements.txt +COPY requirements.aws.txt ${LAMBDA_TASK_ROOT} + +# Install the specified packages +RUN pip install -r requirements.aws.txt + +# Copy function code +COPY src ${LAMBDA_TASK_ROOT} + +# Set the CMD to your handler (could also be done as a parameter override outside of the Dockerfile) +CMD [ "lambda_function.lambda_handler" ] \ No newline at end of file 
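Review bot: the Dockerfile hunk builds from a floating tag (`FROM amazon/aws-lambda-python:3.12`) and then runs `RUN pip install -r requirements.aws.txt` with no integrity check, so two builds of the same commit can put different code into the Lambda image; pin the base image by digest (`amazon/aws-lambda-python:3.12@sha256:...`) and install with `pip install --require-hashes -r requirements.aws.txt` from a requirements file that carries a `--hash=` entry for every package. The relative `-r requirements.aws.txt` only resolves because the base image's WORKDIR is `${LAMBDA_TASK_ROOT}`, the directory the file was just copied into; writing the full path makes that dependency explicit. Smaller points: the comment `# Copy requirements.txt` names a file the next line does not copy (it copies `requirements.aws.txt`), the commented-out `# FROM public.ecr.aws/lambda/python:3.9` should be removed rather than left as a second base-image hint, and the file lacks a trailing newline (`\ No newline at end of file`).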
diff --git a/integrations/amazon-security-lake/images/asl-custom-source-form.jpeg b/integrations/amazon-security-lake/images/asl-custom-source-form.jpeg new file mode 100644 index 0000000000000000000000000000000000000000..c14d960f7370d3bb976765d3931e5c5e5c0c25ae GIT binary patch literal 59572 zcmeFZ1yEewwl3O8aDuys#wECG2p%j1hXBE)akmZ-Bm~#s?yilyySoGr?ryjLfA6|` z|NB&(d)}$K=hdsX7d5FKYc-2C=J@8EV|-)G^)mnR3xFvnB`XDhfdK$upg(|@C4d9~ z2>}5S;S~}hA|f&}5(*kFIvOe}8WA=Q1}+&f1vwcpDJdn8m5%ZaGc_qGJud?@8#@;l z7X=-^Fdv5yD<>DnA2)$PMn*+^bjc@X&92L$3qiv0hR=Hypl5xbLDe zD?5;>IX|A_eQ}sT!3T1!)13XG+Mk;J*A(;nZ)x_w75j%?ivTn@7^v~!umGZfqqcP! zH`QlPOZ}TC@NJUlU!=<dMm(#hb?$kY7C>*=&}v)x@7r-qrtWuTlI}^kDfD%Kz@Vf9}hFciq2H2VHmmJz)Pn_5FLU`}Z>O$1=gH zB8eMgSbgJ^HNBHf5 z9&O@AI<{Lxcf#54Sr2XVM(5oHy7;55i(JabZJty1C6P6Mx$Ea9a1z21_~3s2_;)!+ z`UY(|!8b3hVwT#7^z41w*%djFS+V^F`zGM8v~Oy~YlLoDU;UL|>*uoaJGiO)!$a4|&xjlW?(Ko=XD(3M19I?^ca1 zr>D?G9w$$0Z+?aCJYJ*4Y(lA(`B@=4?O5}$ zEagS00ZPYd`eWP+fCStCb(b?fYB#y-+P+^ivmL+GE}Ofy@QFuvg6pi7VdqGjTXl=7nU-(-3On+4LJ&#EPpj)oyamnkg^m47aR(+D{2x zJD9;Cac)KeXoM749Z;kdDn9z_^|Xt{wjC~<9_c2 zP*uy}`wCY@>=mv$&iICic3HcRMAv@)m|lD0!TUe|-0-CF9{rR#kYL zHS1#x?#5fLuIuRR!3zMeT=!aNlZecs^45=_RzBOzCH`ENSdzNPm-ZS3iKIGQd*8X@P?y50d~pS64{KQ*(mMjlXpWAj$8CG4-7LfHu=n2 zU(4}>sLrWSW1Wv{|)toFnWQb(~D6 zxhyR2Fu)TkWJ&vI=W3!Q_9$YcI`F0?2LwLw^f3*y2}p`SNKTdiIce5H`JCKH2dO{DuJb?*DDjl-eP*tqe1rqrtD zbcwbgnQ0SFarPw>hc&ksK*jTBDEZX{)bN@&1d9Q^rQCtZ*XGY-#6pwHOngITD7aYj z&Lgs{5cCq>Jg2C%Zo1U%f-Zc(V}mgNiN@iU+0h$I6-|f;<&tedOKDv9nvn*AQjDQ9 zX}BgYh4_(N(jES6pn}Lz*>3RAwOc1X3VZy+EnHN%ZibUhO#xQMmpx}gbO0J(@8!u_q)1h;z zr$y4ntEgYm2*O4QHtR0{uV_(i8e~bmj4+vj1rBY-v_b=C5^5A(d0Tpevmp|L;@62} zeU(KXJmoagQxF1(XRF0#}zfxknp zRz^j&0rOc6^UX@vVK$44s9K*#tyDylYmAM3%6{y2#;sY&h?&RXF!keaIpwN| zSn1S-j_XaL98SxSowq`oLwVxvX8Fr;@lIhM3fKmfR00q7PG(D&Z}UcHjY#WmjD|j0 z%uAtkG-WuZVN7uycJ6HB1vqas32N!d@O%f5y znsL-{1{>el7Ylb^pOEgL9{i8<%lhsb3|1JAwN8XS_5sk5IlmF}jGascUnOhniW?;p z)yyFUS9WopVn+CAvEbVv`DOVwX>?{+I&eFQB%qE86I(A(3c(%swpkqQrr3fkbuR(M zM?tL~buxe%S2t%=5 
zV(OtGsVlB>jVoeNWw(V7!VDKl7kSi1;Zco|otc2ARv#4+zX>+En5djL#J9Yr4O`Dr z;BD|uWo1hP0j~?f3=KAq52$Rp%sap(RynlcQoy(Q@9MTu}hi^?2oIiXzPEQn_a7esV2R*!8(F zMczvw&`K0Ufo==2p5o`x7yW>1*92n2wq^pJSr4UaqfUdq#6E06!=p zA8Ip8pBl_qc9WgH!T6pBd}i-E&~{R7!t)EE&tdx)P{D?m<7bMb0tJlEbe0=XXd-bc zWw(5nH}hKzM}8Gsc_NX>#+5qjd@&BcYOv6KI$?VOVA?#VwlEcC{qQ9vcU{m1;d>xt;&RBKo#c|*f7>}MPI89YI@ z&-z>BUGf&UcXxNyq5kR5JE22*1EUh6~DhnHn72JEJ-Hw$z%Qq!rUY`8|(y zFTTf?Mt!fYt_6c8e)MMZcuqy~by1^*b?MZj|NP(xZ&T~owo3&~03&2Ha?kf;m0p%k+e->Ip(tn^v3 z((?7^clWK3sWYe-mwvjjHz72!sJ}U-et0cL+9L@;18UsU_>cj=~1 z{MxB#f9EIn^77qhGb+1#n$=9<;ng>jYQ`Zlm8e;QOlV$5&BuK@mezyz^9QGBXu*Nx~ELU72xsciBH_bghZ+L$t^f?2EPun`~n!> zENiPMKgmzq?G}&;*Gzju=@ho0X|xO4brH1V&r^7caVOom=<%?QsX>MRNZsoTFj$~= zUzUXv3QsMr$x14>(#g-iLmqEA0eORmHz9i*y23quAx;A{(QdS$vJg=xC4jB4<3V4G z)`LxC!p+B?4FzWHmDH*B^K5LF06`tMUNJK9vaArrD)1zf{-Y{laejmz3q4w_-wkbn zYzM7mJE9D_UHBUf6bDH5ZN5hbdWb>UwLx-Ni~8d3gi+zQNaxcrsYNh?Vq+g>OL6nH zMs)5UgA_yjl_2GJvCgK`ul&*3sjU(WGIOlq5sN)Hr(OUvA0{r{oPL<9nZ|FZwt5CV zOhO8;uSJ$#ZG=8;m2m$Oy1Q>x|_v8wXZsO*B zitR>PsZaY96E(`76sV8nUN?K1T#x&Hbhywwi)R@yI=o3uN^X@8ogK!O+)R#4E29NZ zZg1)yn2QYi<2cjxW1pQG=>k6-jw?$n=fk9&;h9>~pW3(Jpe zn+uLnNP@K~m##zY9Q!D=GtJhuN@;2hi}1t82Mr|vcdq`^yD2z&EVzM=aGmJaRsjzl zIg=x#gA+R6!iWUO68nVj3RxdnSeC0}3OS@*Dt~lqN}tHxsHP`~hB-N@)@$w_3$fAa zY!i6Cn(0=>SlKllwx3JcEH&5MOaIa`&FXdZ0I+J`sK2H=)Ifj|2`f%V;o z(~*!{7j52(Tg9UOG{6E#*r18=nU47|Ox~)?Cwo>q7IGy(&`I1kFkufx>6g+E^k{I8 z5&48zsAVRH3f!ZGw=}F*Wr*n6A%L4F;r-ofu89LqeVxyDD$7R?@6j#XGOqRnkLW6;<#RQ3tVRkwogF9HAl_J8OT zm{Y5XMO$ua{GfgLi_JRvef+rzzlVEo(HD~z5mfe^q7CJ z395RtTxKpPMI2h;0NnixB|@g#;ti36b>y8WuADmF1pD5e4}EkfGDq!?W3?nT{<)(Y z7}(|-yl)oQw5M`YQjoG6rL6A_NM}KtaZfD!ENoJA2!yRh!C+%7?9^ z6@M)l_@zGs&-N``%p6gn?TWR9Wz-&4e{^q^)c)@-#z6<9Yp(rYA{4rAfm5AzyaG*o zsF^+aK>?-RX>I^m)ZOiehEc(3muH5vyxLsZa`St|=p=Qb^}u6UkqH4-cM>19(bq6V z(c2&wT7jG~iL9z--ZF^|B@8XgQz;|)*kzS)xkx)H&tLwUs|;tL}oGI&+ZK5&<__W67pae zj!)kc1hZa=0wl^6NSU0jBlzEc#IZw!gO3Rpwh+egZYv+hFJ*lJ%h=*{UvX>b8l0wdX4Yg_VVH$#UTW63G3JA08?jDNz=od%(CLY7r6 
zitmsG=l8J9b6nrY5pD80tHT%GT;|V3xUnh`4Q;I9a%YZ1o?2eL08)3cqM{y3T-rrF z7aLnNdXi?=Ld;H20<5if8f!vjU7fuSseT9(pbl{9*ovN0fT`=UprH_kTlL4}ZpT}z zZgrmP#uB@`Gg-^+%rud2W$uJGHMlQkn`3UP;ZF93_ic*%FTr#!5h zbpk2ABb36#As61Ly&@cEEV;wPK4H1y-bRAr&cZWYcY=K;l0!abcul`-aaY~qN1uh| zCYeAIN{v=l0pFs(g>MSoKYuzz)KGIKlbVyA%5Q5;7_9Y0?SGI5k=FxaZq+bwZ$s8P zSIHY@$}s!i0Dy9K#twD_7iFkDyw3vZ?H)PzbqU$Iq1QPzb{{s}aBn~h>V0Sx#1$w@@A4;ba-iof}De7wq@ zOQTQ%h}84fUaXX>!r$pv)3z?*At4)&!W&`s&03;?UeabpWcy3rMGS{T zp*D#fgf`;PH11w)ssa}X`$jdICyK?;Lhh}4`zXB!li$pIi=;g{#jFshq|2y?JJ0ti z&b9WjekWl}X3T5Tg3=}bK!kZ_`%M1Us`HvBfnfYSZDW0l3uY&V*t>Jt{=I`co+Ouj z`_7*<2(oS)UjQn}J$qa{gIpGAg5Durb}+$f@w><2 zKa0|E&qPCoR88_M8S*UD@124OI0mRsA`z%U<&c-AZolW$K8j*`_=x(hO?(F1LXm!( z_I&e6Xw<3=Xlbd5g1X(Y}v#WaXG&eYl)WqbbVY2R;|nW|aKyPPvo%-WmpXvt`*D!p-Y62L zcN;s-W-GlOwi%h}xs6tD3g4^isPXzsfU|+LbupB?l=WnvENI* z+FOm{mop%PU3_Dr0aQsW8+<}bv4NxK&UL}^z^JUFMOC+6P2;FuVax5hLR(iCmS3;8 zmP&h15yndtC*}$}L<2M`rU+ynbWfN*R7n#uR$`02M{OsfS9ama=%c8kHaL5V&fS#s@CC)>**#b^zJu#rs6Z7RzsC zZeb6)kwpV38`GZY(?MOy@iHBRl!>nq96v`$(quud3WW8>&?kt8$I3pb}lr;@8jT-l=1} zr-6{%+n9E%bshQd2zg05;#{_H1>frqw}bmW3eHhyM8NKOeA2f4QQ}O3Zo0-kL?Y|@ zU4{-VO$XFLcv}vE$%(Y1~T{~04jw7X&U&2?&nB0 z`VzV*u$@lum8^so<+W;ayCX9lVFsvz$r>n1J=Ab{Pjs!UNd4Us5J+vI5bn%ACbOmp-(lNM!A zOoN9l7V_uM+fYB7tG6N4{Ct$QzOb0$3cmHtMe^#SOwEYfo6SB2%{1PwuFiEp7Q@y8 zLtooW{^Acrc*Y{KL*nnF*z)MXQ`Crw;<<5GVmN(nGh7!XcPksywkXY;ejBf&vL*Qa z(=H(+MnPfNy&K{NYZJJnN5Dd$vk$0Ih$9oc&!$%AC#`y~QK0g%1`=Jd3b~lR(8G5* zi|BzrV+m{C%bwRFaXU5%%}+a2T0u-f?>oOKe8zbJ^tF9&JLDF}Wv<fF9gPZreNgoGOXDIQv{ivbvkN2N69@dQ`5O zyPT&Z=1H(T`%(CXo-V42E#q8zF^>0?3_m1SK?D_ffGb7p&~ z+|>DB0KsW|;?%O7ve^*^;wi46bd`yviO9vXCU{Qi zDXuUU>2FbGgSWKg+jeT!)o}mfvsmJmiB%6G7ZHUTjS&psVDG1 zyt$%;GbCX#Gb7;97f8hT>B=p~8ylc3u&9Cjlm)KKf#_h7_D4-W5d$~EqcLHNdGsQt z$OP3H>Z<51z5ZvLjO&m>Qi&lIYJj*k>^uOykMxo@CqZR8yIO`W?Od>PvdUfFMlV~} zYb>V1NXT~}cXEBUPeamv(R*g5x0pQZ=3^p>Oo$_F(JKd66Q5)IG&la;GQQ$fvX+^* zpBc(NM1Z*KW1P}tQ0_=6-zhHR+%#;Yww1R%27nKap?q$3RzuJ%t0?4X67@$yUG!0D zsVm!?fL~^%Ck*{ 
zl}W*;*HOjck+$&zW=<8DL?40-e9yr%jn-}>Y$vRQP|ekF46fy7;y?bp4jMM)byn_j z*ougSnf6d8SUi4fHfd|~)`8@s^8>vkEK8R797(nBsFKgL^Xmjb0j9wE8JiQ9lP~f^ z)gX~%?rvLVJOA@d5|^z2%BTypd$k`&QoBl%U*z?q&UJ#VTPNlE5LQ|s@o=G`hVD>r zdhJ;pI$uM(v@)xzR@Qb+-cKH%iK(i_m&cYNG&1>F_sRQ!=qfq6ekXeAla*U(iTb*> zOpMb}Jfa;n0KHz&e&Ap-W*onX%o%S$p?nox^wZDbiV;ExJC)j?ts2mQe=Du#AWU8* zoJDF&A0%@Ukj3zwr@N$|HzqWim;Cl>L{M<)e(%}Po7LG#<88spzROMgy>so#@Zq>n zs|Pd5iZ1}J$?}(33fg6v-=GC;&9|`%-8)Ou_Xh7OiKs(Za=ZE~B^~0Ea`zrck9BDO+lMZER?9I+A~w7<@%GdFNHP`OuE#+iMZw>}^t@gt}a`ENA^I{$NNywgNOV zMJ9#dwgWY1&P4xcWqZUz9Xn zL(X3Qn~l03`XlRt*)At|;~^?7F8J-E$h{gsm=w>;oJ$SjnfV1yDO$`#Ou0c#+Vy(h z>CLIAyQzb)s=5Zx7BZ^o9Ss2^NNN?20Vlcu5F2|K5Nww&0qrHjf(?r z@)Py9k9tfPCY_Do=5{+!$AZdheHXnkGV|xK(2usWM?khhRouOWj6!EfkQAwWI3FB3 zip=(6<)>CXSDEPhb4?ojsdz~&%q2a6Us&;kqZovnxH`56xn1{<*3LEEN&MvRWwDYt zgVYS$JD&+-2w)%nfx7NQbfh-CmsZ9&tsr!l3?Cf z^MvKmi3?5JD|>15^7nW1uNy;ppJ#&I%#PM9>z5$5Nk;mdE=ToCVGU#CaZw0`g#&hV z3a&!d+%Pci*wnOL$X;X(A9m{>&Fkt=_Z%zoB)J^(ZgXS_XdFV3`uV6&squz-3N5k6 zUZ>3+Ve!Uv+BDa!sv)S^NiC<`yA;;^NMvrNaCIia8A4r=$tUH<=07@+{ar?8?Np;d z%1vg$qBeXUyyIyQBUgcwU`I&*PHGt|^x{NedaF5B$$~YPhox4~Sj$C<#LC*nN7qh? 
z)Z0;U5egRl9j4S&yulZMx#hVPj)cvHOgseZz4-Y%0nFUQ0jhHcnML+K32kk7NP^4x zir#0g%)EH6h%W_VRUF~|z+Wmh+1$oSeD4yC-!FF%IKspW18(x?P%4zJc_~}!Z0o|%XzR}4)hLCI77ZR)Ts?YNyR`#~`p0?NBoOps| z%EzE4&9fVU&0I>sL8dX2X<(90syYJSOtuxh@K1Qu`$SR3$+n8xiL&PvF8sN=2_z#m z*Y4RRF_j7@{$HE^V;(NYOxJ=aOa$FAI7WEU62LKc%FsS6m?ZY0O&~@i(!pv~NiAv{ zYnQZEPK8sv4A2#6k})e#a@S$2Q2%pav{eX=@9yc;pw6D=9xt%(k zAy1Zbv1|w!1`)ECD~ddGKKJ0S_2buF2v$e{#No-saXA^OObv>%fiYiS*(b%`)Lm=T z#ppfdQRf5q$$=y!K1hV55oJEL88$YyiWOrXM&a`VD2qjTgzoOk-C@hS)bLJOa&t%r zMp@FbMq1P+P6jAdDSjAs7Bj=<9IN8?xr+mCrheXnBUnGD-A!Cz{17~N9V}Rl+lbRj zm`SX@XRK|1!^Sk@G%Mw2(9fVxo)gjkVw z(!bowMEH-LS>$CBuZWaMl513n`$8EE1PYJ(p#DRWOCtACiVHOHHu9=B+a6Wt&I&@3 z%RkDQQeGxp2q#F)6ydKmEiz`}G}o!#5@KovW)b^ZgiqK$1`lvGE0xDhVBz^LynSbu zwyLGAO8hqN=k#MUG!M6Xo^K$~$P@vRQ1=_U+tUtM8V-`@Nt7quR~9$6euX}~KU z{-_pQ?yP0Qd}w2nG?Ho>Ijm0W4$Fq}n&azwmHpo0517dwF2`<~!1vKSzx&($Z$rEt z;xm`lYm#YA46PVezdHJ@W?W^mz9l%UV<>K>kEgJ>SfQpFwTB#UT87sXZ8=JV58Cb! zZ4V%Ksd{(;thsK_IFK2Q8&#yu`nY#~D0aGzQ`;k^I#x+xBXbMgzld^qRoEmq=Foko z8dS#glVa4{B3TqWL$*L^=i6Sw!XpQ=+>?SQ=aKHlok~N{X+Y>%S4~0S_-NsNQBF|OIyp8pcjl*jtxop%z8k-tsVSOoGcB?BsCXG{yOcvfz@a1SGCNuYd?yqD z4Cot+6x%v`r$2YKkG^yd-EBo(kk#-c#jo_^az|$%OTSv~9sLI$A`bqK?k8*E>}oYF z>i1fgg}E&_VG_d^EOqpl1~?sXLRd9hX)OhEzlo+NByqp~;qEs;3r0Bd^3ibi64-US zfa5~OLiT=IK^3ICd%89GpPHslC?%&^owm%89zM`AY$?0|TEy6L11F|KQ=($@a&ck0 zP|f^QoXzs}dUAUTB$(}3nh=z+{HyxH+Kt26=TlUVF6XAX3DH;6`D36%Jq)b?NrRCi;|g#+iny&*1S(o!?C-Tk+QmQQ;d%e(Ta!`&l-(ib3!F<7-0J{=r5aU38r`Lc;RvEKc`U0@l zLhV1&+Lkq@QuTUWBumu0!JgtWYOxRBrC3QI^;=8lDI>L4pTRX|ioe%lj)x~9^VLcT z&NqI29=0W=f-$*bk&II-6>ZE`3GD$v9%KWxSo>S{Bek+e35@xi_yLGK>3DX|ga9U4 z=Pnw|Z$%762G;bsNKT0dp1vd6%|rE7Ps~4Vk1asD$rWYc;l(~es?IZ!vv#0HrA+a( z9u6kt0W|ed1jt>-Pr5f9ZP;@8({3U92$;>`apMAd0)cVcniIw`B=hvIDyQgL z#JHBQoNNN(D(dO%69)CR?sthsw6nf4cI9d6GzsDJOmM;y=E&vv&+(C+GKwC8=(Fgq zP15?$vAhC0p#khBw?_!TZ)0%w80OVT4d*+y_YP7-QUZ1s(R+0`!SCzTCy~H2h~JeG zo=-@9@GL_B#XQMI_M++Bam`gnOFKexBM~2>CUYNH8p1V)v8-cb-W(D-cti_M*C@ZD zow)3+lQ*3zMQt~A9KnT2%rlQ~G=IA- 
zK{Mb^azw6-5$G^K_L(!h7IetGU4tL3Eq2|N!$Qb#XN3191n_lX@u$(ZrFUO~1H*XG z3#8v6TC1?6mUODH)Nmkw#kLJ4`{jfQp}j6OUYXs_)IPF_>t&6IHVzJ4c9Xn-+3WinM_YObxr0!X_`jhmB*nb8$99ks^IjSC}N6UKhD z3Go(~$Ozr0W@Atj=_17YVrAv|!_k%tYXF&$y%FJ~NKi<82%x~JMQDk;va*in(3R`6 z+!5V$s8L0(0O-36=7J9H*B!j`1gvzm&4|uY6*1f?*{Q4xp%#%Dq4vQCLzQ}7Ww%}7 zJ(J1HyPLaN{3=_3$nB?NxI72`K1+xs;2j7wQois3i^RLhtJL3An0*Sjzvh4tHrTp! z6J=@6SdMMJR|-+rUfnzcWpeLYwR=L|%ob?^>sP5|%T-A#Vl$gB?N5t>d+{!fFem zzFb-eplH!FZAy|;bBV|hAhkoY{M88n)h9oM@RvfAR8*PlVhCV>pYBX(>URdp+QO`e zr_!|`n0sDOcAIs_a6BeFD_)00HanglWDrFInq-nfa%>+U8-qJ9##M$#H8HRAn*bT& zcljcPS|6mP3QR|!eUyn7G9M$NAuOPAV6*eISIYXzR2q;Zjca8A2*+Q;4(`Qj5j%7j ziqN*&tK(QHU5-~Db7-M8kA)_WeT}%G1H?!IM=rX?+*s^ggGwA?8HV+*Pn>(R8gIny z&1~r-{WfIcAXroUq#Gp@VtC=HU#2A3s~{YmfbYZd4S?UcQ0;=99+=GHepN%h=e__m zKT_sC*OSgbL6qX5n2ZY|_3$pDMlUHw`6}h;$9|wHYXRa--dXB?w)__30M{aAhf%O~ zcA}~xhWQk|bT|aMc54o3*Q`U&CJlX^@=0_-+rIh1aO%isCUw;{y6NJeiKsYM8ICrP zDOj5*TlS58ptN#FP$ojQm7qFDeBHN1WoasU5oa>o`*0=lE9iiNk9Vos9j*&FPt#id zy6u?SretZIF*+qqnn8(%$81aq%F{rVZ#KK5`?8Q=P+L&MQK8vXQ<|Fk) z3HKK0{moZj4f!b}ZV!}O3MPc#atx`4g6_KRT>B~R*Z0!vqw^5hpO<|fKGDfeDYPw& zrdt{=Qw*JJ*!*I9%^tc@rXq%?uTU8c{C-%P#06$o?#^LyUPj;(xuUG8QYxZ$f)1)>IvAxmIjOFy-w;$V7^kjn8zpu{Xzke4}N=Wr7 z6cf=vny?TGCidTrpV;MbwM~+w>0#e%;v)8a2z68vP*0hK(lz*bNTXZ9olT$aeM3>8 zqeYq&vj^bEmo4*^dPoh%{<5e~W{Mc;mw$%B0}>4K)5Ot{>Vy~;OKBt0yADiDG|6uiO@w_zdwryz5M`&d ziKsv#<2}?TPHbhfwjbFCZlH#Px3Wdi`Qa4E{f%{kP?>=I=Uzxzl2lS;GeiC&^G5&~ zJR{y$en6<>05`Pu4?156mxfhV)Ux3(e_<X&d;>uR2)QNFmE)D1q49%ihNlP5% zR4>RtGOMX;a7)`*WzeQwA&P>-70DJx=V3zSV+Ga+P9p8bob*S19l4^8QU6DN_|N<; z3S(YA-twZ}usTO@SrW$^#|fQU$BKP3x!NR}@H1#y$DWz@BC&Tal6DK!7v9oGor|gm z^V_*bgSuo*PtQ``iZDQX?vpQ-=||}iENh6+x#ySMgwHcZA)1SVcGq(X=p&Ol&6P!m zXr3qN;d>#j7TK)zGE+u153#wv}(cR3#Q9Y{>@plTRZWYw2)YPU?(u&}MrG|!IZ z)l@Re4elF-@(@Og_a6f~t_oiO>(n#RqZY)gJhsd34%|88eF>2a5^eF6q{kF-Jhc@u zle>D724IVQ^~G+UgfS2el^hiJ3d0|-CEnp|G2a2Uw2wb;=*YEgED^@ zyEBA_exldvdCHVf;vP_DzS!r!Nq{+6Zi~%4htzzO0{bJ~JD=|bV5|XM%p5UqJ)Saa 
zs_UZ{Kqc8xZ=yMRww41Beu<%eb?@L8iNm=Ct2I=!E6&Oc<<&-8yHKVlpgA;SB%I!q zRfV`7Jb|@+r9V{&gh$vLlTyo)k9QlxEuD@SkL4b?a<1qRfk3;_tMs2FI9~v$@wUn4 zOp!AEM0k@bG6I_0o8#O_rN)foM9-@U!4X2?Y(?1?F0ZOPb`fhu6bRJnXR;d7%oq8N z8O9ppTxju*}%Gm{gF&CnoEeC8-*L20*60oI2ChPX47jt7HScZ5P#_*J@1C4@wyFaop zf5t5T-Qu_ZiNE_Zp5p%%zJnO3{K1B;ogI-vrN3nRbSJiMYUwF4m6hkN6gYakq^PkA ztmxSD@3EW^Bho(&+moUVU1CRnGdyhS-P7IV80DPSn8s*tgZ zavVmIb@qAhv4=$GA^!pw5c~1S_Bef5rM9gR%r1uf?~DKLg#QU7aBH#wU4TAszT!hG zX#QUNl+d=&sJ3#Gu;ZOZ8)JHC(>}^M$|QpBzS$VR_6ZU=-Uqr)JzI7!tmfmV`Q(4= zsNtNX36;^H|ja}i2xA`)dN7`ac#PawR8 z5qz ze%L%K(Mc6hV5geiwPKS0X`^pEZgN5f4LA7Z~A*t1)A_pu zjewboK9o;b@dLk%_)BymUhhM$L3l$8)IA2*cJ3d#`9W=*CO-O&d_)Jc+lP84dKTtra#=I_I9ND*Fq}bect32 z5et{Dq@`4>j_nK*g}Wv!=A1T#qZ-)93>06oXJmyi{B_6ke_WUUxc;B6&B6?`ZD)HJ zPmcQA3jg$33>!*@{kJQs|0foefBhefIik>AYX{I*^Zb@7ossc@zVK;I`UNl^29Sl) zd2jyMbl4ffSVEi{Fw?cPw5FpV;C;Ipry9bZ#Xz{pEbV2iVWevt(ac$BCAuJx7d-v~u-xM%_hKKmi}nvK6mCQjC_dD%FLW() zdn-B39f5ZMUc#@)!i=A_z{zCs4;M4+KM0vh=+(9s7zs~g)CDHQD|kiY>3t`JPwnF$ zMKrKVo&`OcY+@iD2&iYSKY%#2sPwBhu1qd;`GEGFp|7u$6eqkioHvdr)Te7uJ{73jTg4{#Le^;hq9P8GUukE#V;yfx#;Tm{xAHCDlSwQrru5PlN2dnnqm8Xe-rF{7WC_V}ti z_w(=^pe4e)ngsTJAB8iULtl!0)QOgZn^pJXb9VW`VtgEay1hvFy?1Gd9YOB?Ab>Ap&^q+?XgY&7O&n&Esk)tt@>)pMF-!by`~S{=}GY0X5F_=!Wa)C2cr=J(*lud(Nv+| zsd{z71;X!ZP82&&;;`c%b-dL;FLcxIalvsb{xEsjWOYD+DQ8R&;Z*sQ3`QeTVwv8g zc(P1wX4(*aeVZ-SHpzACECaf9o-%psKsDd~v>7Q&CIBZ3dU64m`a%m!%8D-=AW$D% zRDu{iuOsRiEc5c;WjEyN8CU$v1Gv0gD7iivwEao@(U`5 znQup*FjM5zBgO_381+_rP)`W;2fFK#DVWrmcwb!PuCaA2!Fyf5(Ui(5t@%hq9?6`bfNnYdluFBq#0%GZF=QlcAsW!y27R^1DMBl- z5!?mt5PAXhfU$72en=Bz&VmdJ?C={70W<{v>hqCn7=|1jvbHG zufVWtJsYW}Terqm*8;Iw#!SWB`LQy0anqQDX7f`M=1pw_;0}WFgq;__FA@%~cMTNS zQa@fN7U){^PH4L0cl@m8>u%_On#Itctj)U($k#r=oY&h+8mV#AeTo+xI2_bzPHczy zJ}?SR^CVshd&=Dg8I|rO32C^z&674{{&J*xIBy_(*I)oRnr&!mL%Lm4Zh;7dm5xkT zSnfH@u@u3fz9R{X#0hA>rx0^gpmA!0^5sLyuGQe#wH?dbAT77d+pl%nt!1o->)*b) zB9k>xM*xeB&D!A3O8c8_t+Mw7&{M7#)A9>f_RdDXRDTvSelPAqSrC+~k1aaqILhHAOHt#%uHObR=;1?BuWn*%on?1WR_=C(>{t 
z8JG&>ed!jt1&_A_VUJ3?_uvj;#YKB(EA;koneGBoU~z2%H6L~5b)jY8_g7bS0Y(V< zd};T5cxJIqW^geYd$nd6@deO@LgN3`T~&n`E8zRzFMxZjV&{(((31Wu=qnH}sl~9N zUIEe{Q5h$1H@lv~`ic}2%bJC!E7sAzqM+v-9(isyou3Wm1i|5AH$H!)B&swA7Q{yf zaCK8IomH2wCazTmVK4k&?7d}FUD>uZy0PGp5Fj`tXmAbg!9s9%g2TpLf+j$MOK^90 z*|-IFcXubalebcJzjmt5yEj$moO|xOuYL7nwYK(NI_H`)W*>d@Au;$y;+n|9rbseZ zGQTk!LS9u~=XXVT1h^_HA#Ioee_<8tRw7NqxT*Dj&E#W#I7w}Zm38|rJX z>`w=B8&seu1f3|fBGFo&&aZ`llLJ+g&gRJCA07xfv{{{Ejx`&+OTF?W5auycdK-lT zqCQDL`s$l=mK94+Yy#wGG;YRE-3TpjW*Ycya<#Pr#oTJzL+da5LKmLF`n42?|!x{5iUwMg&58(UWxrR95c{P!vRhYyqq#d&TQ zsFrfMOT>>w4UrAhs>N`0VW{;97)ZvMbQbzj7rT>5R8ya}$yTkGGcF$r)3@~1gU;4+ zT+eo?Zu%|0T|88y=K~~?XP#Y~hF7-Ri&w6_%UNw!Z&z3PniVEOb@X=v#?u2f6XYXJ zc0X$BMLGds0T%hMYBfI;Ykt3BmGE!)-`jr&&8Wx8{FV&)OK>2}XcG84h$sv&s@NVB z$A0$TmGc|5O;pKmDA1;Y*!|I{t@`W($h`ht2o)p7#jDus~1;^sj-0h4+q| zU^*DtI*5Cuh~;6hm$d*H0TFeOHc5CDE^Tn7!Pm!jbr$7)Czky-2iJbigRaAm&asAO zuA+)9_BX+9?=|NOLBe(oT~U;q*P=N3aGvTRdmZ6(6{33Htsu^1@WwsGR0OOn}J!Mk14j2;RJCxn=yCsd)rKkj0C)`r{5*BXYXHfD-oi z-|oNq{YT$4dipykUHGee$HUVdaaYC3l;bV1941ddXc=xU=;^pq4ufCOnt)zIL&&o9X;F&<^CN2*G({gYcv$5LOih%$O14@z z&q}jr5nafn*KZZTb%}l)np=DyktY7Zc>13&Fr(OV?py#awdT~dB4w78DKKnXd;S=; zq1Z50_>0ZBD%Ce*vUY4|gr;nUNP8S$`hpV}K`PSqp>_g;J^`C&-$5AKk~#CZXL-d| z2lR`h&V_Hn)C4Tn`VHH{1Y0?`2*$CSm?CAT&gL}e=yx^n=U&yY=&?}==bs>d@a=)s zOQ zURqsyVs1-sIoOJ6KyiXT(44jhAv%Mq5U~X;=EP|+Q{Ik_kPP!YGpiSB83LBiar!85 zZc0!qPdEx(V*>W=Ym3w4k#oTI5XUDZ7Hy_TR0JosocAmuUJL1^8OO|ho`eym>VcZ( zDm4OSz?fHnf!Xb}miW|n-exxD?XgsLfg9$N*@gC)Ck@dR{Q;ykN+cMudTt+1p~7sb zO7Xv_@a8%Ikn)&3xd1MzGsTTSq4#;n zem;&`HyIkflO78M_ecOAQ-#55&6$26?1Sh8@j>?i_@s?zA;sB_5(f}_0A1vy;Hy?8 zHFi`*-A^T0PBCCI6<_JgE5)6(SPSC7Mt<-zfyqkG@Nqu0SWU)Wz|1AYae_6#i|{MN z_x-zB{J)wB{>T284Si7e{1tf7$$tXa@-n{~psDZxp!AE)$yj*6qEa2*_S%j!S1oYU&~?W#+3n^YvaSd$wKBtzvMVYEirLftxwymq#Hi z)Q8q?-ih&F<7sxR?C%BbIicqeNx?GAbW4nyTz7NMtps7#W>trgxo>BE>r7XgmUtA% zN5c6>S`ZjT?V@IFDxVCQIgYCg@AA!ny*$RyP?BZ2yOth~rsj%X$2Y~1`LT{$;I>6m zQ_2evO0x{B@USk(Y8Ew5Bl@y=R=Z~mNM$oiEE{v;?t~6zm5m&cd=OTFAWcr$^|1Fh 
zQL6&O&Dtn>m;7f!Hiy$or_vbB?X=*``4~v#zYOGody%6GE)hV?5!t@r= zOzP`#Ig#gorp^43<&a(Z9TdvJzZd@1$A;Kw%xQ?Q@W{XERO{D;o7>Kz+`LFN!s_yF z*psveUu`97NjTYB(Y-Fy>x-HvI}eFB zzM=*p>~&uhnYtV&+TV}%E_b$*=pw*+2PJ-E88VBeGiuXQGNNu(i!%rg%hj~( z))OB`hC7$N0WIu4RV(GFVuVtF~l$l^hV-ny%ox6)K!3weyQ{wWi?Npmp77m24nWCOPwUyMXK9bEm9n}x7RH-z!i;n5fLOQCgZ z_hYH*W4OfX=&`rz6iF}#NP~}`dZ~K*!d`NuWuHA%5#GewI=^t6lb}22)jz;DCu*C> zsD2U~UcHg9$vwBBa~Q&9Coi$Q*H>$4+%$<{x`pjk>6n1^8Y7Mae`s-#>v(Fmj=NE4 zvCC=}C7|d|h|*B!@)In>S^xtZJ{ZGiWtwF@Kht~*Ca=xMn%7m%sitV`=An|saQHB? z{i&HF`*BN*1fEtaU2`lMVj|Y_7}HkLnu~l7f^X*91a+wB7k0vUn4cr1RSy|u#J;fq zFaU!ti^R|8lus8vKTZo0-7OrTKc8nzHRd_X=KoZfk<926ON1RWpt=xnV3En}+ug-U ziPM3!6KbzG&O>u?Rdw|+S8=N<%CceHJDuk4VZJt-+p}!N-Y%>Jp2jKKUC47|91Ei7 zX=ZntKLeq-O^NUofnlxoKpaFKy(w zZFJuu2k?WEJpnh>jO;6wTOJdgohIW8`L`*%Wt-O@h??p7@%pU%!x0JtWZv;y9P`jx zRc_P-k7Uv_W_c^aeHwH*q$%PG&V{fOSsi|Cl0L{eI-ChfSzP0#=41=R$z-Yw86=D} zdwu9c1seo%g{E54*}EA>mVHeE2_eCRl}&wdK!9S+jcyiE@l3OVe7+myxxUE^3=7}g zG8}U9Lb*p2t?R(YTs2A#MAF307B7F)R>Dv-tNtgh0h#etUt$oU-$*t=r_fbLs958d z1+66-v&s~xX=t)y^tOpm<3C|inzydiWn?)tRi)QT&y^^gZX2U5m%#OvtiIB+OYfhH z;UHUsN!wFAd@lmmFvaBZ6dMxHkr+FT9-G_EZEaJZ<1r3Q-p1cS7Sk@!RK)~m>ZE~cI1z}rEAGu`XHa<}N-^?Pev|lq;qjbh8!je; zI;5mff|Mby3TPz;5J_{xccfSZozrlBLeZU2d>=Qx=tmUs)yGERl8Tw|UynVSo=+ut zIyN34SE$D7&EAVsd>Tt&uI-{H);D~=Z{)=wr&Pp-3_f@eW_lUix@JH^_iN{BlO>YiPR#ODK^Q6MR`%XpFMG*2r#2TTPrraFYIPaJ(%oLkwi9;(vR zB8NO*70@LmP7W6`iqWtRSNaB41fg)P;q%@MGtsjeCh9=F8mg?cjFmYzWD2&$$CmLuSTgoC)W06`9Ex>bPX%nLqqFb&?n#OZPv$JETonU>2 z^LSTz;_jw&M5+Nu9{Z(y2YE37vDUdKY|S?afVq4H{T+1Y>P0eX|FqyO!4O_3O<#N1 zb%M*_#<~S>#Q@$y(Oe(ufDiW|sk1mzVZ8>S6W3Z8C+-biN;jaPu>Cv-z*2$b{P8YN zu+@VPp63Io8L+{#M!)Xaejy@?r&=|ve;v<+Os_YOHS&t!gc*S{1ig{rj`R{i@~cN6 zS$KCOi(n0V>|AW_Jk!C{aY6D=3;*iykgQP73OTJ_LZr>bM08cG9d)9g-uW3QMq(*lET@Y-dSsvGxz-YM zsd;#KV)zj6E{ztpxRuB_M3OAoAc9e~+DA)K*VZPuxk&Q&U*_)~APYzJ{?)~Cn_eTd z$!k81N;S>S!iL~^ADrWGK+pp9(fP98!78V%S3jQl?}hG$c(?M zWugq48E1EMtB<>rgS9A$RhSXRpAj3-gYVSzq z_su5s_l+tK#V9lbmHZ9EOq|e1<&bHy=P$*gMRn1#6GNt952(W3649eFF; 
z5siwgv$`!2$2E@>LqwpK&GK2-g=dEh*~V%!n}CX>Sd5=)>qYT`>FAqk z3oBOZ0W(|w-d^22`By$1t!v3In||7Eh=f@@SFk917F_VJ-K4db$gskiyPe+G4x(#E z@jMVkSae&anRpDJ7TV4o5%byNSbo(_{Lsm}yA%%0-NV8%-$5-vT9mbM7rdo=SXQ7f zLU}&$3iwH6RG381+V&wbrkBLgk~eL43ZNjRyg!yL{_vtk;l1`kW`L>ET3>ytEZY7z zv|$~a5Yc~uq^$#!lj>n{;&aR8uq{I0l)jisi^-QCtyEl8Ow|vTB)D3DFN(Wra*T2RzZ%T zc$=|eR0~=&5U1nTTpZ1%Zq7bU;<3-3S?_C6w@ zwYcN)lA!ZyYiDGeUJjFY#kku~mKEgtDa*E3*m>0}R@;qX5r?oANy?3;CWr>{ zWm&vr@>%gv5e>fPvBr10dsLqKtuyc4Dt>hZ#D5=qvVvEnB zpAfeakEpRLy}>oO*Nx@bvpXxvN$9RC=OAx#4hz3SXlBda?yF3S5yKjslcnd6KH48o@m9{{5aHs@+G z3KI&bK}59AfN>cN7?;orcP8IKAN^kgc3~%A7ka;ZV9OE#0lttn;dIYo{U1})m+v4v z{*~t={M$@F481p=!KQKoxXs_fwo}e{GFj!;`TB(C_ijTjFdHXMcGGxy~SU3 z@t?E{c;2EtSE<1dxvh_K3~5JayTiK(cKi1gy+H6}ky@z#rdjsK%>C1umR5>Kd8f%# zo^6nw8^m%o_M)*W=|b2JB{=9n0*XJ&(7EF4$W^3ZboYv}&Z5B9m8Shr**b9%fYqbk z5%NVCPB?Jj(Ny=#w%^OSm0j}p?a8DPZk(SNCm542toNZj395hy%I?HBhLph!=rct< zsjk*HAUWS|!7EwS0D~LROo|VR4_}Z=&x!P>`Y`tLhO%{PQGPl)dnvD4Vo96c7?fI9 z-G1`*Lk*9apf1{ykm>V^VS0vxB6_;iWUYw#T5%QFLtSPuLJq>+hS`ZinjI#%KHKd18s7 z1=?HEBk>lN%~jAmr&bdrJRRiCo4dL7b#E@-%J~q6hA^ZrsSPeNiDAcZj@Yrkjj2_m z!yA}<)k8w17rPf^7f`Z_ul8d6$grur4jkuzY-iz68QadO6UhrT=$suj3*;DzEy)^^ zPp?Tr8U*X$X>+O0OQ3X$MI3HE3SQ&Hk-h$!ci`ROIKlgrra_ZctO8`YtwkC!7^8;AAZmgQxS91QyUs9#}49GFLv=wo*hZDdSkjvta?X|C>4w&HH#84^oUw+~s4hETw0PML) zA-`Vk8HXZHI&!_T!6|W4N5T)ruoF=e_FH3~l@SjUg|A|6W#iszh$%F4bgc^$Rm7S?!~kjdJkFSFf%`Zqf;Hlh`uUreo;p*@$RYq+WB!y* zNJ|jF;GQf<6=+pWrew_yA9cQ0;|vusfJttw>7ZzV+|+V$YAgC3Lh zJ?kM^BP@t%oYD_$Rey~g!z|)}_K7?|X*{!9he>oa{}V#gL`;+=yzBYROS)$ZS2}mS zO%NbURrnUAqWv-Eu|#1UWu12~4|`}5|0QmJ^mmY*2}#(!tw2#T^itMD@H{e$W>rH# zi9KY<39~(yETfrp!4*bJ3-eG47%l!^i97y`aKOLyoZmVX3(kf3uK_Ddi}*W8h!u20 zmG1ovAl*HZpJW(}%h1-LhBtX(ti+256Eyi&9vZ@bgLU$ z$LFHkPcHyc?xH<9X1?6`8Ob*hgRd(E_R+7BFD`aD!q-A*{FRlI@x{AkyFxfALRO{+ z13LrBD^CJV$m|0+IT}07V-6LZ zF*w@ba2;Y7E;W}Lb@PSpPL6J+DrB@1Hz!^~pWD(u8pWB+ANdp-UDE?Iris+Bp=K;# z4&G!FVOSeJ94U>TOBZX|HGU#cLaDZ@CjM}96>PDhE#Lg=8&tOv35zMO-aL@7l|6yO!VioFZ}pjf*?x%#=tAT_!@z*s(e|E_OXa(I8UAtkE}qT2;^_ 
zqK8_@8!NMO75?oq)YxpHLS(%K5_Jy+02=?h9gKNR6HY}kV8XkLGGQys4?U_qdIuz& zi$(XXV}w#>ljg)HEIOW3NzD)bY%u8iea$y$yTq3r00xVfam#%4@S)EC{@Cg}sI!2( zgKJ|mlp}A7Mp2V@EjXx^#mENB(J&vR>yO{68^~pTlXT}&4=jio8^&1; zOj&&2&!_Ogi=7Dlkyn}L@9voU&|eQM9S+j~FByO>ALkeH$XL;xO7C%5i?p>VpedOz`z&_rHOegtrXH=V%bo8w!=marSgIdNt~a3@w$tU>s0Lg-o3T< z51!H9aO~bLQ%A_Wp}2GT%oJrLH~g;Li;>R=dgb)P5MdoYmr5YU=4AiwD-~>(Aw4S= z`hlSQXO5%AON+2DgIpu`9-ixfR#$WX=-th;Qa2QMA~ znrm2P6@W9OY&z)7#CV<&j`JS{dOom;T^KIi!#kkgt}cBC1uMZHyXR~5JSl5B(QDE` zq<74TE-wRl60IWYGDGbRytrx`I9i2B(ro&HD+~#zMNYKkl3EDoN|C}7^+Q;MCYPqp z>+k_rYCRtDfBg{UC`_+`Kd9Eq+*FjMpEc7r0ieI`@tbb@KU5zTcS@_>cQja)6{qvLGQCmS*moV+YivNL z&J1s@3drN&2qLhV4wx@odi)*KT>&VpP9-kgKowE{`>5f+^$#}xcA+QmgZcKv7FYzl z6H#dflmf>N8H`j+mV>%mL1bPmon}eN5Uhc|xgoHPA#=wTT} z?UV(^Aa?=hyN2LHQV0dEH>e(Nmt~BzL*iY5h_j)}402I_^mY+Rzb|)4Qf&wE)cK`9 zFoJdZVo7UhNO{8yKXV@1!Z=8s1+C@SRN)4 z$)}+o(g@hxIM}MHDUZ@Sy_nzs`s<6h#h2F=Ctg@M$6OSd`J*z%y@5HL=>Tb@=LTyJ zN*rYP7$j=4yl9Z8p`xx2aXC91;Nw-0i5WUMI?&l)j;rp^>4PagbiOlzUci!Kvv~D7 zZcMhyz{^Nk?aQa{pvA4w&KyXs&mmm$tjVTt(|&lVA-@n6wE7=pNBQppYE@4)kx@NX zUD9ezva5Wbq(LI&YSrZhr_uOM&d*Z~ZmNoN9PsE9ay4d&UMIVkBoh!@?1eluf@As7 z=+Y$lEBf?l!{+XjWex~=EtNVi-sc}``O_~jGkJ&5WIxOU=4vvR{{wO{|5X4#gpPkJ z1em6L_Cgl$hfr~dvM+*zM`)I630`) z?km-QTV2%t$~_-K(oI+nyr0yjH~*o&rl1Bba# z^Kq^wuez*-!aWWzLDY7Q*Dgcx-ge{qI77`*_{ zD(`+)7Gy~m&zA2XGWL8xIoop}UQyZVVk777c%1*6mJN_`Snl^1dyS@7c>b=Hg#PXu z|Keu)S;0Vm-5}s!uLH-bObu||+Z*@c`}qt%Lb-az%SUmkCXS0lqc6q|To6xrKI(RN z6%d~eBkBC^`~1ESzTAcSy~{wAt0@QTFwou9%F1I*#)?cXuQX23NFJUXM39^f$@{ke z9X|k+KLK{IRPCviyywqVpUb|^g4m06lHdv^5(S3 z+jfo^{T1TZ%zC{VY)L_)s`iv&HV5&0CfR@tw#*3@kZ?_F@Wmp{0lU%|&j4pu4Zme% zcgX8*RO&E6GPI9QgkV|IXP=iff?4_$oX8u}^ptVrJ3h(E5Ev8t+M}XKF~1#2i-J_}GpkxO~Bsz{I=l+_EG&)8C5Emt3j zX*(AsVd~JwXUO5C*g4GATS_m?d1y`Vh0q8E(9-|}WAS%CfhYfINHXBj4<6G0UpB1Y z01|8-zl}QZA_i*b#l|n8Qa#5)6;~=sO0bb&N|^gGwW+C>HU-QRxq`(hN44aV%X z3I@-jrdt+MPbtiV7(r6AHzqHCNo=vBy$T|BZL#*;Tv2`RSaAy0puQ?}??K|xqUf`r z_lc)x#XAzz$S4H1FROHGD*xp2{Rf}?U*HH2sOXHHnHH@yxP`u2W(we-Gfax5XD1LX 
z6u>2P2TRxTKQ)byPFs~CtlX;)d=@ghjbD?dhK2L#!f!rPcWwH(<9S9#X>-;1envxi zoDn3c@<44cp`W;vDQUJuL?42I@2_lg)4xN%vvs zy&Ivnb|f=RfK%f}Q={Z`Z_Qa?FAMi1!&K7D!Y{#yZUz$j5xEpn%oH@CB`K^?Z&Gxi+=;M8 z+iF;@CKP%1h8Y^7?XstVDf`IY6+6EARdj_~t8Mfr3{svq8`ez8V(hmPs(+-` z@Z016bYKnR08UIVGi4maW8f>dyUmVFq32^Y2|KL%)=k;Ah!nRkhv_2 zIwxs7TLh&_u%FVG^(VWi#@f!FQq9eheYu9wiqx%A?a691y^%x*A4BD7Si4-X^ETQc z0eiNA7{%W~6@j`L{QJfww`yHxk+0(~Bm-HKtUw{%nVkmKC}}aZyEe(D#d|jo%}hGA z!y}q~jlFYAF5$cAu13^0TQ1-yVecZ}fmW=ob8I&AThVgZ8VYE3iR-Itm>!RIO2S`r zuP55WMuw^j|4`(XV@Cz&#PLn7W1vpWeE7__(lviwR*&0Z80(-$TTCR{{8Y@K2&7^y zdGy`@4cTHQ%@uCPshD-z59fn8_hB!3E;zP#9C9(ihP5iPcKjlFL z4h{}pR61K`jRg(zUBQcWI?pHS-o%TZ%XW}H=@*a=oP~i zA&b-qVatw#GOk+meAVn!#jXqo#8EWer+#majx!U0% z8X$?S${fjp=tNZCWXKcrG!%#xK}(BMl4Js*WyY(oGo;of(@8_eOo2ifCE_A+Y);^K z*l}B>YqsLc*k>OWZbJ_U=az3N-Y+rqu6f2Kvs_j*C @)sBs5W;!|zmR5%5`Z-&^ zO=D>Q2ZvXqv!(F)xU^0$cL!B_EAbUan_YnwwuQQPjP z@s5*iP5xRUdSJgp?!b3o+7AaVRnK+s5x4qb#zFJ<)PeLF7gOQ`fI|NJ9bpWeo)gFF ze&YJXgPl`j&a7c$1rb}pbL7q{0XDMGzA6a`HBxQ}d)yFwHnXSt#6;8@81p;m?W;HK zZ!LoSWa>}Wa|T6S*XCGfF^oE}`r}G`r@{){J5KplLm@p(1n(D^5^a(z=fK=R@XXiC zm_^ev7oGn2w*dE=Vt9sMCniUmYxJQRIkYGwJ<`?>IlLywJ6X!s(RxV&wFaCd2pM{u zgktwv!EfP|g}}!qDaQ&1i!Q6Mr(j0P9Y3V?U{&+H0gTZa{|-L~x$TlJBA)l}8fN8l1;iFvx} zRD`hK`Pm~Ol}nkVxoa3Qhl`7B(Yinl-%q=`u`ACg6iE22;_Iu8s~2YGPS!9FihS)# z)5|M6qZe0qXO-#<*iqLj6B1#kbB>5+C<$(El#Bk9L*bvE=>BlR`dIA@3bhM(M29)w zb3Xwf)y+5KMly#b_vb*i_aDr|{*(os+r96gB2j~f-S40!oqIEYZuo!c$>J;_0`SxS z0)6qViyRtmsp+}&(LF%Ma`cY8PiHvt@C&UJxj!17zE}MlFO;YK#f4vd0N#N~LTH(3<`+Y-;9C&yR zzAwAbf8y2t!3X5C%08oeYBE;1A0GDwOAYCL3sEY8(SH=?M^XQY`!W1ly6_E1I4&_t z5Mys&m{?lAqC9f6#boa&1NAIbS}5lXrkkjTmtylT#mr|_K#pnpr3%D;scW-fOt`+K zUykL0nJagGh(vh%{yXf=KkS~ei~y+p&$yg_rf(1W4e>!X`8Ofeval2X(J+gZxSP*2 z?q{Lmo)tb-9Gm&1)E^i*M(&IyQq-{?<4Z&#Xph!|-b3*iI*0h)BML&xB!erFA@TTJ zMOJL@EtuQrqtN8HSpU~luR_~m1EM23=%c6to*-qPQRR?4NnF0f5|dFqV2!E;tJ2N& z$Wr*Dk{S~V%1woALX@dSnebi|>grPA;M^!8=BSC)8z$8q;%k_{Vdh20go=$}KM~_G zJHZan#Rrv+sH1z>SxjJV!?N5SgFVCj5#P^ovgKCqnr_phqCgRx5;0?azZmrQcZK4BCzD 
z39wLT6jVv(d5l#lFAHSotw7P75&?Sop{$+T!ekHD0f*$u)U_KDyl~(?%M#e|&a%A7 z$XXa^_bykTA?c6_4eQ{AME*V;CHY5>MrJ=!$XD0Zy)z_>fonez5Asz+0Zn&4a#PZQ z^gW71^ig{qu7QXv_taP+Xe-%fwhjuG`Y}QnELkoRpS)}M&iEK!??{_pm9GzKL2PTw z874}Rkxl**)orHex@V;z{26p5HIBt7eAIZvX!R!Lju&5|;`l$FWPPl#cPx_?fIj}| z*sh<(g#9Tuk-=5YgNT&ML!$xUrg zc-!q&F7E%K5-Q3fC&=0*l_#WHEyIU0+7yFh*f41tlrbJTnljmNailcCV9&ir)8n6H zVays6D}oP!V+u*M?#j6YD_<&3EUDH&N-++qRNtguKPN+BmW%P-AC%&;F(2PO7oSpm22J36dUvAyO@}$xY z;3M_}TbZVAQ7?*iTTBAW<=jCT^&e}3hdLmC(}1(ttx{ve%i?&Is^n?OIvFy!_aTo( z+Yeg#-IC#13vw5G_{tnE%CTD)NXr!8N__eX4P@Dg>_pfRR-Olvx{+hG(-##7vma2n zytbpOmB>;>n{-i9B@yzFFS^sb9o@swZcw?9-?jTv-BdC2QvB~+@I)E{j)wTxgMlmL9(qJEOJbg5BuRakS(zp(sQf9oOCae zTQZNL>yZobdyP{-xEz76hq%DQ-aUd}`EJ*h3L3p!Y8GN!+64S2zSPCFd1{a1fTO|nmsLMWIozEW1&%qjPa5G8-X5>*Wqyjx3X#M zoY31{YR#d1`k#gRavKwtr&*4W1 zvbab#lco)_sFgZ9)7R8}8C8!68uUSyd&lrNgp7=%7~8V_EQBAa0+UG~ zOD~udK>tNx$Py#ZDN=rpRR2`=8U0NOQ5xA3GBN3T+kj`b*UlV-<>x>K5&v6dnHxAD zeq^2hfj;y=jeq-@8$fXZ*fMoLl$icH`d4lI)i(a>3xACaza0sa(B5DhQmMsNCmI+; z4pP7QWq}C20W45^xdztb9Y4FdA&5pGsEeQ>!g?p$s2%S@CfQ4c3wSfW+93Bvw&IJG zrlPcdsc_ulJQ%G!mn1%*qdx5FKY18=D%Nc2xULVRqe`rUonpR@FWS}I_g)Tu?%%6~ z#@H3DC;f=)0n-U>Y3iN+u}FCEdX3NS1ni>?lx_F~oGuz4cQJVQ@D5dfH8sjAA23b5 zDZN@dm{Dd$t38parE5)XV8xU^jmZqpJCQuE%Bu?@C_Ry|E3&pp>5Ra>fW_qI%YiXZ zd?r7*Dm*}(jGZ}B;Gxy~~EJ6_3) zmiM3zG%%P=+4NBt6R~xQw^H(iAYjIO`lAMgaW*i=rX`cc9@qDW@wr}f^4{mOtf*#| zS60TaS6Zv`M!sXzWYkH>>wI;#Rm8A&3MeM&Cr4vb}AH5^B z5MpfC=R67ziGsWQyzYlGw*#SAmwonbe zW>O29#2PR2OM`D2L-|E#Q(-(ltK2@FQwK+9O-Uk@w2B`g5-^dR&MQ84wiM6udDXP^&VpM8mPi^`^>De# z1;(bOI^xxiEr)bi zqRrVy+C8JW6CT3~EZ9pXNzjVCg?<1hAiI!;tY_sj(_mocCt`Hv@kQkni8)!U&K&wh zy1AL!We4g_WzreTxVs+Uk?J zuFvB(yx+{I;u$_SqRDl2b29YRN&T>PrS@!&HJE7bo}3&UyoFRRij*v-PRmC!&vr1F z0+2Z^sPD~_Zx$(Q)Uch$F+?|rU#?~Inz(8&S8)f>`1!9gBxGD^e+S*t5YIt$jAt%F z&xx6E2bU6Zq^Y9-MRepjRo}3=AEA3t@@~jcm&;(nRJ&)t1u>R z2*X;JHjReVRXQ8~E!B5WnL4+WNHRBW(+oaO2oyCDQ~$fN@p#9%o875x8emQ$8xl@$ z7;538KIY4vJzX@#(EJLw(AoLSM4erh$+EyZ<+36KtliZa1L0cR=34U49HXbGbo*rE 
z9EphKO!9^JpUmKvWfwFVSCom&)BDTSnjv_u8k7^kSdIK{oB45c`_rd*9`y2f5dR+SU$q=@%U4;AZhlhv}%y?u&z5;ssTR# zRn(e>9B=Zy<8q(5Q}tuwqq_#;Z1C`QTK(d^r-o-39i3&$H_!glxuZwmW34M4`H{oQ z5zkCD_Xx%MMLlc9mn6A8M?15S28)$A9<`O2v5XoGx2$jqKY8YK5l-BTJuPy~Ijhrq zPbPA!?$bF2c;}GYj-@$m(%R7^;Nb~nb1_P|aa zoD@>N-G8lJej1v9gL)LH9Vvo1cXR!aX0`W?XLG2Ph^)-Nz0R;H=N)!jeh*ta3ssn= z80i}5I|xA&g}`7!2K7Drgnj5^wOy9%Kxkoo^1{!Cn~%ajwK&r9>A9WVfyYg7m`nKxXgrzldyG|Tvv~pckt!PgYl08{K*yBG*nB!y3YywJ8{}EO2 zoUZbC0GA9t_$x|CLqN3Ge|wkuGhO(9Tenka-!Zw_jAx)2dl9;S`mPG+WB8W+dytyT zojbT7Jp_W=7r0kuI{VCe@D}a9yN|1mkC*aT|$8+!I+Pw{O ze*eB7`Cck*nASLm_k*U389P_1KTRSFGb2op`(h2?ADk>cl**YsYDbyuBNK;4uj;Aw z)-3-HDsP}iAJDSEWJ>(#+SiyA*i&Mz7Gk;CF1$YkdBKC#w!U>_aC{^O3{_&T(Gl+H zEAMLEz%C?0UeCyHdS*#neUa$z6lX96SB~ zT2g|OF^_Ug09#-Zmw}{4DETA% z!^iW7hC`d4!d>)>Yx41f73WD=ItYyfK78A|S1=!1HbR_G^upPYYm3k76B4eU$2AR? zYrGFgmsNRu!pU2=eohDm6sia5hm&gP4&FWCj+#?Tc73Z0#p|KBRv~r0RLy(Ws-9D8cF7|i9rqBs`_Oe@ zU38zsexE?3k`OsYU`z;5)d$_BPxgkqmdc`E*Qy;TJ$;p5JH5cn;>Bma<%BgOC$U?I zEM^y5A7a7-Lo_!t5xq#k?B(rqS4%+82oJHWQs>%L9aNnyX=+J6 z0X;-Gn|YBb3fG|RI4a(`46q!ZaBPucP0ERM+M<`pY|?JY=~TEEt4?wR=}9Ou`_AGJ zu0Ba4lv7tMo2DZDBk|OxjYYw3`HU3* z91(@z0EKKB1sR2yRy!6YN`4LuA=q|sbsJS1m;P&2WrAM3p1BuXb4LoyDfQw*b`Yqv=(sz zQjQ1hiRlsP)v_K>Q*DIh=sjhiYaHeTZ@t7Q6vXw(CAVe?DN0V%XXA^@(_R3N3X|WL z29t&J0lbM=S@fv3efVTFCxC@qXGSG#j9U=%Ff#GnLR8>@E<*&yyycO|wO6M!I-$*; zL@t>9!e&9k(}W`)cjL*>^I#abV4RotGjQeeASe!=DN_-Ky%U(Ekz%qK?FN>mS{D*O z#cDk--4b$9c3mQ_%gu^nwgGkIyrTAm_?LKN6ila*&-Ib*_tV^)%=Wjl7a>yb zo5xyT$^zwrrH8ZT5ZoL%U>~rW3(OQ$cd(r7$LCf8#*KWXlo7+t+6 zJ}weuc4=;a^szEsp_-+JsEdOjd16jZ+?dFre$DA|^5s6{k()_JNc(koTePL$FsNF<3Eco0FZw#`IMadv>kLN!@op^b8UXP%7_xrOvne}wpx z)!^_xn5n3{^;+fHB6 zhZksyzoDryY-E4h#H)CVGzPKNtj%~iYJw5RaE(gZrv!Z-TeJV=W|XS zTbs+!A}2+8+`&DT!CBELJKphV*db(1<^w2Z&K_L>(9Hz0WWwBwa*cVO9=3zkK-<8o zPp3GK1qN-KYPPZ*Srx2o93SexgW`s+EFTUp5VPWMW{=iI5eWhY@E_Y2ebj2K;UrB4 zqq4d1T$QBAx)gh~J(!h5Hyb)eFe={VnBZ<%lR?EFQ32B`m+ER!6@J_yYfo{N=xfQi zl_h*pWli)i#=5Y{A3(+so=JbdDz_xjixu+Pr^4%E)X>`lxOy!G79yZ;%$!|C_LXwh 
zyTABgE3ii2+%a=uU)GF=uG^k_B$cKf>cC>D2fvK+tZmymi}(_@f=l3OD(YN%(66zl zpzO*bdBtgDI|Cu>F=(VK`K;Zn&LZif?4=!y>=2Af%97iIU^M>(7f-16V zu8i@gd523@TSxYiYe7<~YY=cf2X_v)# z*v}d=eGUD_x(am65;!9wu~_P4IP6az5b$IaE1%>;j|=J-Hojc3N%~rhx@3;X(s;xb ztS~rAxi1ZSTgt!1{PE~hdY4;GpdtT%x&!`4?)P8lq^wG&Ail@0i^SdCRb!ff!5!?l z6?Y-1@SVB?JGg`opZHGwT`%2A;0ARaI9GD7+WO~R>iCC3dk_K(TiwvXz_e1>St{z4_Ihv$c0A@IxQW6l_geW5uNvXc7?g_{*+F=pUl#*U^m;v@w^oKACR zX(_7oK{BriU#mv8CcWAt3PI|OqGt@6fVY`1;TFV5r?bxB4aJ1#`;H9eU$Cu=SfwBd za!4Wut0K8faOHK`O#wnthQum`m-SoPXLn}i^sQovcBVoA!GZgD!r%fe?)@0^R?hx) zDelkHf|{rt1aXBeSY5rByQwv#z^uqn-d}(Nze+KVRgd}@W9D3^zqk;*?dq>0wkJ97 zAfdYw+{}RPi}iETSACMVilfv2yk{Rl6<6hRYa2q>{e0RwVv`w^`E@XLmq+=2IM)9i z|3N5hpH1|#4C)=EROe^i(geL4kd2Ft9dtW6=+9{&^Ki&g!t{k`cKO-6eof&)S}EZ~ zMh;dW%il!conJUi{N^qIPtVOV-sCwnglb8)C&By^Ah@qICK|bpfPNw_^O@? z-WEwmc4gz!H%|5mQqj46V`8=XE@IC~l3k)7pwz_XjG3d*w!Q&XES}-rk487|N8XVf za444+(g-l2)5SG%iqsu0)bI@QG0k5=*cjGqt?+$Z`kt2u;u>wIEf4r^`?{_E?5W*v zt#x}7Gbm2iv}hsEVG(VvU_7UbQY8;W4C_M{L@Mq+B~uS*M}dV(6<4RBj!gyKx@UnPOmX^lP!4Nth1 zm{IeB;>0NxUc_}soR%7}+9v2>rSog-|#^geoo-MBKSFOKYkpmeVQ}xP8i%) zL%225)(<9~yf6(7q76Hgx4dJ8e}Pl~Ica4u!Q6`(&((z~)+Ftkatm55S2J)8Pu$QR zb^FblZ39JjxfLNoOs*7QH>KBZ)xvi<%So!say2ZJ@k|@Y*u3d7Ao651>t%2`#nplX?rdt>zeSFgmEyRN?)5qZ|IjMMVZZo*3)K`n6@{kwhB?S zSzxebcv~;3M80Vl392F^?~Y6G*`Fz!j;G@PUh`(KpQr5DY1%y;>NQ$o0f-B(Y--3i z3QL}xPu=Yy$_J5MrzQ7NO0afH1(TolPFLafLG-E^f*nr z!YnAWg$9+qHgo(H>^?P)KO6bF(^$u)-9LhYSS!9&BRu`dXsM{)VqqhyUab1_1Ov{k zvN>W>Mgnn`K&QwnB~84vxUTR zw~|^yojuq0&JlRyt9sKTuo=ukHQ;jKcA`;+-n1PF4G8VSg!pttu%pQ@T1&H5H(HYj zQxzmN26iwTkszdzMjppH*fG32t$8$%sFz9WABWXCIk7fwLh@!0kmd-Jp#A#+wvJHC z5!AV*mW;DPmkEUYx3x_w_LXv89~6SfJJ&QndH|&-01y&$NL^nEX%>Nw{3&KmlBfo% z{#>y}I0uH`C$AzvWf1%J4+)7s{lthX!5UbAn!KNa8i zD)|Q$TbAK^)T~#Dv}aSru1ZP7&y2tYmsE3=nG!P9{V9@+Y=!s||^sH@v_#x5` zuv}En3$kq@IZX1irO7i4668l3BtvLP@=aVI=vki1?AKUa9Wqd$k?wv2Ovqgv#eTU! 
z!1qVz^*kld%9cn{X|am~t^_{}0tneVY71zx?Q0w7r$l~S)7V-j32sQgYt?jh>i}T5 zB?Y4c^^m@p_4W5y@nH>2<08}Uk`mtvVKW*|GHpdy^VR>a7Dfv z(8|USsPMv4FrCl>OQedR?KTm{AxE=2njxVuq?x}+`ZO@rz_r{Ff!RXx3t*RU6a13? zw!JZp1f)+O!tMVxbUok*%kalf8CI;_Il}kY(I7{z9m5rgk)wNlPMO!C3Yf5HBiw|& z?B`1lbeT5!Jl;TEKjxv!TLsE$BKYw?vKajbJ_NKdZE!7`*4(a*eF)@yFCZ+H;5Xlk)m&&o999 zvQJS9(qQfnq|4=b0$y?HR_a2dOd|x7q2{4tSWf9)Zea!Uw1&~^O`E&yd<8NsNS-~RVlV0kuBp2+k2SRLyg1;@uy4p8{au)Hip(!xH0xtD{j3yTJUWj#F0hq zx9a?<)8O*WXA{m%8}TMF>p>Z029|K^5?rwheuOF4O&8ZC4DUfiZq4XzqeO7rHG(C0 zl8=?2#$aN;1xJOy0RD!s@I{5h?~P9w>e(P~T2vo**2O5W3{)Eo|T$QCDR5& zM>~fZ?K$xohpZ5acNbrE{y{rK67n&jw}A!_*Ti}s*NXa0?G;1J!Agn@K|ZdjLY`s9 zd_mn@4$-Qb$$hXKa1Vi2BK5Zi`KOUV9lvoeWFl`|YN5e2umQ<%_45>CZg~!G{DHBj z)02yr?KYN3b`TjAyef-5U;2;g7WRFzYjn&yhjlDDBgD9420)Sdy;yXX@+1zLk;Ra= zQ-s^7L2cR3B2V{%;!BM$EXwou1K{_nX?zOZmy6jueES0?;2*^ujv@u;xrI>{KVO=! z0=5BZSf=6I^%c2OC5E$3tV^wDz5m@S{kf_yiDqO&r+4V}KX^oOMljMk7=l$-FrF+n z6EAEiPA05!s8du;5FNPTf>(JKU2M`1FmnLGI_0h7OUV zqpapE&aHz8%>h5IgdIH9oSz($6+{qdhX||@$O+)?tcw2J#y<^-V49|roz$GPV^U>h zxX(u>ZXFBY-UKnYf*a4p&(wzRQ{xYY9Y)X|ezrkXb<2l;#H9bV2>}h{DJ~EXPU}^- zxb?)4@a4e`{Zntp`8C9dHNOlU?$~f(psq&T7A=rAZ1L_dAFd|J;B-m0R(+oJIc=kC zf9$u;#Q1VFVuad-PnARlcKRwV0=aC{kho(ijTylWN%FhP^1pO;AE?66h6JTL3wsnZzx;d71Mw1HQjZhH91Gva;D+{+{&%O|D(~7FjR1I*-4Mu z)|OEC-tnvxWtc@!W0232l`!JTuQBcIw~%hyxHbS_l_v+oW3Wm0A3WXMe%UqhdcTN_ zOfQ&oqjetGcn}jmQV_i4qxn8ra;idhUOdQ_WI-s>l2e}p&adtI3pbz%ucX3)&fjFS zCJid!WY`qalp5Zu9bu-OHi^+I(M{$WXZu3ukt}pLlN@9H+tjM@CnI8nN?=02?jW|d zX~n)mb2O4jb1ivjd#KaIMB_!>d1EX)HFEZ9w1Mk**b-=j(OOxNn*~h5Y#l3Re ziVAJ_3PNPvtKGRQf*0s|hi_IC_y^_HlfDSXA6-5C_$xP}{>(7o`KFj9<2k(kSGuG@ zoOG|T^{|1ymX8uXU3EHTQ$?9aLoi~vNE0isyskZ7hnH(fSggC?R_R~aizNLy9sUY> zi0G+u_nQUj9**8#XDM>B%SYzAo4{!iTa#}*bj_QqEu0f8br97auCo8n(ASV(1kD+s9uyamZl z@m_Y@&Khz@=ns^Lf?5j3(x6IPmf|fG1V>m4=SiY1~2h)7IbiJ~*I#($(ENvS2 zPUB^vs~+w$`OupajBKjYDTaBWqtW$wpeTsj#}y^u;FipjH0Ze*yRqHXm6xlG^GL#1 zv{AZ}{B$>vMy%Ifk6oO_a20LT0fz6_1-Fab@Hu_9QkflLq}9M$f_ct6b$K%DZYFu) 
zG^U>_7Z7opOfcR$;eHf1F?_l86oODH{0pG&UD#|WgX!YFVWv;8j#bs~>`csfMwshT zyrxhVRn*d?6uPS>a;WJPcN)BLwFBmXrOY5_S<6P8`8FQpUW10+&`a)_TYM}o;%Isc zCmU@42Q2;nguEhQ_9o>mk;mJ+a~QHllCM<1oBHolN5Fz1|A|}{e^mIN#nQ*~^?q77 zV$32{+iThzqEa@su);Fh?x{RJ?F zK>($B?+{^tYjt0B#QFTwJ>*BXw>z)3`2W|TI(PL`nQ3W%{ZHcg`NTRX#in*F{*NRX zy%@dSX!_`R`4uGH*9pBBRM$1H2aweoyFSg9&9hzXFXCy19o9w0XoEUZV#D%~&|nFP z@YL`}vdg-BcpJPn9;E_MFubU-Fy3Vc>E*#`ZPo4YmM0r-AVIA%EP3QO>-&~ z91)7@kVX@-tuE~w4jnGw95g_+)&2HhPF#5eCC?8HR)c_U7{|xmRqm zhE>e2j%5?{mzxgKopu`I7?yJNaQG2TbNt)xo_qQQ87^|Ph`lm4%nonC@3*ozClcFo zQQmSUcS#cZXg}_BEK_~Bo#y-Q)YgTRm8eqylR1KMl`ejli_U`A+(p#F7cJmjdiq^z zUM{G@jz?9(@79O??2DkZKGo^2J6W=ONj#0#^Y3bFFBdK)FP^$2#ty&#Cus%$-N3)U zUH_j405a8>_uJdu&F69K&J@KDWn%{6B=V$uM}Hv^UoHA(6+Obn@zgPWYFQ4C#^G#< z;B>%m+f91m?);M&R#MDn@vP%v)kZji{IOmCHE=xydai%JC4BNV^lX1&Zt#o z@~pV_jjiU}X-rpg9_6*v7Ht9Zou>d~1z6oy^0w7e4|g#azs+7OdKhZ8^jPaZJU_({*caB?cSS6OZA4Y(@oOQIn~*ny&uTr!H9Rg6}> zshV-<9NVZtfI7TgpD7jb|=Z%AYVUm85MTnva-Mt(1fh z0QQhS2(52c@!fy%5`OFgRa>-EAHxqq30RY4zhzw0HY3}4;&}z;3n^1!RgN>X9LkyPA8RJyo&h`5N~Jcn+R=%+MVq99OFvF7=v4P6v{5iwxJ zHk>t>o}b@jodYAJnUWSHX@L2i5CvvF9@y3YJXi5dd+V^w^Jbj1Kzpt3omnUDprq9C zvBD+cMO$lDcnUZwJ?&uPD*;=D66a53(L^2l;0UP4jA?=$F_}#*m1ZI?Slo!<$KCz> zQGWS~cyn`{OSVcrHE!^8m13^F$Ha5rbMQb#U(o*Dr7#O?T5Ct%1WfjpwOr7JPA@K$ zl7nIKxg=K(hnkp}+w1I1CsDqt-JmAfXqK1GfXAN)6M^b*+ldJxS{JSJSFrM_p+~lS zxP;Y^RI+QP5Avy~miOWt!^ol`rapgCdDE4r(sDEQ9)y+g|QG*Xz5qCwJR`@As8m8Nny}ZcbG)C-%x2#|C zGlU=l1j*UPk7fE1<4HIXnwY7f#04igOn36k&04b~K(F@&+K8jFggHu^Ui01<5O_V| zvP=lJ@M&bvceE{eZVAcgr*=1OV9xFI3xh}~>QEYz&+^E);Ef`FWCL9rlW$kd{=lAnSJKT!pmDj!tiAZ=ix_B_${^ZH7Jo-0E*DpP69)+}Muy;9BEZyq~9pAfBx#3IKU%+o@$ zJqzs`|N5bYuFhC6=u?N3qvv62-*+T#wU@zeH=4jH*tR*}MLPE?&6~$=lqn$N=lGnk zHtqr}PO$-)RB@c@=Du>`o9l^h@Waj>1OaJkT;gw#$qgfhZ*7+i(e8{6zt<@LB*qrC z0?t3uw7VdFRlm(|wd!R7Y_tyDy=K4ko3GcmoC7_4q>Hx95|Fbuc}cW-2Ivf@kN_Z5P$g-RUCFS+hFYTJ!s66j*&`s!F+?JFdnXt;sOfwH5esr8-ldCPSB& zfH@O7^!hK&M|MaBNw%nR_IT;NOxhMTj8+z)=}?ZtXS2>t6`gUS74U=(K0boI1BUtk 
zgT1#7imPk)L`fjHg#f`xLgVgEkRTm`JB_<_L*o)85H!$OfZ*;lPB*T>-Q6ufa0?{x zPQPdFOnu*-TT|zJr{>;UHS-Tmb?xfC_S(;~=lRKv=qTstN=g<%OBQ>2%ppu-C6^g1 zgN$0~7QOIwCN0?@P-4>9)Wpz%^G)8;pACg>GyRYRtlYO=WY5OReY~49cvlA)gphJN<>89 zmVfvjtn>rx;(j*Wr#S4!{`fRasbIz;GHiyOt=|5U1j{5mn#jT4(fP>l8Hz-lG*%Y1 z-%$SdpbQxIJcGAYxR#Z@e)gqWbbvXB43(MIX|4AwH${rLXH>WiSjxnrB-6#QnVC^S zWN@w&)Nr#V>yJ@56y-W;UqZ=$`(ZOFVQaRAGzD)nJDYTv%pkP}n44Q_X4l*>Gpt^e zL?YuxTu{mD3G`FdIn;EmCw9;NEoyI1#dsrXqqEMq+7l))`1G0i4BfR#!}7FEt#XOa z3+y*`i57tcycQG};$|+5s4;cmR+m>RDBc&Y-4Lw2UIP;2_vv6hr6GQ5{Rur-t+XN? z)RHL$h%^b5%ICePjvGYr><|Qg3aFnsE?SY{c7tXBl_Q z%Wp>e$v5`o(LM2Ke$dCAbAK(D>0$cVCL+INMf(*)uquvIl;>Rc-%Vd}KDA&@qd z8UkgXW1Z5fP>31ANK^$j=Ivi-PqqHo{bTkG&h~F4?(n~j8T+zPWPR30fxvD#lsTlO z8p<5>qCoLJ&KTeJ{hhz)o4*p4E!MB@q7Z48 z4&-sbGuG-s$o$DP8FtHP0e%G7Tn+QT0BNhESnU8Y<_Anv9{3NA+If+3r5%6w* zPgtS8e<`NS#x2~C1)WRMPc}+0M$lh^EhxvoR0RFJ_O73d+_^9L2FOuwS z#ee!`I2$YeCVY!B&8FlM>F+HzNO)9*%`$A$vj4G<=8{OCpptk0)K7o=1pZ?m2^Pwu{cR2UPht3W z^B+UdUPGF)TaEp%p_!lu~_JO)3w`^0)rO|7-yL--3IpvLj#ovx;F? zDh%x<3-E2G-JEko$Bw~l;L(`r1KI>;(!T>9^N$dk{{&RVrVGWV6uf=#Sw;aO+_aa< zjhN!SZ)yQ<6&wR6g+Z@;pAsFZ|I;-(=`m7shbY&w{B;ht!*FOPAx~%Y#tz|CL1h|^ zapoB1M-{jo9sYy|-lEg#<07tn0-QSByDKI&b!-D$e4K`6!)y)_&(-)SGPBV#!)etJ zHn&jE3fWF3as50Xdm*~9V+M_$i>4!)1@vDTwEX8-2Pnt^fG3n0n6BLPfl z+2mKzV%w+LCNo(ICwB(svvKuZaI%i%=V%U)Oa1=ZgQ+AO9yl z{OtPsD<8Gy|t)2;)E1tecY`i_z(Eqg_5D%6d%XE{R?g3mBCOj?26*U#! 
zH@`seVF6%4lT#ZWGrE8PW<=AB)UdU^muE!DrIBp;t}Lw=*VYIQqtaUzlx~+CY9j^9 ze#o};*;)1RO4eLg5UP|_$c=a_yw-#7L3br7{H(HHPTnp4S2wFweH15ymVM=9Vbq%% zc8ai-!Am8PyKs8HDpG_LGtk4nf=eTW`T%YoZ@CoIPt{J5ED;C9cyg1?r>vbWef@{?zHh;_BY6tLgoIPlMj7~9^$q?8^>_7!vG&TtHRvSi?WUaT zFa@bolYp;bjv7XJzitLAa$CXtT1w0f2`89Vv9~2b84KZg~v9}Vn)lmn4 zmuq0xg13nWM`8uMHHV#~6(>z98 z`X!>G!@W{^o-l2xUMQeZ^!W_H4J3@M>GJ0Kmd=(72kQMMzU*-HqrDbKdc3lQ@Ilka z5tjrp_v~2>=l<~7(Rz!%dl3i()vY8*qMwXLEMPa#5HV*)z!o&Pt=;s23){HvAj zq>>*lhlXvLJ3rxMt^C~+d=QiZb;y`^-@5Ac`0xh7*68SJ(hQG%nMOf%nRwA_1b&vrk86uW+X|c#)J^0>d=@s>l)ELYgShFGq^5H zrUp^|1a~ii*%DaP^-skkI-xI1B48|UwE2Lxd+!U-gugHMC$D(yrTT45dlWec zO&+S@-wLmT!*=A8KOxHEqyMa6Qf{B>j;__&f(wlta3uKUu|-*5bvd8x&lm4&8Xoef zIV3dnR;o^{X>ZPu|3HUkoWodKT96MO4;b~eqN{S9$;g*yD@&CbPeFP<%% zR|lio^=EubcFtC5i49Y$if+%Q-{C~}e9 zJLg@1$vC^G=P~oIx-2)HYv-rq6>E~SYlRLM1M!$%)hm;=G><=09u^?miKoWUW+YMd zIQj9T$?CTFd1i-^TU3=)jXA#4xN9Pq7UfA9RYN=EYSVSqkt>%ZMMD zOb3tCL{?h~oyWcN=UuOIU_6ViH6EszK{-B~a{fuqQZO2zkitlB)Epud+FwKD&AA__ z41fl(7C}zS1?bMIYLcRT{th}bPMKTstw`H%kjQss%CS28+1&|KbB`V6=yQ7>3Bn_5GpWzemDtO?dY__KQ^=^Gg7&4Pjg2J`i(Y!SDF`Abx)=EuEaX3W(*m zem!>5Py9c znp1qp_(!NT6{$Ag>avXUO=RU87!CTKcu?!r&bfwEX>ni4xW7~Rn=sjFmK7pd(H-?? 
z&1{(`IS3Ve3rgEGPj(s&@L=bls0EgqZxmR&#{&$Rd--m~(vdYf^m<@DOFY9ONWiX4 z&k&v&v!Z*e1z>t-s}~)|q2mHiY@$jnOAQW{PVJ#IdBQBq z`ZUB!572(N(mbNnl{0IPEF-3y;T67OrPu_xbuPx}-G_u|wzIrQ5kBnu#af2`JxP1a3Nza<*fbgI zN;Szq?V#@)=;Pa0m_Y(8CB5GPIWH7GL>XglUb6Hv%(%W4ixi}0Wm3|-SS|Eei>NKN zF=;}Vi1kIQlb5F*A^G}zlsZM_sG)16J%7e+E}tqUGQqC*xc!$5UsYO@v{*9b_IVDT zfR0A#0{^>mf2R)x5uHf^u7o1{Sq=tVW)Y1Eb`yEd;1SH(YpIa6AjZ7X(K3VYW5M19 zNx0#W0OR4tARLTn4>Ew)joSxv)M))`%ToKahlY-SDTqTu=eP>aE$p9sh;#FB$|k*V zzx^YStyHSb9RK*~P@Pi5$riI*ojqFEAjMmrqf==rcRg{ptzkPz@h8KPZ~MgDsh-5i zoq+g|P+IHQV}{wX0{uCyJa0i>w5(L?aKV5P+qHb23{dG21y?>_?F}KiY>FS-9n9) z%@ncpll$hIC-$GIHM73)Q-8@HPkq^9_NuI{YELt%^b`GLVMQwKEpDfp!zBwn*+Lg< z5^qy3hw}FxPfglqP{EkfJeM|Qta!6P22XctDbPR`cc?w4M=yV}fTGHfp zWm*pRA78331HG`5by><={WoX){j{gnmSmu`tw{BLfoxadI85i9Lp#)S)*FU?of3eW zfCk?L8)&L4p_eiU46A5PJ?`0oZ46oqb?q6-bSWKMqK!m}_&R7~-wAC6}Hce}gNcPFriM7-*ewC(K4mgMW4w4to zRW=em7>AjL>hC9|3Qbg@VfTVq$9v`BVD6i$^AD8WHm`<$p6U`f+V96xwZIo9Lpif$ zwYujJP_Y&G7Jf#YikX1E<@bMEbJ&#pwjcF%&G3t91NArgcK&^5YTlzPlm;T1wu3H{ zQvORsA27_qRM2&M2LJMx7GX_c^uA^t#nJEU?du%8dTq>$86$X2(`VHl_UF*XSaq?P ztN)ga`4CFptI`rK?>9bBYA;P{cb0BCvJ3<#gjko;k5o3dY~ z4@YEUF1|4mlCaQmnu%Aoagh_G8u(mua)J=zOtex#mVc!@)uuW=J?>6iU_<@&5P6`RBzLyRptwh50Ugd((`8 zD5FxF*U`#1=7g@E`w&U705Zcu&#rmmh|^+&W^v&5ik4HuqvI9eM706R5-y_ zVh!6ED{}>IUUCwY0ntUg=WN&;!uSZs+86#f8b-;9x}RNNc?Mb&I1LN7st>=m8S%pr zm4W%*_7RwdC}pw2GwMy7TeCK+)!2TYFISE5g9Nl1E8On0LOnc6hCRR>z>A6+tnnA6 zXuO>V^%fzUcO+x?YfN8m=O*Q-c}0gp61-2-R+IHNLidt_6`~BjU7>jh%ru25ry%u4 zYRX!;h@RAiWOq({8v((oE-c+k%opYzJt!|T@rcpbJfo{V1mhg{imd~i5iQ8%H5PDK z;1uqvL`&Zuqs#E6>-UoZ1}3C^!cbf&cgvnxKCT*bvD&_@=LBU;V1cobiP5)cI+e+Y zmKNgkpQ3jPJb}C+N7|JFQv&cww<`a#%D_}W821=3*8e|4O-4*^BNy@|dP(RzFPqqRapwR8e|kLVBU1JCJkZo4I=bd>U}xp3$PWc`Lf&t`@u3vT z@ZWt6{JWk?Dd4wgSrerJ1|&Zk2#@TKQ7dtff={FUPyU2}t~8(^WlFKkn4S5_m8HV^ zAkZKl$BEu4*?y?#!Bk0a&f0RVbS(OEBz%{TzdCTWtdtrG^V}D$Oo&oeJK7U29aYXT zS^05h?<&Eoh!IqAuH@Cc*~H+C72l`oQyfEbP{oku4KC1(XUH=eq{@|5V#_fPmkWue z+iPaCP0I>QymVe}ImxgTIhsBzh6>mmoUiGt+z5Z7qhw0c;1j*mu5tbb-q@{)&iXt< 
zlsDwzbAqeLp*g^)>ljJe*Y)(FQwXVAOzY_S&00pR+soOSLrN9qjSEcPA?3;aWBIRw6fF;QPXrcK;~l|{G^~uR@k%xI(OSD^o+n+B z&07r)%uP|kRP%+Mz46M)Mxb+RbnW6u4PPsVH_?s`U>VG0Uw-+M@gHhrlAje0oS)4V_MoB|V2 zC2Q+an{vW1rJ#X%4w3zc{(!xZUGxi%$|rfm#&H%J6*883A910ZA* zlZwhuCpsr|_mr2@BjKM}cjTUK8q1NbCZLyPZ6miF%Dw&6{q&C`>v0I`s{x;uxtqQQ z_c+sgWvMYWrv-zCy%{eGWosXVpT%N9GG@| zfzIl;Wk+kJeYEqeHb1R{rxUqu7`I~jQ6O<(p&5D);B#N#1_&ia1)Fn9lRWxyWDU^u z!dH%)9_s&j#|-J#PF^B1{W>ov|D-0x&(eKc)z6J|%1~y4os7hC{x}ewLBYPy~ppe2+_g9wGj%WVi7ZEWC=A zJrDFP?cg|M&r06Yi0%mhJ-c(J-bk0Ha0*iA8;MUM&rvF%cuYjiz*csR3yo(>Jz{o0H&=RuHD0MX?u&RD2Vr6>arA zUcS5U#g7zce#Pb$X)eY_121}>6kTeiJ~Zm)oii*lh%uiY3g+WV@x7GBPE~cKl=Aqe zqbz$wv5%(k%0zoV1p`44^bWN_fL@CZk5cXEORYu^3eGI+0jlGTSZG`W%s)^mVT_*&Md>#RlreQ5md&#{OyIcqiHy z|F>2HnC<@Y+E7&M=f-#0`muD}_U(&LVFUdp-{3>6>&~x4=g+RcC-W?)TFBNI<@4>J zR((;5?QGwc;zi?rFAu1D^0`lSKe0XyLg-{ai7v0ffvGW)%Mxk(y_Q|9lIS%wdym!U z$yi{wWWY@%o?w|^Lv=7o#d=#$x%IERfPI;)A~*rJ`b&C8cE^2xo!pDzB&|1XYDx3zk_caqhR*MieXx6ZYKy@~ZOyX;Z)E!^XFgeXtH4KkZY)Te zh{(AXUH;AfMSOlnL)Y}GhV31R!T>LZ=t70eM#e_$SOIbxQgD_*o=zejk5GXrp@px9 z1VIm`5Oa2GdXYviW2sZ7C0Va}EiqM?Za_#I@?p|>UZa+9iy!LTLmk`Agx6cBJlc#mNTEYkAg`&JcdLVCB4Ip&cRJKM!F znu@tb@CuEW;jRWM5LH!SQ4G3F5y1%!O~Yxer}J`Y1n-pJC<<67sPyg0^Va5=5EH@*WA@@b4Qp~(L*yMGFh@oreUFyXhbo0$Gt4%!^}1l z=BFZV#{7oPcEHwd)m!Q)|0KY0}QwuTCWW zf)u=qW2o%8;RVUv-ka|t6yjQ$2dphXjO|Wzgn9{L^Lp~)k@+v)Psb!@2Rb3x(OVOe zJg_lxQ=_g#H;6_1*rhmecVya*Umml}1%P(FSfoFlx%JCk-@;>@jY4FR!3OXX2$j$0 z=e67j})LSUu8DC#rA0M zOOR{oMW^@#apPFPspO&OBm~gjoP4r&yr!~ijqsK|w(1)}(8Gf0Q(jRW{>a<3%%-xs z{H1x)t;}NSrKq2`@Fh!1vkR!ccqOR2E$8>SDVdYk+_|nBG2n?#UCt}g^@>hrK=P<8 z?@K7m@559Pa;~VUF=~61oApJ=%jCoUS2Q2@(P`)~MGC-lrec1d9NOIuSy?_-ZWFWl z-n)2LMnxHiuWYBw%@{6%e{TF{E9~@0R^xcD(2vn1>*XrFdfUW|a5T9X0@f?*TUIZ{ zHwz#@DSI-r{2BBnY9f1xl46&dQ3E?C?h4ziZble$W)cNE1!pi4h!L{zQqGAT&@Pg<1#fyx*oYe*-%Y*od(3IiZ z?Nioq(iAb;%|9o)+I6N_HG0=&iF>j=aK4Y)T3qz%nF)GZ| ztlfme>X*$O_l}i5pMQ<{hL*7byx12xS{4XVZVJRV&>tl{AklCAZiBUB@I>P3cYcFA zsru^bpA#GdnyMSJ?)BArs0wNL2>EoMh5qDwGM%><6Hk7KY)~bOv%(*HI1$kkKFV*D 
zN$RDOtu;DcS1TxLjW@X0YaWKtSVr_Muyk}0=?%%k2qt zmQoOiQ1`LeZUlR4mJhwR3xAXq743*d_tZf*@Uipe(Z-UK`Z78L)=x>FQ`sD4%prvo zwVL84KY26f^9_hzxOV+8<4{H^cCt^m@#5yh%T^`may+om z{R(vwuyAZPn!i}S!}}UX?U&d>5g7sa{jd_)Sr$_n3Wai3G-p=0)=}ag?&=dIX^5Q0 zHQkJQ2%x$+Bg*bRs3Ahx!CEJH*81~6M;o@OtE-DItd%PBN+H4EWS_EsD|s{ms|6VT2d1+4MS{Jpo0~egDI*7z)ZAmx|@MA57Sq z1vCgdzb2{=E+SKhKAx2b9JB4MDM>9BKjgrh6o*b=}EGeQTjn7q}_WMK7~kK_X+@ z(eogA@u+@UrY}AcLI;vxzE~L$%Q;muumZrY6ko9@cU2W34UWH=b{r;$=9qxwSIRft zKh%$-&j z#Oq2DN!YXxn8uPLKr6GW=_j_}2m2Iq-NaEZry3AB(q}V1H-_;Q;_PW$<8HwDJ_S>Y zFH7T3DDi=->5@E~q3RsRE%oc5p06m?U3P-M(71RAaWi1EHCvogd-qG&7KqCUg^dga zV^cKN;WI3w`0)?A52RUh&)UW;XsLFTkVH-$_AhIIdkKY~Ed&Y1e656O50<1-px{!& zVb1Wc=W=XDMkjLnP1dg)MMb*~G1&|AGXF+=hgxPn_9cMz+eXWPP7o$nddH`f#H{@@ z^h4zf2YN1fUq&TXK7dI?ia26!Jh9~nRTb1c#@vi`NSpQjA+Fq;2QPoV2QywIFOnrM zbW@3jueq8wZSQGiCnweW4SGhA;b>E7Q3RWBlQnb9*JE{(yY%N^IKtoix}!sG+wd7 zw~U6Owx>oMsKYLJ1i2IfFHRLW2RF0~J#O#xt*P$rGqVvH7TpU}Vf0C|DZOUmr_H7lYd{GhmI-|~RY}|L+-qQa&FFoIkd=HoKs})5`S|SYG#i?f_p7zgr z(?CB>B-(O)vxI_Opuv7t=Z2)H`O6idyOj0=>C1nBB(Cq<;apFD9^+M)Btq1Jk}JrW z_ORnj(+4|~A81lgD9sh$IxI@5tG{H(cv(3XwY=QsZuqTL%$~iCP)=o%JNaZtxy3?* z`-C}AFdx9K7z*H~9M36TR&4z(5d?}ku7FS6r99}nczIln(>j*qB~~$^R=Q{5F=?lP zy?^f%zptSF{CBSCzsdpSXVz?MkJYWMsdIF{+)7&9i^--I+D7Afytb0r^85AknA@2F z;SJ%~YrNQ0(3PXWqU3NTk_?kPD)v(Xv_u_D^S`TzSd_r*^FCP6@xB5}u^i_sLu(hQ zM84L%)@d{!+!r|oDY$6VnWA)SrM4+$A$n?Rznp))^$GFXqSaGDd|fI0n$Qs65v=^t`h?p@h__-Ny>A_s+(7)Nn#KIH` z1_JY+i}+;1I$cRgT=N&qv~SZSldg^=&IcHEmgrcs`1C4qH2EZBOzR6halv>_j>&P=C--=#RsnMY8|=x)I691w^su3 z4o7a zhM9l~WG`~;Od7)yRqoPjnQb5t?mx0jHxN|*jpwav6O*v2lwbj*uFD{N=?OfYnMRb~ zAGox~{DlTuxME|EZaGJ7L%0fE@;Vn69Ml)3Rc6xcV z)9K4*%dK2i_Umm_f*2F&legmNO0n&Dl&QM3k`xSlP7BZHSbo9LX|{o$m2q1P20u8P zNfJhFbG8C2*M=>N6`h@({l&*rdS?r2@_Wfw_`ZJ^;cRtLqmXoD?-A>(NYiOgFa82Z zpx|=mqT8em2`o^`C4R~~Ad#^RW0fT9a`2TW+aKS~G;#E^w6#f46H45cux4vH#(;4GGu4MIH|xPNPWgqDD@^*ev8#wE?XMlnsn4!nz_1bgv9 zId2d#llgYD)R3*wIInwrzbW59ld7v{@Yb=Ds6BUokYS?97u8vUkO~C76M-Xjsa7l3 zdMZqM+=TxJd+Is<(sx9=Fz_@dc?_MT7b{_-QisC)OB|NOpVlnz1J(8UvF^6<4|$DW 
zPRS1MCDJnCKXu(!GL2j zLPB3$&p8w^J*NughER2+RhZXU@;F=QoikbqEKO=|W3`16ObWGtPTrkA70OyM_ly>ypnh=F%sY0jgj&aWF*e~K|?Xf8$A&RD|qPdJyf z6L&3y(TazGn(O{ky_OG2jwMWK6BSNOmQ9vi z#hz#@D_lhAa7S-j&6#U&=GImrM`x4=E^l`<{Z3LMM{mRq%LY+@b%5jjV`a$v{bPl* zhKb+igO=8mQ^jg;L7Md(+zq^2#*?b7!b;F0!oX0pmazw4^3Db|g@0&-n$xz|(G*Q^ zK*k|mc&Jo*Iw7`J2Dt0Gv^|9oA@0jQQeP^#TySPI?r$&nbIz?%eI^Ca5+>@00A1ZR*Zv-1GGr+JYXx!!!P;^MtPf<@Uqryc|P2T6BAI1&eY2yXj z`e0W#HzVUYiXzeFqX~X`4i!sk(Mle!?nhl4GgeMrh_i>2KR1@yWl$i?QsZ_^7>&ch zVxX~&BJY^5y5m93AK81J^?HmsTsiF`b76&?^+WPhJ$uzhW`-uUW~Asr5=>BG0Aroqgx0mX+}XOb2pyo+?T81LoeD;&OJ> zYo6@uH)pnX0n+0jZW$Q}zx(;zN#p0ebDw=IISK7IeyAEv!SeXRG%NV9yDBbo?cuqV zQQ*4b0!OOewnm*kp2gMpPh)Pqre6Bnwr-*7K&jyB={{f5Waw(Yhd|sAlzbSNT5#uO zP0FPIWF|=ZG-_WA_;!5NT);s$KlhrBt56+2O%RYmAkfr>r2SJ7@Yx8rlL42la^$D@iwmYzc*g#( zmlwB!Gy#;8TeE@n3DYm7%)bU)58+^ULFqg(Mc?vJ?v?d!gE7sClAvzP*_6q|2>wJi ze5>NYOG^fkG4bi$b66<8#t>x3Jz>E(gsi?cU}wi!TzkXCEi3cK^8I5=z>{56Y$OPW z3J9&IV~C$B5SmHq z4vrSazYK{VwRiAUNv?8AzOCUefB<9@>Ybv+h=*jbP%8TL5v}0j14F@?8!sHmrNxIL zvgZ=<8^P)=EZre6J_SGB>fXt1#_4VFtugvJKkxw2AVzdX(&Ux?nFpOM~DttU;3q@4Ax}x=q z7G;y$t*KN*x&iWzX*c!Zh4Cw|pFHYlb_V-k*jDA1IJa6BfDTIC2-ef4mj!zpm8?FN z(E9{Om+eO*ScR=ox*XGIRC*JW)9xUGH*?C4EC#RQzfdgcc~Bmb@`@`~cixndw-ZcM z)ZF+1)gug_y*bp>6nd4U31Z{Rr$7lc<~E(H-FSV1f0XfpOtm7;l_sTO3j63VbYjs% z2b@-CTYI<)*=7Ruvl`d|#p38*%-H4^u9dQ&{IY1C z>8k|bju*#4%@=-N4$t#Jkz-9-bX8?P?Wjqjg=3SsMJrFXnrgJt{W#ewqb$}s@5J}P z7kCC-0KJU7J`^xA?tAa!k4vGS7&~S*c@rO1oU4o+hj&PRAQA(PZ|XX%$M4-4JF7<*0Gv-*6y6~iJ>2<9xwidX80Fc&lgA3 zDJ!t&W#ttu-@S4Z7x-O_7nM9O$2wmwBkwo{IpBH79d1Iua>Mj7-5ilb-%c{W5s;lG z+JE0-9nSw@?x$b~^MX~fyxN_eS^V>+KAlu)Xul3Xn{x~N8l|YX^dqbR-!^e5kWDfl zAnl~nHg75g+DN*bB}V+iPcxb{bT2YN{Gnw%^8GauUoQx3XZ^ctM(8>q(M z)+o79sLFEP$VERDV=HWAvQZK38FO%8m8w0{xlIy2k~pRDawBHvVzi)V1m_k(^6ew^ z*6sa`9&P1MV5zsM((K97;mwj_>K1Ve zFow=Dxhu;5&MB+LqTGm&Un)BY;6u!8PwiY#t%)xiaM7$_#SSkJBZOb!cf4I2pn+!1 zy*Y=4aKc9i+N`72csat90CKyDK^uI*Lu%*vQJ#)6CijVhn{8~MyDF8|F9L_U&Rjmv z0e7CeaXh*r+W?!ikL-CAJF!0*tl|_QhX5DK7bmt^1};47-oCRjZw;$wnX;%20Q{h1 
zK1B|q7if!1E*m6-gxK3rF(2iMBp-Uex&Z-mo2^rEN&}$^?^E!QF7!Pazcnu?U;F|A z6Z*t~49(u#>Enuii)r#7E#Jug?x(R7f#boY=B}2hBW}~}-%Wn}4tBxD3K_?^uISo& zAnpFae;LN^dY#5Za6FYV*N2C&X6Y+;G-^Z!N=aj`0cetE=)~iT;PZs-|pW3 zycJQmC`7@+*8=cs0!IL~$Nf=mx!h6p-bz|->`lo^vT|UKm}dU)I~`yr;OVO9k!E1G zVqu^|jPSAIG2@?(Yqh!nVW;(&mYT7Z{iV-DBg#bh2V$1X4TUYa2<{!sEXC*HXgum8 z(iAA>HG<83(*0_3cS?7ioS!4=+!-R50Ls`;=}U8t#Eo6wWnxwRf5JFzW&41o;p3hzX0^vuXQCEq7T3Cq+mCH5?7SDSR+G{LSl zAXwklMbyds&V#T%=$d4194R%3AN~IIeQK~oaOH_jqD3^<)L>lUC#(cQajL1hbGlT2 z#(I}w9=~LdP-{f;n_WF<-!6@1#+76l!`A3a|60!FmX#FZGSEOTLaJ|r%Nv5?JFD6s zW@lfa7|`~P?igoTU+8kUlSe;qZLE}D?kv@2>;^-Ya0bV)1l?38f4Ubn3Ta4KY{@a? zCM|lA0ND!SngAIrw2nf7FYWi$5>5tM4`^x>o3;{ImOp;ttJEUo3k+vi@hC6fqGinq zGxx-BQ@t5@&m(04S;1ytpr!_FK$VNHcTv=9|G=uFCKZX7ISQ3|gEtanT=y&w@0TcQ-5TN9Qh{g%ufm186;E<4H?Ucj92hj@o%qBEHw!tIkBD3SG6Zq>xJ?#V$lIBDF0DK47p!2xt zx%_z?{9SAAmOSM6BWvEGsiKdw&9H!`M9rQLrKK%~&@5+z%!)TUS-QuDA9?H4+$0@4 zwS7^te(y@xC-+xARzm8wwMk^vs7WEvZq%$!>9P|iWjI*z-D@vmBd&>seTdt!L31q3 zy+xAl=J8om<}of7($OFv+WMy;I2G6Dt_H@6-}v}ql5TB`sOGD(+76jQIne8Lv<#C*RZc*oxyYs#>>tn=*{-&6xm&@;j&IJm;){b6r!KS>m;txw?w!4v7s?HSas3DJY2CQ|V51`M)Qz6SFFy z1e1R-OqUQR!Dpt_#OeAWdZd$!3UGp?)tq|UsN<)q)>%N>ukO@~U(m$SypMH`TP=$Q z?VTA1-P54_03JDxoeJlgh^5pc*y``=a<#1(TJjP2wDQfs_iF6d37P|e5uutoK8G$W z>-UeXJ7Xol_eq94>?Zs;tZ|Eh!p8DJdko|pTHsYgkp2f}sd;k&G`-)UT5H+9!E#B&U=ua;<$Id;ZQN3q z%jF;+Aj&*gQM!V!FoRWRUHT?H}{_D`Azbh56Eq=lJn$jnk zxY56(wr$VCasJ;eMr6X4+RB|%Kg%vKu-)6q{Yc%=8>AEYlY=pN{5QW^Yr+X@eEL|T z=SA5t5*<@6fnuK))3GiuymIp)Ae^7tAprE<0R4()V2zR0s-AGp-9w} zvrgB~X5e%~pl{cBrE`=8)(TN(SRABD=JlQoC1uJRZMrNKl@h}~kWIfD4vlp+hv+($ zy{CX^$iRkKFwth(>5szY0o!L@8^?y6!rIeUh12rxmVslC5(7^~=;$C@O!WuqBGA~>iPf7>rGX3U&R z^nxs*{-unKCib`^SpZZ*;2j7+v_PB&LAhnD1@S3oQev!)nK4e1&X-U@R z4Y$6)MXIXS3bEcvGu4s)u?Is~Jr>tsSl2W*`4n2plMN49F#Xg)Cf+CB`K7&te=>{M zdz7kAcx*3I7IMO}tA1OoSEA>evZE38_~v~nRVb~8wowE5t4@?1+B`+bS~xuV#ZV#O z<KKp!hMPyme^YK0@l!Zp%&nF8cwl{$b27MnEZ|*RB2t^UBrBpPysF3kB5UR3 zN;g2|Lf_#|X+jP*7M_0diL2b7;)Hu^KD57XzmlAb(#SHJsFqQ--wOgNL13I#=0EuuA2 
zYD&D!uO9z^G&0_RyNu+`cS%yIC13B1QS__K63nP6-=Rh^7>{q&WU9_swpPK^3Jr`U z94(ot28km|Bcl^VRwFjTM#oEe!A5YSYC?72SkbLK|xIW|M3|uelM6D%E zjdU?b!Eq~QfR0$5#uQHk6O+9_|CsT|ekl=P)yo~Mg0`QS;+Sq#C~t$lu$M^cD%w)I z6_{&Rj->X`C3n>S8hY22vRwrhZ1WW&`&xNN(9}s=EoMZL9;&KyjLC>bA~NePE!?~U zL|+~LB5bRi$taa4iio|L;^q4=OvG0y7503Q1oP`ogvAc=&P?^u1=zc5MXRzpV}$iM zw;^Nsv>7rk|B3}ksX@SE)>Cia zgY2KFTsLK#VmPDUSLewrW6_o&NQ`si~iNN|(?`7Lgins*!97#zmNYW3GCJ?02m^ zD>fB%Y#hl+n5Q%y5S26vz7!DrL|+Ol=DB3*k=1-kQopuD9qa1DN5I{V)5875^++8h zgvPkdwX>wQUv(17yqr)f{6rk0AmR-q5$OQU^kAY{;Y|V9f8SC*@BJgQk%qT#nl5jV zVftNo@Ys6`&SecV1Yx(1%E#A_u!hnyrvrO(-kpHD=NDH|7$sii#*cf;N+W^x&i&pOcXLd>T&+G+3zL?dpNOhC0`JH zl>YVCz(L1+Z7@>vF}X)+S}(i0V5dnbIK6YIwAzTtk?0q(%qUoK;mt(W*n zeJeK>T2sdr>{~vJY*tYt>yehWFBDPAZ_G9E3Yy&xJ~S^mEkL;SooSB3U6(& z)WR$cQU0tEzbhkH_JD3Ay_!KG%{4PxnY*Qs8bNa$N8xWi*PmxMF8`qv$4FU4>a_JZ z(Z`JE3|y?(f0P;b!_x z-0M^V7&a!t2s43wj!N$p#L=THh3gvGd@ZeA%{w-WX{#w3I8SWJ)7ZH;ZryJd9%P(- z?MObcm-;3w3!A)NBH8vSahrDh?CJc&lH0;3Ht;MBIn(ZFHzyB3vP!f8@vAar%Kk3z zveez7=e00-`WRQD+{ z+Mr*o0J5#(cQvIci>%ll;VG>^g1nez+MWi*%u)p3&LcqhsNeW9#9MTAyn3EV3tr)?ddSsg|Q-bu~6qnMtx>9+agA|5BYi zi_4BjzSU3VwRt`pCwqD87kAfl_1N+UG~(Nz?&YdE#S=-^ee(3j)tn=AjkJ46CC*$p zSpDhYmIRRSwNzw2wH2-U>#|JNkpGDilgL=&Ds{D(Pcmz|sx~oW1dyj5ty6f67>z|&Cs~3f>#vd|n&+D= z>$y}~aa`O0y~kdf1L?yUM>!dSImP%|;MK$mWlRD1J=bpMa8o8iO6(R`r9& zg4R-A-MuQ|r^Sv4j4GC4{0MCMy@?84TkR&d*^lrdEO(lL2M)gMELG4dC?~p1oc#dt z2lNV(rf`$}PzRoY!K&vL;maa2+sy6~=H$d(pKefa&!g;wqj3*Xl+&F&5P`E@Azq3Q)3uP z{^<**C%K#G{#PQ{hCXz3;&g#^rd@=qMNLLGtA6EPLFOYG9qAE^TO{{;76+aKMJWI@ zC{eX(Be3cnr;a5yXoXjn-Vmc;jZI@1`fR~K;I79dqhUSs@@CNp81xbZQk9%^S{te+ zET>cEGxiY-ZMf3ga@4-XSp;*$fpKSlKsX@veW95;E2>a-nyC!ki$R)T;!jDHp8b?Y zp~wPk28EOb6v7yhWQxu8_V(#~qxK##KgZ>tR3|dfhtQJH#bwm-co4eK6;b3qiv!VV zMSyNpbHrLef`^=nS%@^#>AF;VLDmyT_jgdAq>Uvs;<2_pGHvLic?uR)@mfs?J;?ZNh6Eh-!gjtmuc$85E&Vpr>A;msHZp{s(ydS*Hw#)_d_;^>y%Z1MQlFZ=WL za%ZVa&sfk&RlS1+hCcH&`I*e#x?vX}`MUc0Srsf8*^|b%KD1RhB+|$oRR{HH7HKl+ zL`2=6G5higABp!GE0+{1vsjxaL}b524vKb#e8t+o=e7yzbu9PKd7Xjqwk5={JZd}& zs(v}SGfqOBwCX8N=H 
zmHz-uLP|)iOjTc4NETCZ1PDz6RVW4!C1ySOFTSJW{s9fCAa(&L7;eGj-yykKl9GGU zXn7zdz{i);*>9HjQH%HO|9bxF9Rs~)ri(HG)znXsSR3jeP|;U zo}CA&O2oaWd*QOAEn2Kco5LB3VJziSB~!2Pp3_D9H*E3V@a&XH%kZKGz1XFX>Zqu6 z@9{A3I6i-81#jcL^9E~YJT5Gp%}nU=jk)PcHOnt*I*MG7d(VP^_<4#}16WaAC$7iI zTFO|iWE0wLsyav6PeKt=95?c0--Ba6C4GudyQ%epX6-oLSfJ-EXehnIa)a)XhgIvp z%W3>~j~?6so8GDYx}b;p0xN>8v^H={)_31LAm{xXT49B7{nV!0M4ayQ3HU9u)W~5M_%WH}2e`)oiegH!;xRM}5Zn^4W^APly#*M$vg^*sl>U;I&zF5+4Xf zqmpv+eaeTjRY*ZBO&BlB@gadGc5d7+9l`axyGUAvnwbr#3ENLApOEn=x=4SiXB5tQ z2B+o1V>5o$?!J6ik4IbM7emPf-v?G&Avsu-D!y3*X!)pYj}mpT7{-MKAdb1$LXYZL6}HE9x+~L#P||bc=epoGSuqSfOj%?}Dz5JcT6}CDg_~%7J_)soU!tTbgRalqMJAU$RZ`C6Ij+#i5KJ zy!rXe>XbDiZji^hn>P(AqS0cYF|5=RPy2<-6;84mF+-U{DoYhsr^K((YEn&~n^67M zYs(O#7;KTbZ0YBfHqBdNlzICieZqH4ExToNWuNP2`NQj}AGHlil7z&sr!1p~>$^7T z+eV;{sBI3Llp6%CrSGoWxT>mrng_~Kl^bGnV2xg$99|uCKhS7jXCoLMz#p3dJeGqy zz7D|4a@fDt7V=yG^7w3d3XLb$chsTN#vgULUlev(6TdH^{8k`Xw&zaL``BhRRbcW$ zayyc*`v^0X=9#37ZcQkcCwUBnc)jSqtChd7_5V;a*0X_#AVe=>Z?Z=*{Me8gl1mle z=po~+ZCYvvdfhs=K3hePuNwd;e@ebr&Czrf2`M&Lx!Imh0u`ww2OkT@+rL^z8G#@C zOeQP;hu{@4b+OMpL^r#Y+M_(9!~f#jotuUf;ybkId*siAuaT8!jYb7@+BqsNYkxo( zA3oFCFG+3lzJoqkH$X&s6F9hQ(=f%lI0ObSd74Znf4AS_l(qUHw`Vsj8SaznbRC2; zv^J22!9(fO{IU|Nrw-dSR+Ta2CxeDKPuf-Ju?k9CrHJL%g7NJ!DO>? zOWN0u@%&9T{{mJWboQ~^`q$jOOYB@2Ygv1FIDpM*2Nqe;@1X0?^2118N75(7l5&Ga zB?dcA{Kp7bA+`McZ;BV-6f$cTu&K*u7Adx*>LHbQjV$uu+#RU57Rt2F9Yv1Ny7`0~ z_acR(8P=m(o9@otc)ha%Hn;yoq9Q`P#TR^VLz$oWLS7_>ZoGCJWEsK1^5x<$l~h-c$Lhhp5dH84>-f;&@y96LAg_~0`MkAgOdt0006_p(M(o()_W{<7B z=)=*`0K;QsQ#LZX98 zbP((iC7vzVPNYU!OQI&^dE&uUisVsXj13DV9Q4VFB5y_yS1-!H^?CfZGp3j@R;lZu zd>lS{DWZ%lmleDqIWV>gA)nA+SOVWf+pmnB3e8z7hR~*n!s%3p8Wqy0RGnpiO&*N! 
z+Rv9>QpgZYv#(Dd9aD$PSKledis&jUyu4e4-X&Md2u0|~ugPs?9O$%WoE_U3Nv$u@ zLOnRM(NnsD%CvpcjTPbm3;!_75uW&#rpwTYNq~i@Ty&pz>f$PF zS*xv{bFqGaT%jSpaZUNNMdzxwPUiCBiddP;`rHxga@XjE44YCX9>#}jS;przC|0=+ z#}sIJ*2|rAo=rheX2@q!sF6A*_A>~cX8%3fsJ^0s3F0wvlm7wu>g2s^q0vMe@(Ck5 zZD%?*+W5S5P1@L)Qu)=@z`z6TSB(Md^Nwa2g49-v)j0vV-T?x=kcIAo@}L6y>xHtm zM2M@W=sljX4CU){FZ7>se?SR7piZ_Z#|Sq@t1Pak*y;wMf~5<{VDZ4%Vi{J zw@E0laNgZzX@fniQ@o<3pc6i|Gqv0GU;KHx_RwYIJ22-vc4kU#5#{M65|ewdD_9jX z*p@Y451-!2EYV>v7$J37jJ2A{}JEE{M za-5u;*?DdpUBG^o%!UD3HH5_2Z}Iq}8m#!%m91v4Usr_~+c> z$g7w^%3cO+h%<2|ru^OvblPO-zJ2U}Dw3t0Tu>J=L~F-KFdpUslef=bHRHF1o@J^< zE7zwW9$r26Wtdkk$rBnXed#GeqbB89daIK`!JrI99Bs~)m9eS&al+o=N;Uv<0BorW z5(s*Qg3R8&%<2R{QRoYiUD)!`q?1?}=4rfO90=H*25; zWlk3v?!}wp27Rh%Dt^I?)+c}L8rC~rC#ntastFW1U6!>;=Oa!F*$nhMu_Q)w3ryR@ z%X)$|NdMQwq2k~X$MgW8*!Y>y&J~ucbZUqW3;7!Sx!kZRoQE$i^UnC&^L!MrwoYGa_vpVnq(N;QV`20bell%%vA{f3?(S66>-Rdm z%y?<{)Hh7eF=KD*EOU&~^!zyknV{7uTGohe)y_S)!zMp5;zY&fOeQ`HLcE=S5EYun`wF=Nyq5&YgWFtDBl01o(pRAb+2k(JTMMG5FG^KHU50_N@#~G6VHj z(Hae3vh#E;(7)qI zb2`svc_sACGQUx@a`8;!)$G{E`m+;z+X%eKT(C0|ZR{9|TZOQ%QUY^4Y=)hx+hoDH z5AkgwJ(-phZ&fKBE;176;k77ZSJ#$fWpCkw>B&9lNh|RO3D8m3og5;&>o!!yRcH<1{l@bgfUkEgKrbg-hGlg~?Smu~G|MbR3D`j6E zL*?AY%v^abe$|cm=~0DuiJ$(bmuU~On~G7_e3MJXCp0i&}8egaOJ4Cs5{# z3yEt|X`Cs0NPVWT)bZ|6oraF8#Vjpo2g>0^8Cyxd8W+rTTK3#Z;#iDD*# zjou*q+jkP=tVQIPuwYRRW-7h9I|{%OsgBIPWY_UWb?Am=%Xd`k$Xj@`6Gg*D{hK_PZLI;0(5Okh94U~c(BL>WDmxg0aP68VgQx5J zG8?wEw6)i_*GwMfYX)y^=;m3{KT1dl(#A;Q(*sF82j*i)!3D6e^p z_b0@bt7A*dx0)LjU1Ahl?{jh~fVr?=FSA!6;^%_PqSh9|Ubf`v!Gb%@< v3KT`LIzg8T2TiZFFFuS5WQ&b z;19B!pK?!Ptzg$)W(JE|B@Le`lC$yz=wQkV!ZWl5 z_#GJ}E$nZoCoF8hoC_L z#nBFtU&m8F<1Mw+k}#{XC8w>^4F$2E`DchZe8h4SV`%bk;is63mu}2h zP~k|!YO^ChhZ8tQ^FWV}ZstPA5?HTv?%CY%bzYSpI2#RGI@FPQOb*G_j8OdcNB+WB zBKIYJUs+(3nOl3>k$Q6dt+ze`gD2h*?{?g3^DKl2?^JLAIc0{}R$HZ` zxn`4gG%sKwBo27ZoNd7_D{jfYt4W(X{@pVD|I!kjSWWMGp?Kb?(~i}V?R7fExEaQ{ zOIm`dc!-v;6TaSP<-n;Sypsn<#PxkKK|F|cJQT&I0ijj=(QePrWWrJ?R(S--3Y(PK 
zBKZ1A%a)>LVo~4N;MUpqhx$9C3E3EaHey5+Hje0**s3#C&j?u|E#=_t7*$SmCRJB>4H%Sccx*!A||Pk!}v2PpnT=wbQ=3=Bw@}lN-2SHA_}rTcr9~2~}`p zZa=Wd#%g#YHha(J!J{K2Vqvq%=it^5H; zZ*}g8$_eh=bdhiXtLX_T7l}URl^H0+eywWKwP3_nNQ%APDc8N|)ky8Vx{CCGH97vU zo4JA-Gse?CT)1qwD3wDto#Ec&51+H#GkPU_QI5%NDtVtl6HBd{p}Vb>4Kez zI`74Hw3={f@fMw1E;TL=>QT>y@1K!1({oPX{ z)Rx}enU7gqbHZYJ=Gierx@nYj>{>*jUVV(jrvN~p42rlO(U@vcB1|td)Qc2C>?`_M zH6@o#Ka(3Y%S`TM*c1V&o-EmkbxFSwQXAgjR6*;2~tk zoKXM!3mfb5s84evTX}XAv!=B0E8o1RYtSVHkiDwS@LQqUu504wR&W~BsnP1~i`bVQ zi%!@+9w5ZHFZ($_ydK#7P;Pc_YY%?XQV(-|R+gP{<>U1&(ShP4hE>gE8rwRWeu5M6 ze7CD}@Xy<<`lhG}`#jCF@fGXI>ucQe3TkqVn$}Q&4#~vKpg5a7U4Cp{U(@tLlD5Y& z(=;-j%$^YmW+S+tBT&r$nX9g*p)q2w>1!2yDK9NfrYatHliZWD^80#%(B-bH^jb43!XL}oC+dl)>kt}Sm_tDuJ2DV=%imV7qF4B z;G0^c&uv-=W?=`1tzY<&$hjpg@6R9*SMrXTg8_6nA%-kHw0(+gqG8DjfiY1Hk%@) zXMz5@?djvI{nA&>==;=aj;p-(tA|*Qv#L@ zf4)w+bF;QF1yN{NbAb95wMG~e0_AG>PFt!IWAhU9QrT&%2Cb=)GP9mks7d_e*Zyzh zvi}5`Og&TOyw2X>grCYLO704L2fsQ``yJU{X3Y?kbB7g~J4?S&U!Sm4nZ)%RgmSq- zd|e(8R;MnnCw^dZZYkvAc;u(=2Ni5=VRwNzF&Xch>xumYo4LalaOF{;{1n3;(UScN zshX#Y-oXV|TX!U}Ik-Yg^Pzo6bOeKBDhyL@>#)M&tI5`5mC6F^vIklQ!(V+hV0+S~ zL0i_+0}=I}teB1$0wSKJ*Qd*sy93M2ZA{%L5L~zWlKkwDnKZ4$%>d0;44$_&*eX~R z_pf%kPmLAvZYdSUA}X(`Eoi5_wRyyz_;}@?u^+MKL60%&2b| z;ZDgX58Usdh9ypW35`M4&xa-5F z^C1Y65B5`V(?>huN6wgQ`QAcV*}5csu{?e#otP<_AgIWAp{?GQ?@jQEUzMa%D9 zE=YMo7~z*o!GQ}3<5~SFw!^w`xg)0ny}V#WLQi68DT1CXY@+gI?&YeoHgX8AVU8W& z-S*^86<5DGp6of_}R4o&8EPI8mEPessf9jqr*XozfGYmzK)u2BAXiRGbsRX|2+nWj@;%q;IPIHgi?Mu9RNa8 z+PIce_nr|?)cWE|+iM+{WqHRL_?%qC*C5|+bPsF}m3BMp^i{vgn_w)h3e)%>8McAG z5zlk+o|0K6y0F4L$+4euE;k|G6qxC5)UncPxBrgHxe{)#G8oB!i!pkYujQ0s7$p1! 
z6N$1Fg3tejm1fGKv6d7PA&se=xZu55iCd_uHuR(bWD@{P>8i4!lV+`c6)IZvmAbMxhuw;nk0nJltfpIRYf@v~8_0y}`e(h^|RLl9r; zdi9w+0S8~POwk>j5V`RjY`aAF3ar@b1 za5nAM*T<%SV0>KO)`|VReVZSUWC@06K9{?`CJn03e${Hf=7U^IHp9Ic5>|ao<`24H zf?Vaxu3?1x)hxm7ez@x%TQ@+r6~W^JRv@8Uv*4!$F6Wlu6TrHORlMS$QuMEEjBZ$W z@7Yn>lJ4SCm(Ak!!pAYP(&}Wf?X^080Te1@W@8-erFoM@!?}G9c<34|G8X)l=%>J~ z%poe1T%W)I_3yCV57}#NKmH@#@_(}IzpaXjnnL0&xQ75MdBfRT&FSxnLSGrH=+m2v zK|dk~Q8wUay~0OLiT5`Keyc!Y{5m5>ikr3#+@1aQ6u4G8a{hpN)UK8kA3w3SpECXd z{l*6-%LK{)c*Pf{{s)wa;dGBKelLyWsvI_a=LoD{#Ryk!@cnMW#Nb7KV?nS-RH{ds zFO3D#*8eC^1)gf(=>qVRPk?O)TnWR;?3%wH5M94-a=r!zc)GHGKp|Odw&Qx4|2RVS zA3s%>tPE{D;mCbwr4n`yWUA<6NHn>*W957XDF_|El?aG?l-%;(s;!f3%c; zUGsnI@Sx(ifJn!P>JLbY2Vp7MWz~T>to!BTQ)QPF-zWdx?4+3f~;3F&UgICsMXDi#!uf)B9AReO3Z`03} zXE#5mG`8diW+@ViC;tAvG9m{n;J;Yd_3ssup-eKWRcP*eWH{nTfa7}y90aQf=fsEBh2I&TI7}?>j@;~iWlm#$G^XB zx&$aQ?l~WOV-f6lQ!Hmytj#~Jc#0%e8HQSDz>)YtnBOih=JDP583k=nQOBJ7_t)-RLyr$Vqu5kYxq@v zKp8OcYoMn9x|A^8KcF##%)33muINKd8>{PY|Iwn6qJOK6qS$wpU9k*{(&&vB;Lg7atozXAS~e~178 literal 0 HcmV?d00001 
diff --git a/integrations/amazon-security-lake/images/asl-overview.jpeg b/integrations/amazon-security-lake/images/asl-overview.jpeg new file mode 100644 index 0000000000000000000000000000000000000000..294cf4024ba496ee1a94b137a63772b89308e8f9 GIT binary patch literal 33327 zcmeFZ2Ut_xwl2I7q*nz51tNliARr*UL`0g1ROv-Py7XS7A|N0jT|fv$q!W=|1f(Oq z214(>gc?FfZoa+Gx#!#a-2Lsd&;9SS_y0U6IALaGt+>WoV~#oAcf51qCUElr?Gr^6 zMSy?+00{6u0B#D92S|yDNr*3#l8}&)k&%*9(o<1VP*5^oxk^LNdL6{ZdYy&kCMQ4F z&0F_4SXj8l?%umE_~5|<5SN6ExR5lz@B^XWzJ!2`jEs_kl8K6nNr;_=UFaWv;hF(D zQi2ymMT7*mfJ<})gmeVBHUNY_&&vdVdIA6TBDh3IbeWihl#HALze6Q0aEXAB@DdT> z<;z4w_`L)1p94g6m#?r3$`N1HG$*;`N-y*#Hj9+wQQ1!ht)YERVGFmnWaNz3n3%8M zzQe_Rm*;_qsF=8fr2JzAMI~jGC)zsCb@lWO3@u+;S=-p!*}HpqdU^Z!`USrW2@QK6 z9uXIxkeHPGDJ3;K=S%L_y!?W~@8uPhRn;}MbuF!J?H!$6-M@xMM#skC6O)LA#iiwy z)wT7FP2|Dh(ecSC>J0sxT?7E(pUuMm{48{Y`&h%U1W z5?_(iBr$irdQ0dHDgC3^tg@eE9Ku@r3>I!f&XUrn9xmH8TA zPrRH5FcfTKlzvtS!6>Qiu<3t zg>oCuE}()8pncj(v57qF=(*WR`dntixd68A z_iv#nT6@kB{@L+y2Dk|6?A4SzI@NRF^3_{8*h`GBALJK8ETHGwI}n6-kYZnx#niP# z=$?%=27lGcb~HM_n&g&@@|D_Ok?s`i?RIXYdD$kXjv*BR>@*F&+a)_YIFN6pzH=t) zjps4igH9gOY2p9^3hlr@Fdi_@F1H-vA0FRigo}`|S$P>JkY;+qjUr}lI%)lmijGcxBhd$lvFd z$*?+a;Hc(iU>DohB7w*UDA;QG=-5$;B^`sUr)7>pQ3(Lq)z1Tqz(~PRu+|a>ffL8vUT<1;N?zfvcOB=^8={0= z^XB560s90)rA;|P&$f#6>8n2~2va1qJ@X---k?qGkijx_Nq9H!{cfK1^eDu_>wqmK$wLuBb!r3ZlG0#6qj+L&D(J z`jhSE_t6Hf`~ip^#66dyqF$(8@ufk(93}0p`SeFIHlIGgYopjM&P1lrUf0njt-7te zz;o*KyKrnYHc?A}(Z|g#8$@fT<)mvh>C4<@)}Tlu7ahp^VF-I;)6fm&Hmo{jT{XB@ z%0Ikd(6E)hoTz)lrO78$LV|EEqE5Xv-LDPh(Q}c|sW!IjygDV7-YxL3ss6lG207@y zPO#o-JWLE_I2(JVkWhQDD?6BBv?S4LLz0Dwl6PHnyfoBeyp{Tj-{R`!xLuJu!b4|Z z5A+dCVx*C2t4h=MP(>7aug-I9t1^40k43B96@G<>SeI3HgGjd-<h(sPqTjqnCUvqpQu=CXCOV@1Yo}w-iOY}nmNzb!ib%9vN3V9u z@LKbx`R?d$-d&8F8S(oSP0rBaM)TD2huf_1e!}c6HJMivMl#8t_6Mj&rc{aE0lCc2 zL#LgH=r$t0J&3Xgk=UWdQtW(Pu82EZ`(B@xei0+=)FvGpJ5_26d_y)u3sKfM!1!B5 zV}=yj?FfJK>%|K>=dBL+nL9|C`$?Cibr^8~orlU!gP4TTr{p$j%W~?XgV+mflfL)!?eaabu&ot#g*Y`K5rXmkaKBCw4xqM?EYxCe-QJfO&V^BjVu>*JRwoN7>~szG+S` 
["wazuh.indexer:9200"] + user => "${INDEXER_USERNAME}" + password => "${INDEXER_PASSWORD}" + ssl => true + ca_file => "/usr/share/logstash/root-ca.pem" + index
=> "wazuh-alerts-4.x-*" + query => '{ + "query": { + "range": { + "@timestamp": { + "gt": "now-1m" + } + } + } + }' + schedule => "* * * * *" + } +} + + +output { + stdout { + id => "output.stdout" + codec => json_lines + } + file { + id => "output.file" + path => "/var/log/logstash/indexer-to-file-%{+YYYY-MM-dd-HH}.log" + file_mode => 0644 + codec => json_lines + } +} diff --git a/integrations/amazon-security-lake/logstash/pipeline/indexer-to-s3.conf b/integrations/amazon-security-lake/logstash/pipeline/indexer-to-s3.conf new file mode 100644 index 0000000000000..f1acee7b5c45c --- /dev/null +++ b/integrations/amazon-security-lake/logstash/pipeline/indexer-to-s3.conf @@ -0,0 +1,53 @@ +input { + opensearch { + hosts => ["wazuh.indexer:9200"] + user => "${INDEXER_USERNAME}" + password => "${INDEXER_PASSWORD}" + ssl => true + ca_file => "/usr/share/logstash/root-ca.pem" + index => "wazuh-alerts-4.x-*" + query => '{ + "query": { + "range": { + "@timestamp": { + "gt": "now-5m" + } + } + } + }' + schedule => "*/5 * * * *" + } +} + +output { + stdout { + id => "output.stdout" + codec => json_lines + } + s3 { + id => "output.s3" + access_key_id => "${AWS_ACCESS_KEY_ID}" + bucket => "${S3_BUCKET_RAW}" + codec => "json_lines" + encoding => "gzip" + endpoint => "${AWS_ENDPOINT}" + prefix => "%{+YYYY}%{+MM}%{+dd}" + region => "${AWS_REGION}" + retry_count => 0 + secret_access_key => "${AWS_SECRET_ACCESS_KEY}" + server_side_encryption => true + server_side_encryption_algorithm => "AES256" + time_file => 5 + validate_credentials_on_root_bucket => false + additional_settings => { + "force_path_style" => true + } + } + file { + id => "output.file" + path => "/usr/share/logstash/logs/indexer-to-file-%{+YYYY-MM-dd-HH}.log" + file_mode => 0644 + codec => json_lines + flush_interval => 30 + } +} diff --git a/integrations/amazon-security-lake/logstash/setup.sh b/integrations/amazon-security-lake/logstash/setup.sh new file mode 100644 index 0000000000000..9527f1fa58362 --- /dev/null 
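Review bot: in indexer-to-file.conf the file output sets `file_mode => 0644`, so the raw alert export is world-readable on the Logstash host; a file that duplicates the alerts index should default to `0640` or `0600`. The path `/var/log/logstash/indexer-to-file-%{+YYYY-MM-dd-HH}.log` also differs from the `/usr/share/logstash/logs/...` path the s3 pipeline's file output uses, so pick one location (the second lives under Logstash's own home directory) and use it in both pipelines.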
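Review bot: in indexer-to-s3.conf the query window `"gt": "now-5m"` is tied to the `*/5 * * * *` schedule, so exactly-once export depends on the scheduler firing precisely every 300 s: a late tick leaves a gap, an early one re-exports the tail of the previous window, and any alert indexed with an `@timestamp` older than five minutes (agent buffering, clock skew) is never picked up. Combined with `retry_count => 0`, a transient S3 or endpoint error silently drops the whole window. Suggest a retry count above zero, a window slightly wider than the schedule interval with deduplication downstream, and a comment documenting the delivery semantics; `validate_credentials_on_root_bucket => false` and `force_path_style` are fine for the local endpoint but should be marked as dev-only settings.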
+++ b/integrations/amazon-security-lake/logstash/setup.sh @@ -0,0 +1,10 @@ +#!/usr/bin/bash + +# This script creates and configures a keystore for Logstash to store +# indexer's credentials. NOTE: works only for dockerized logstash. +# Source: https://www.elastic.co/guide/en/logstash/current/keystore.html + +# Create keystore +/usr/share/logstash/bin/logstash-keystore create --path.settings /etc/logstash +echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_USERNAME --path.settings /etc/logstash +echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_PASSWORD --path.settings /etc/logstash diff --git a/integrations/amazon-security-lake/requirements.aws.txt b/integrations/amazon-security-lake/requirements.aws.txt new file mode 100644 index 0000000000000..ea911617dede4 --- /dev/null +++ b/integrations/amazon-security-lake/requirements.aws.txt @@ -0,0 +1,2 @@ +pyarrow>=10.0.1 +pydantic>=2.6.1 \ No newline at end of file diff --git a/integrations/amazon-security-lake/requirements.txt b/integrations/amazon-security-lake/requirements.txt new file mode 100644 index 0000000000000..7d14ea9fb1b10 --- /dev/null +++ b/integrations/amazon-security-lake/requirements.txt @@ -0,0 +1,4 @@ +pyarrow>=10.0.1 +parquet-tools>=0.2.15 +pydantic>=2.6.1 +boto3==1.34.46 \ No newline at end of file diff --git a/integrations/amazon-security-lake/src/lambda_function.py b/integrations/amazon-security-lake/src/lambda_function.py new file mode 100644 index 0000000000000..e56caa4bf6426 --- /dev/null +++ b/integrations/amazon-security-lake/src/lambda_function.py 
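Review bot: setup.sh pipes the literal string `admin` into both `logstash-keystore add INDEXER_USERNAME` and `logstash-keystore add INDEXER_PASSWORD`, so the keystore only hides the default credentials from the pipeline files while the script itself commits them in plain text; read the values from environment variables or let `logstash-keystore add` prompt for them. `logstash-keystore create` also produces an unprotected keystore unless `LOGSTASH_KEYSTORE_PASS` is set, per the Elastic page the script links, so the script should set or at least mention it. The header says the script works only for dockerized Logstash, but `--path.settings /etc/logstash` is the deb/rpm settings directory; the official image keeps its settings under `/usr/share/logstash/config`, so confirm which layout is intended.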
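Review bot: requirements.txt pins `boto3==1.34.46` but leaves `pyarrow`, `parquet-tools` and `pydantic` as `>=` floors, and requirements.aws.txt has no exact pins at all, so the Lambda package is not reproducible and silently picks up whatever the resolver finds at build time; pin exact versions (ideally with hashes via `pip-compile --generate-hashes`) and keep the two files in sync. `boto3` appearing only in requirements.txt is consistent with the Lambda runtime providing it, but that should be stated in a comment; both files also lack a trailing newline.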
@@ -0,0 +1,185 @@ +import logging +import os +import urllib.parse +import json +import gzip +import boto3 +import pyarrow as pa +import pyarrow.parquet as pq +from botocore.exceptions import ClientError +import wazuh_ocsf_converter + +logger = logging.getLogger() +logger.setLevel("INFO") + +# Initialize boto3 client outside the handler +if os.environ.get('IS_DEV'): + s3_client = boto3.client( + service_name='s3', + aws_access_key_id=os.environ.get('AWS_ACCESS_KEY_ID'), + aws_secret_access_key=os.environ.get('AWS_SECRET_ACCESS_KEY'), + region_name=os.environ.get('REGION'), + endpoint_url=os.environ.get('AWS_ENDPOINT'), + ) +else: + s3_client = boto3.client('s3') + + +def get_events(bucket: str, key: str) -> list: + """ + Retrieve events from S3 object. + """ + logger.info(f"Reading {key}.") + try: + response = s3_client.get_object(Bucket=bucket, Key=key) + data = gzip.decompress(response['Body'].read()).decode('utf-8') + return data.splitlines() + except ClientError as e: + logger.error( + f"Failed to read S3 object {key} from bucket {bucket}: {e}") + return [] + + +def write_parquet_file(ocsf_events: list, filename: str) -> None: + """ + Write OCSF events to a Parquet file. + """ + table = pa.Table.from_pylist(ocsf_events) + pq.write_table(table, filename, compression='ZSTD') + + +def upload_to_s3(bucket: str, key: str, filename: str) -> bool: + """ + Upload a file to S3 bucket. + """ + logger.info(f"Uploading data to {bucket}.") + try: + with open(filename, 'rb') as data: + s3_client.put_object(Bucket=bucket, Key=key, Body=data) + return True + except ClientError as e: + logger.error( + f"Failed to upload file (unknown) to bucket {bucket}: {e}") + return False + + +def exit_on_error(error_message): + """ + Print error message and exit with non-zero status code. + Args: + error_message (str): Error message to display. 
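Review bot: `get_events` catches `ClientError`, logs it and returns `[]`, which the handler cannot distinguish from an empty object, so a permission or endpoint failure ends the invocation as a success and the S3 notification is never retried; re-raise after logging (or return `None` and treat it as an error) so the Lambda runtime records the failure, and apply the same to `upload_to_s3` returning `False`. In the `IS_DEV` branch, `aws_access_key_id` and `aws_secret_access_key` are passed explicitly although boto3 already reads `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` from the environment, and the region comes from `REGION` here while the Logstash pipeline uses `AWS_REGION`; only `endpoint_url` needs the override, and a single region variable name would avoid misconfiguration.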
+ """ + print(f"Error: {error_message}") + exit(1) + + +def check_environment_variables(variables): + """ + Check if required environment variables are set. + Args: + variables (list): List of required environment variable names. + Returns: + bool: True if all required environment variables are set, False otherwise. + """ + missing_variables = [var for var in variables if not os.environ.get(var)] + if missing_variables: + error_message = f"The following environment variables are not set: {', '.join(missing_variables)}" + exit_on_error(error_message) + return False + return True + + +def get_full_key(src_location: str, account_id: str, region: str, key: str, format: str) -> str: + """ + Constructs a full S3 key path for storing a Parquet file based on event metadata. + + Args: + src_location (str): Source location identifier. + account_id (str): AWS account ID associated with the event. + region (str): AWS region where the event occurred. + key (str): Event key containing metadata information. + format (str): File extension. + + Returns: + str: Full S3 key path for storing the Parquet file. 
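Review bot: `exit_on_error` uses `print` and the site-provided `exit(1)` rather than the module's `logger` and an exception, so inside Lambda the message bypasses the configured logger and the `return False` after the call in `check_environment_variables` is unreachable, which makes the docstring's "False otherwise" wrong as written; raise an exception (for example `RuntimeError` carrying the missing variable names) and let the runtime report the failed invocation.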
+ + Example: + If key is '20240417_ls.s3.0055f22e-200e-4259-b865-8ccea05812be.2024-04-17T15.45.part29.txt', + this function will return: + 'ext/src_location/region=region/accountId=account_id/eventDay=20240417/0055f22e200e4259b8658ccea05812be.parquet' + """ + # Extract event day from the key (first 8 characters) + event_day = key[:8] + + # Extract filename (UUID) from the key and remove hyphens + filename_parts = key.split('.') + filename = ''.join(filename_parts[2].split('-')) + + # Construct the full S3 key path for storing the file + key = ( + f'ext/{src_location}/region={region}/accountId={account_id}/eventDay={event_day}/(unknown).{format}' + ) + + return key + + +def lambda_handler(event, context): + + # Define required environment variables + required_variables = ['AWS_BUCKET', 'SOURCE_LOCATION', 'ACCOUNT_ID', 'REGION'] + + # Check if all required environment variables are set + if not check_environment_variables(required_variables): + return + + # Retrieve environment variables + dst_bucket = os.environ['AWS_BUCKET'] + src_location = os.environ['SOURCE_LOCATION'] + account_id = os.environ['ACCOUNT_ID'] + region = os.environ['REGION'] + ocsf_bucket = os.environ.get('S3_BUCKET_OCSF') + ocsf_class = os.environ.get('OCSF_CLASS', 'SECURITY_FINDING') + + # Extract bucket and key from S3 event + src_bucket = event['Records'][0]['s3']['bucket']['name'] + key = urllib.parse.unquote_plus( + event['Records'][0]['s3']['object']['key'], encoding='utf-8') + logger.info(f"Lambda function invoked due to {key}.") + logger.info( + f"Source bucket name is {src_bucket}. 
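Review bot: `get_full_key` derives the object name with `key.split('.')[2]` and the day with `key[:8]`, so any object whose key does not follow the `YYYYMMDD_ls.s3.<uuid>.<timestamp>.partN.txt` layout shown in the docstring raises `IndexError` or produces a bogus `eventDay` partition; validate the key (a regex with a clear error) before using it. `lambda_handler` also reads only `event['Records'][0]`, so if a notification ever carries more than one record the remaining objects are silently ignored; iterate over `event['Records']`.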
Destination bucket is {dst_bucket}.") + + # Read events from source S3 bucket + raw_events = get_events(src_bucket, key) + if not raw_events: + return + + # Transform events to OCSF format + ocsf_events = wazuh_ocsf_converter.transform_events(raw_events, ocsf_class) + + # Upload event in OCSF format + ocsf_upload_success = False + if ocsf_bucket is not None: + tmp_filename = '/tmp/tmp.json' + with open(tmp_filename, "w") as fd: + fd.write(json.dumps(ocsf_events)) + ocsf_key = get_full_key(src_location, account_id, region, key, 'json') + ocsf_upload_success = upload_to_s3(ocsf_bucket, ocsf_key, tmp_filename) + + # Write OCSF events to Parquet file + tmp_filename = '/tmp/tmp.parquet' + write_parquet_file(ocsf_events, tmp_filename) + + # Upload Parquet file to destination S3 bucket + parquet_key = get_full_key(src_location, account_id, region, key, 'parquet') + upload_success = upload_to_s3(dst_bucket, parquet_key, tmp_filename) + + # Clean up temporary file + os.remove(tmp_filename) + + # Prepare response + response = { + 'size': len(raw_events), + 'upload_success': upload_success, + 'ocsf_upload_success': ocsf_upload_success + } + return json.dumps(response) diff --git a/integrations/amazon-security-lake/src/models/__init__.py b/integrations/amazon-security-lake/src/models/__init__.py new file mode 100644 index 0000000000000..8dc7d9f3af00b --- /dev/null +++ b/integrations/amazon-security-lake/src/models/__init__.py @@ -0,0 +1,2 @@ +import models.wazuh +import models.ocsf diff --git a/integrations/amazon-security-lake/src/models/ocsf.py b/integrations/amazon-security-lake/src/models/ocsf.py new file mode 100644 index 0000000000000..63ab7fc7102a5 --- /dev/null +++ b/integrations/amazon-security-lake/src/models/ocsf.py 
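Review bot: the handler never signals failure: `upload_success` and `ocsf_upload_success` can both be `False` and the function still returns a JSON string normally, so a failed write to the Security Lake bucket is invisible to Lambda's retry and destination handling; raise when `upload_success` is false. Two smaller points in the same hunk: `/tmp/tmp.json` is written when `S3_BUCKET_OCSF` is set but only `/tmp/tmp.parquet` is removed, and `write_parquet_file` runs even when `transform_events` returns an empty list (every line failed validation), which uploads an empty Parquet file to the lake; skip the write when `ocsf_events` is empty and log how many of the `len(raw_events)` lines were dropped.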
@@ -0,0 +1,104 @@ +import pydantic +import typing +import abc + + +class AnalyticInfo(pydantic.BaseModel): + category: str + name: str + type_id: int = 1 + uid: str + + +# Deprecated since v1.1.0. Use AnalyticInfo instead. +class Analytic(pydantic.BaseModel): + category: str + name: str + type: str = "Rule" + type_id: int = 1 + uid: str + + +class TechniqueInfo(pydantic.BaseModel): + name: str + uid: str + + +class AttackInfo(pydantic.BaseModel): + tactic: TechniqueInfo + technique: TechniqueInfo + version: str = "v13.1" + + +class FindingInfo(pydantic.BaseModel): + analytic: AnalyticInfo + attacks: typing.List[AttackInfo] + title: str + types: typing.List[str] + uid: str + + +# Deprecated since v1.1.0. Use FindingInfo instead. +class Finding(pydantic.BaseModel): + title: str + types: typing.List[str] + uid: str + + +class ProductInfo(pydantic.BaseModel): + name: str + lang: str + vendor_name: str + + +class Metadata(pydantic.BaseModel): + log_name: str = "Security events" + log_provider: str = "Wazuh" + product: ProductInfo = ProductInfo( + name="Wazuh", + lang="en", + vendor_name="Wazuh, Inc,." + ) + version: str = "1.1.0" + + +class Resource(pydantic.BaseModel): + name: str + uid: str + + +class FindingABC(pydantic.BaseModel, abc.ABC): + activity_id: int = 1 + category_name: str = "Findings" + category_uid: int = 2 + class_name: str + class_uid: int + count: int + message: str + metadata: Metadata = Metadata() + raw_data: str + resources: typing.List[Resource] + risk_score: int + severity_id: int + status_id: int = 99 + time: int + type_uid: int + unmapped: typing.Dict[str, typing.List[str]] = pydantic.Field() + + +class DetectionFinding(FindingABC): + class_name: str = "Detection Finding" + class_uid: int = 2004 + finding_info: FindingInfo + type_uid: int = 200401 + + +# Deprecated since v1.1.0. Use DetectionFinding instead. 
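Review bot: in models/ocsf.py the `Metadata.product` default carries a typo, `vendor_name="Wazuh, Inc,."`, and that string ends up in every finding written to the lake. `AttackInfo.version = "v13.1"` hardcodes the ATT&CK version, so it should be a named constant documented with the Wazuh MITRE database release it matches. `unmapped: ... = pydantic.Field()` declares a required field in a way that reads like a default; either drop the `= pydantic.Field()` or give it `default_factory=dict`. `FindingABC` mixes `pydantic.BaseModel` with `abc.ABC` but defines no abstract methods, so the ABC base currently does nothing and deserves a comment or removal.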
+class SecurityFinding(FindingABC): + analytic: Analytic + attacks: typing.List[AttackInfo] + class_name: str = "Security Finding" + class_uid: int = 2001 + finding: Finding + state_id: int = 1 + type_uid: int = 200101 diff --git a/integrations/amazon-security-lake/src/models/wazuh.py b/integrations/amazon-security-lake/src/models/wazuh.py new file mode 100644 index 0000000000000..f73ed832b9165 --- /dev/null +++ b/integrations/amazon-security-lake/src/models/wazuh.py @@ -0,0 +1,50 @@ +import pydantic +import typing + +# =========== Wazuh event models =========== # +# These are only the fields required for the integration. + + +class Mitre(pydantic.BaseModel): + technique: typing.List[str] = ["N/A"] + id: typing.List[str] = ["N/A"] + tactic: typing.List[str] = ["N/A"] + + +class Rule(pydantic.BaseModel): + firedtimes: int = 0 + description: str = "N/A" + groups: typing.List[str] = [] + id: str = "N/A" + mitre: Mitre = Mitre() + level: int = 0 + nist_800_53: typing.List[str] = [] + + +class Decoder(pydantic.BaseModel): + name: str = "N/A" + + +class Input(pydantic.BaseModel): + type: str = "N/A" + + +class Agent(pydantic.BaseModel): + name: str + id: str + + +class Manager(pydantic.BaseModel): + name: str + + +class Event(pydantic.BaseModel): + rule: Rule = Rule() + decoder: Decoder = Decoder() + input: Input = Input() + id: str = "" + full_log: str = "" + agent: Agent = {} + timestamp: str = "" + location: str = "" + manager: Manager = {} diff --git a/integrations/amazon-security-lake/src/wazuh_ocsf_converter.py b/integrations/amazon-security-lake/src/wazuh_ocsf_converter.py new file mode 100644 index 0000000000000..494a3c62a7fa6 --- /dev/null +++ b/integrations/amazon-security-lake/src/wazuh_ocsf_converter.py 
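Review bot: `SecurityFinding`, `Analytic` and `Finding` are marked deprecated since v1.1.0 and `Metadata.version` is `"1.1.0"`, yet `lambda_handler` defaults `OCSF_CLASS` to `SECURITY_FINDING`, so an unconfigured deployment emits the deprecated class tagged with the schema version that deprecated it; default to `DETECTION_FINDING` or document why not. In models/wazuh.py, `agent: Agent = {}` and `manager: Manager = {}` are plain dict defaults on model-typed fields: pydantic does not validate defaults, so an alert without `agent` yields a `dict` and `event.agent.name` in the converter raises `AttributeError`, which is caught and drops the event with only a generic log line. Either make both fields required or use `pydantic.Field(default_factory=...)` with a valid `Agent`/`Manager` instance.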
@@ -0,0 +1,185 @@ +import pydantic +import models +import logging +from datetime import datetime + + +timestamp_pattern = "%Y-%m-%dT%H:%M:%S.%f%z" + + +def normalize(level: int) -> int: + """ + Normalizes rule level into the 0-6 range, required by OCSF. + """ + if level >= 15: # (5) Critical + severity = 5 + elif level >= 11: # (4) High + severity = 4 + elif level >= 8: # (3) Medium + severity = 3 + elif level >= 4: # (2) Low + severity = 2 + elif level >= 0: # (1) Informational + severity = 1 + else: + severity = 0 # (0) Unknown + + return severity + + +def join(iterable, separator=","): + return (separator.join(iterable)) + + +def to_detection_finding(event: models.wazuh.Event) -> models.ocsf.DetectionFinding: + """ + Convert Wazuh security event to OCSF detection finding. + """ + try: + + finding_info = models.ocsf.FindingInfo( + analytic=models.ocsf.AnalyticInfo( + category=", ".join(event.rule.groups), + name=event.decoder.name, + uid=event.rule.id + ), + attacks=[ + models.ocsf.AttackInfo( + tactic=models.ocsf.TechniqueInfo( + name=", ".join(event.rule.mitre.tactic), + uid=", ".join(event.rule.mitre.id) + ), + technique=models.ocsf.TechniqueInfo( + name=", ".join(event.rule.mitre.technique), + uid=", ".join(event.rule.mitre.id) + ) + ) + ], + title=event.rule.description, + types=[event.input.type], + uid=event.id + ) + + resources = [models.ocsf.Resource( + name=event.agent.name, uid=event.agent.id)] + + severity_id = normalize(event.rule.level) + + unmapped = { + "data_sources": [ + event.location, + event.manager.name + ], + "nist": event.rule.nist_800_53 # Array + } + + return models.ocsf.DetectionFinding( + count=event.rule.firedtimes, + message=event.rule.description, + finding_info=finding_info, + raw_data=event.full_log, + resources=resources, + risk_score=event.rule.level, + severity_id=severity_id, + time=to_epoch(event.timestamp), + unmapped=unmapped + ) + except AttributeError as e: + logging.error(f"Error transforming event: {e}") + return {} + + 
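Review bot: `normalize` documents a "0-6 range" but only ever returns 1 to 5 (the `else` branch is unreachable for the non-negative `level` that `Rule` defaults to 0), so either align the comment with OCSF's `severity_id` values (0 Unknown through 5 Critical, 6 Fatal) or drop the claim. In `to_detection_finding` both `tactic.uid` and `technique.uid` are filled from `event.rule.mitre.id`, so the tactic entry carries technique IDs rather than tactic IDs; if the alert has no tactic identifier, leave `tactic.uid` unset or document the approximation. The `except AttributeError: return {}` contradicts the `-> models.ocsf.DetectionFinding` annotation and the caller immediately calls `.model_dump()` on the result; re-raise, or return `None` and check for it in `transform_events`.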
+def to_security_finding(event: models.wazuh.Event) -> models.ocsf.SecurityFinding: + """ + Convert Wazuh security event to OCSF's Security Finding class. + """ + try: + + analytic = models.ocsf.Analytic( + category=", ".join(event.rule.groups), + name=event.decoder.name, + uid=event.rule.id + ) + + attacks = [ + models.ocsf.AttackInfo( + tactic=models.ocsf.TechniqueInfo( + name=", ".join(event.rule.mitre.tactic), + uid=", ".join(event.rule.mitre.id) + ), + technique=models.ocsf.TechniqueInfo( + name=", ".join(event.rule.mitre.technique), + uid=", ".join(event.rule.mitre.id) + ) + ) + ] + + finding = models.ocsf.Finding( + title=event.rule.description, + types=[event.input.type], + uid=event.id + ) + + resources = [models.ocsf.Resource( + name=event.agent.name, uid=event.agent.id)] + + severity_id = normalize(event.rule.level) + + unmapped = { + "data_sources": [ + event.location, + event.manager.name + ], + "nist": event.rule.nist_800_53 # Array + } + + return models.ocsf.SecurityFinding( + analytic=analytic, + attacks=attacks, + count=event.rule.firedtimes, + message=event.rule.description, + finding=finding, + raw_data=event.full_log, + resources=resources, + risk_score=event.rule.level, + severity_id=severity_id, + time=to_epoch(event.timestamp), + unmapped=unmapped + ) + except AttributeError as e: + logging.error(f"Error transforming event: {e}") + return {} + + +def to_epoch(timestamp: str) -> int: + return int(datetime.strptime(timestamp, timestamp_pattern).timestamp()) + + +def from_json(json_line: str) -> models.wazuh.Event: + """ + Parse the JSON string representation of a Wazuh security event into a dictionary (model). + """ + # Needs to a string, bytes or bytearray + try: + return models.wazuh.Event.model_validate_json(json_line) + except pydantic.ValidationError as e: + print(e) + + +def transform_events(events: list, ocsf_class: str) -> list: + """ + Transform a list of Wazuh security events (json string) to OCSF format. 
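Review bot: `from_json` prints the `ValidationError` with `print(e)` and falls through, returning `None`, which then reaches `to_security_finding(None)` and surfaces only as a generic "Error transforming line" message; log through `logging` and re-raise, or return `None` and check it in `transform_events`. `to_epoch` raises `ValueError` rather than `AttributeError` for the model's default `timestamp` of `""` or any timestamp without fractional seconds, so that case escapes the converter's `except AttributeError` as well. `to_security_finding` duplicates the analytic, attacks, resources and unmapped construction of `to_detection_finding` almost line for line; factor the shared pieces into helpers so a fix to the tactic/technique mapping lands in both.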
+ """ + logging.info("Transforming Wazuh security events to OCSF.") + ocsf_events = [] + for event in events: + try: + wazuh_event = from_json(event) + if ocsf_class == 'DETECTION_FINDING': + ocsf_event = to_detection_finding(wazuh_event).model_dump() + else: + ocsf_event = to_security_finding(wazuh_event).model_dump() + ocsf_events.append(ocsf_event) + except Exception as e: + logging.error(f"Error transforming line to OCSF: {e}") + return ocsf_events diff --git a/integrations/docker/.env b/integrations/docker/.env new file mode 100644 index 0000000000000..8afc3f3ec361c --- /dev/null +++ b/integrations/docker/.env @@ -0,0 +1,44 @@ +# Password for the 'elastic' user (at least 6 characters) +ELASTIC_PASSWORD=elastic + +# Password for the 'kibana_system' user (at least 6 characters) +KIBANA_PASSWORD=elastic + +# Set the cluster name +CLUSTER_NAME=elastic + +# Set to 'basic' or 'trial' to automatically start the 30-day trial +LICENSE=basic + +# Port to expose Elasticsearch HTTP API to the host +ES_PORT=9201 + +# Port to expose Kibana to the host +KIBANA_PORT=5602 + +# Increase or decrease based on the available host memory (in bytes) +MEM_LIMIT=1073741824 + +# Wazuh version +WAZUH_VERSION=4.9.2 + +# Wazuh Indexer version (Provisionally using OpenSearch) +WAZUH_INDEXER_VERSION=2.13.0 + +# Wazuh Dashboard version (Provisionally using OpenSearch Dashboards) +WAZUH_DASHBOARD_VERSION=2.13.0 + +# Wazuh certs generator version +WAZUH_CERTS_GENERATOR_VERSION=0.0.1 + +# OpenSearch destination cluster version +OS_VERSION=2.18.0 + +# Logstash version: +LOGSTASH_OSS_VERSION=8.9.0 + +# Splunk version: +SPLUNK_VERSION=9.3.1 + +# Version of Elastic products +STACK_VERSION=8.15.3 diff --git a/integrations/docker/amazon-security-lake.yml b/integrations/docker/amazon-security-lake.yml new file mode 100644 index 0000000000000..c02b51dab8c58 --- /dev/null +++ b/integrations/docker/amazon-security-lake.yml 
@@ -0,0 +1,143 @@ +version: "3.8" +name: "amazon-security-lake" + +services: + events-generator: + image: wazuh/indexer-events-generator + build: + context: ../tools/events-generator + container_name: events-generator + depends_on: + wazuh.indexer: + condition: service_healthy + command: bash -c "python run.py -a wazuh.indexer" + + wazuh.indexer: + image: opensearchproject/opensearch:2.12.0 + container_name: wazuh.indexer + depends_on: + wazuh-certs-generator: + condition: service_completed_successfully + hostname: wazuh.indexer + ports: + - 9200:9200 + environment: + # - cluster.name=opensearch-cluster + - node.name=wazuh.indexer + - discovery.type=single-node + # - cluster.initial_cluster_manager_nodes=opensearch-node + - bootstrap.memory_lock=true + - "DISABLE_INSTALL_DEMO_CONFIG=true" + - plugins.security.ssl.http.enabled=true + - plugins.security.allow_default_init_securityindex=true + - plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem + - plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem + - plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem + - plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem + - plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem + - plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem + - plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US" + - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 + healthcheck: + test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster + start_period: 10s + start_interval: 3s + volumes: + - data:/usr/share/opensearch/data + - ./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem + - 
./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem + - ./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem + + wazuh.dashboard: + image: opensearchproject/opensearch-dashboards:2.12.0 + container_name: wazuh.dashboard + depends_on: + - wazuh.indexer + hostname: wazuh.dashboard + ports: + - 5601:5601 # Map host port 5601 to container port 5601 + expose: + - "5601" # Expose port 5601 for web access to OpenSearch Dashboards + environment: + OPENSEARCH_HOSTS: '["https://wazuh.indexer:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query + + wazuh.integration.security.lake: + image: wazuh/indexer-security-lake-integration + build: + context: ../amazon-security-lake + container_name: wazuh.integration.security.lake + depends_on: + - wazuh.indexer + hostname: wazuh.integration.security.lake + environment: + LOG_LEVEL: trace + LOGSTASH_KEYSTORE_PASS: "SecretPassword" + MONITORING_ENABLED: false + AWS_ACCESS_KEY_ID: "AKIAIOSFODNN7EXAMPLE" + AWS_SECRET_ACCESS_KEY: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" + AWS_REGION: "us-east-1" + S3_BUCKET_RAW: "wazuh-aws-security-lake-raw" + AWS_ENDPOINT: "http://s3.ninja:9000" + ports: + - "5000:5000/tcp" + - "5000:5000/udp" + - "5044:5044" + - "9600:9600" + volumes: + - ../amazon-security-lake/logstash/pipeline:/usr/share/logstash/pipeline # TODO has 1000:1000. 
logstash's uid is 999 + - ./certs/root-ca.pem:/usr/share/logstash/root-ca.pem + - ../amazon-security-lake/src:/usr/share/logstash/amazon-security-lake # TODO use dedicated folder + # - ./credentials:/usr/share/logstash/.aws/credentials # TODO credentials are not commited (missing) + command: tail -f /var/log/logstash/logstash-plain.log + + s3.ninja: + image: scireum/s3-ninja:latest + container_name: s3.ninja + hostname: s3.ninja + ports: + - "9444:9000" + volumes: + - s3-data:/home/sirius/data + + aws.lambda: + image: wazuh/indexer-security-lake-integration:lambda + build: + context: ../amazon-security-lake + dockerfile: ../amazon-security-lake/aws-lambda.dockerfile + container_name: wazuh.integration.security.lake.aws.lambda + hostname: wazuh.integration.security.lake.aws.lambda + environment: + AWS_ACCESS_KEY_ID: "AKIAIOSFODNN7EXAMPLE" + AWS_SECRET_ACCESS_KEY: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" + AWS_REGION: "us-east-1" + AWS_BUCKET: "wazuh-aws-security-lake-parquet" + S3_BUCKET_OCSF: "wazuh-aws-security-lake-ocsf" + AWS_ENDPOINT: "http://s3.ninja:9000" + SOURCE_LOCATION: "wazuh" + ACCOUNT_ID: "111111111111" + IS_DEV: true + OCSF_CLASS: SECURITY_FINDING + volumes: + - ../amazon-security-lake/src:/var/task + ports: + - "9000:8080" + + wazuh-certs-generator: + image: wazuh/wazuh-certs-generator:0.0.1 + hostname: wazuh-certs-generator + container_name: wazuh-certs-generator + entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*" + volumes: + - ./certs/:/certificates/ + - ./config/certs.yml:/config/certs.yml + +volumes: + data: + s3-data: diff --git a/integrations/docker/compose.amazon-security-lake.yml b/integrations/docker/compose.amazon-security-lake.yml new file mode 100644 index 0000000000000..8c9b610b97c6f --- /dev/null +++ b/integrations/docker/compose.amazon-security-lake.yml 
@@ -0,0 +1,175 @@ +name: "amazon-security-lake" + +services: + events-generator: + image: wazuh/indexer-events-generator + build: + context: ../tools/events-generator + container_name: events-generator + depends_on: + wazuh.indexer: + condition: service_healthy + command: bash -c "python run.py -a wazuh.indexer" + + wazuh.indexer: + image: opensearchproject/opensearch:${WAZUH_INDEXER_VERSION} + container_name: wazuh.indexer + depends_on: + wazuh-certs-generator: + condition: service_completed_successfully + hostname: wazuh.indexer + ports: + - 9200:9200 + environment: + - WAZUH_INDEXER_VERSION=${WAZUH_INDEXER_VERSION} + # - cluster.name=opensearch-cluster + - node.name=wazuh.indexer + - discovery.type=single-node + # - cluster.initial_cluster_manager_nodes=opensearch-node + - bootstrap.memory_lock=true + - "DISABLE_INSTALL_DEMO_CONFIG=true" + - plugins.security.ssl.http.enabled=true + - plugins.security.allow_default_init_securityindex=true + - plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem + - plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem + - plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem + - plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem + - plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem + - plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem + - plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US" + - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 + healthcheck: + test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster + start_period: 10s + start_interval: 3s + volumes: + - data:/usr/share/opensearch/data + - 
./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem + - ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem + - ./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem + + wazuh.dashboard: + image: opensearchproject/opensearch-dashboards:${WAZUH_DASHBOARD_VERSION} + container_name: wazuh.dashboard + depends_on: + - wazuh.indexer + hostname: wazuh.dashboard + ports: + - 5601:5601 # Map host port 5601 to container port 5601 + expose: + - "5601" # Expose port 5601 for web access to OpenSearch Dashboards + volumes: + - ./certs/:/usr/share/opensearch-dashboards/config/certs/ + - ./certs/wazuh.dashboard-key.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.key + - ./certs/wazuh.dashboard.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.pem + - ./certs/root-ca.pem:/usr/share/opensearch-dashboards/config/certs/root-ca.pem + environment: + WAZUH_DASHBOARD_VERSION: ${WAZUH_DASHBOARD_VERSION} + OPENSEARCH_HOSTS: '["https://wazuh.indexer:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query + SERVER_SSL_ENABLED: "true" + SERVER_SSL_KEY: "/usr/share/opensearch-dashboards/config/certs/opensearch.key" + SERVER_SSL_CERTIFICATE: "/usr/share/opensearch-dashboards/config/certs/opensearch.pem" + OPENSEARCH_SSL_CERTIFICATEAUTHORITIES: "/usr/share/opensearch-dashboards/config/certs/root-ca.pem" + + logstash: + depends_on: + - wazuh.indexer + # image: wazuh/indexer-security-lake-integration + image: logstash-oss:${LOGSTASH_OSS_VERSION} + build: + context: ../logstash + args: + - LOGSTASH_OSS_VERSION=${LOGSTASH_OSS_VERSION} + # container_name: wazuh.integration.security.lake + # hostname: wazuh.integration.security.lake + environment: + LOG_LEVEL: trace + LOGSTASH_KEYSTORE_PASS: "SecretPassword" + MONITORING_ENABLED: false + AWS_ACCESS_KEY_ID: "AKIAIOSFODNN7EXAMPLE" + AWS_SECRET_ACCESS_KEY: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" + AWS_REGION: "us-east-1" + S3_BUCKET_RAW: 
"wazuh-aws-security-lake-raw" + AWS_ENDPOINT: "http://s3.ninja:9000" + ports: + - "5000:5000/tcp" + - "5000:5000/udp" + - "5044:5044" + - "9600:9600" + volumes: + - ../amazon-security-lake/logstash/pipeline:/usr/share/logstash/pipeline + - ./certs/root-ca.pem:/usr/share/logstash/root-ca.pem + + s3.ninja: + image: scireum/s3-ninja:latest + container_name: s3.ninja + hostname: s3.ninja + ports: + - "9444:9000" + volumes: + - s3-data:/home/sirius/data + + aws.lambda: + image: wazuh/indexer-security-lake-integration:lambda + build: + context: ../amazon-security-lake + environment: + AWS_ACCESS_KEY_ID: "AKIAIOSFODNN7EXAMPLE" + AWS_SECRET_ACCESS_KEY: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" + REGION: "us-east-1" + AWS_BUCKET: "wazuh-aws-security-lake-parquet" + S3_BUCKET_OCSF: "wazuh-aws-security-lake-ocsf" + AWS_ENDPOINT: "http://s3.ninja:9000" + SOURCE_LOCATION: "wazuh" + ACCOUNT_ID: "111111111111" + IS_DEV: true + OCSF_CLASS: SECURITY_FINDING + volumes: + - ../amazon-security-lake/src:/var/task + ports: + - "9000:8080" + + generate-certs-config: + image: alpine:latest + volumes: + - ./config:/config + command: | + sh -c " + echo ' + nodes: + indexer: + - name: wazuh.indexer + ip: \"wazuh.indexer\" + server: + - name: wazuh.manager + ip: \"wazuh.manager\" + dashboard: + - name: wazuh.dashboard + ip: \"wazuh.dashboard\" + ' > /config/certs.yml + " + + wazuh-certs-generator: + image: wazuh/wazuh-certs-generator:${WAZUH_CERTS_GENERATOR_VERSION} + hostname: wazuh-certs-generator + depends_on: + generate-certs-config: + condition: service_completed_successfully + container_name: wazuh-certs-generator + environment: + - WAZUH_CERTS_GENERATOR_VERSION=${WAZUH_CERTS_GENERATOR_VERSION} + entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*" + volumes: + - ./certs/:/certificates/ + - ./config/certs.yml:/config/certs.yml + +volumes: + data: + s3-data: 
diff --git a/integrations/docker/compose.indexer-elastic.yml b/integrations/docker/compose.indexer-elastic.yml new file mode 100644 index 0000000000000..fa4f20b8165b3 --- /dev/null +++ b/integrations/docker/compose.indexer-elastic.yml 
@@ -0,0 +1,259 @@ +name: "elastic-integration" + +services: + events-generator: + image: wazuh/indexer-events-generator + build: + context: ../tools/events-generator + depends_on: + wazuh.indexer: + condition: service_healthy + command: bash -c "python run.py -a wazuh.indexer" + + wazuh.indexer: + image: opensearchproject/opensearch:${WAZUH_INDEXER_VERSION} + depends_on: + wazuh-certs-generator: + condition: service_completed_successfully + hostname: wazuh.indexer + ports: + - 9200:9200 + environment: + - WAZUH_INDEXER_VERSION=${WAZUH_INDEXER_VERSION} + - node.name=wazuh.indexer + - discovery.type=single-node + - bootstrap.memory_lock=true + - "DISABLE_INSTALL_DEMO_CONFIG=true" + - plugins.security.ssl.http.enabled=true + - plugins.security.allow_default_init_securityindex=true + - plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem + - plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem + - plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem + - plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem + - plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem + - plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem + - plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US" + - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 + healthcheck: + test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster + start_period: 10s + start_interval: 3s + volumes: + - data:/usr/share/opensearch/data + - ./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem + - ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem + - 
./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem + + wazuh.dashboard: + image: opensearchproject/opensearch-dashboards:${WAZUH_DASHBOARD_VERSION} + depends_on: + - wazuh.indexer + hostname: wazuh.dashboard + ports: + - 5601:5601 # Map host port 5601 to container port 5601 + expose: + - "5601" # Expose port 5601 for web access to OpenSearch Dashboards + volumes: + - ./certs/:/usr/share/opensearch-dashboards/config/certs/ + - ./certs/wazuh.dashboard-key.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.key + - ./certs/wazuh.dashboard.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.pem + - ./certs/root-ca.pem:/usr/share/opensearch-dashboards/config/certs/root-ca.pem + environment: + WAZUH_DASHBOARD_VERSION: ${WAZUH_DASHBOARD_VERSION} + OPENSEARCH_HOSTS: '["https://wazuh.indexer:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query + SERVER_SSL_ENABLED: "true" + SERVER_SSL_KEY: "/usr/share/opensearch-dashboards/config/certs/opensearch.key" + SERVER_SSL_CERTIFICATE: "/usr/share/opensearch-dashboards/config/certs/opensearch.pem" + OPENSEARCH_SSL_CERTIFICATEAUTHORITIES: "/usr/share/opensearch-dashboards/config/certs/root-ca.pem" + + generate-certs-config: + image: alpine:latest + volumes: + - ./config:/config + command: | + sh -c " + echo ' + nodes: + indexer: + - name: wazuh.indexer + ip: \"wazuh.indexer\" + server: + - name: wazuh.manager + ip: \"wazuh.manager\" + dashboard: + - name: wazuh.dashboard + ip: \"wazuh.dashboard\" + ' > /config/certs.yml + " + + wazuh-certs-generator: + image: wazuh/wazuh-certs-generator:${WAZUH_CERTS_GENERATOR_VERSION} + hostname: wazuh-certs-generator + environment: + - WAZUH_CERTS_GENERATOR_VERSION=${WAZUH_CERTS_GENERATOR_VERSION} + depends_on: + generate-certs-config: + condition: service_completed_successfully + entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*" + volumes: + - ./certs/:/certificates/ + - 
./config/certs.yml:/config/certs.yml + + # ================================= + # Elasticsearch, Kibana and Logstash + # ================================= + # https://www.elastic.co/guide/en/elastic-stack-get-started/current/get-started-docker.html + + setup: + image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION} + volumes: + - es_certs:/usr/share/elasticsearch/config/certs + user: "0" + command: > + bash -c ' + if [ x${ELASTIC_PASSWORD} == x ]; then + echo "Set the ELASTIC_PASSWORD environment variable in the .env file"; + exit 1; + elif [ x${KIBANA_PASSWORD} == x ]; then + echo "Set the KIBANA_PASSWORD environment variable in the .env file"; + exit 1; + fi; + if [ ! -f config/certs/ca.zip ]; then + echo "Creating CA"; + bin/elasticsearch-certutil ca --silent --pem -out config/certs/ca.zip; + unzip config/certs/ca.zip -d config/certs; + fi; + if [ ! -f config/certs/certs.zip ]; then + echo "Creating certs"; + echo -ne \ + "instances:\n"\ + " - name: es01\n"\ + " dns:\n"\ + " - es01\n"\ + " - localhost\n"\ + " ip:\n"\ + " - 127.0.0.1\n"\ + " - name: kibana\n"\ + " dns:\n"\ + " - kibana\n"\ + " - localhost\n"\ + " ip:\n"\ + " - 127.0.0.1\n"\ + > config/certs/instances.yml; + bin/elasticsearch-certutil cert --silent --pem -out config/certs/certs.zip --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key; + unzip config/certs/certs.zip -d config/certs; + fi; + echo "Setting file permissions" + chown -R 1000:1000 config/certs; + find . -type d -exec chmod 750 \{\} \;; + find . 
-type f -exec chmod 640 \{\} \;; + echo "Waiting for Elasticsearch availability"; + until curl -s --cacert config/certs/ca/ca.crt https://es01:9200 | grep -q "missing authentication credentials"; do sleep 30; done; + echo "Setting kibana_system password"; + until curl -s -X POST --cacert config/certs/ca/ca.crt -u "elastic:${ELASTIC_PASSWORD}" -H "Content-Type: application/json" https://es01:9200/_security/user/kibana_system/_password -d "{\"password\":\"${KIBANA_PASSWORD}\"}" | grep -q "^{}"; do sleep 10; done; + echo "All done!"; + ' + healthcheck: + test: ["CMD-SHELL", "[ -f config/certs/es01/es01.crt ]"] + interval: 1s + timeout: 5s + retries: 120 + + es01: + depends_on: + setup: + condition: service_healthy + image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION} + volumes: + - es_certs:/usr/share/elasticsearch/config/certs + ports: + - ${ES_PORT}:9200 + environment: + - node.name=es01 + - cluster.name=${CLUSTER_NAME} + - cluster.initial_master_nodes=es01 + - ELASTIC_PASSWORD=${ELASTIC_PASSWORD} + - bootstrap.memory_lock=true + - xpack.security.enabled=true + - xpack.security.http.ssl.enabled=true + - xpack.security.http.ssl.key=certs/es01/es01.key + - xpack.security.http.ssl.certificate=certs/es01/es01.crt + - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt + - xpack.security.transport.ssl.enabled=true + - xpack.security.transport.ssl.key=certs/es01/es01.key + - xpack.security.transport.ssl.certificate=certs/es01/es01.crt + - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt + - xpack.security.transport.ssl.verification_mode=certificate + - xpack.license.self_generated.type=${LICENSE} + mem_limit: ${MEM_LIMIT} + ulimits: + memlock: + soft: -1 + hard: -1 + healthcheck: + test: + [ + "CMD-SHELL", + "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'", + ] + interval: 10s + timeout: 10s + retries: 120 + + kibana: + depends_on: + es01: + condition: 
service_healthy + image: docker.elastic.co/kibana/kibana:${STACK_VERSION} + volumes: + - es_certs:/usr/share/kibana/config/certs + ports: + - ${KIBANA_PORT}:5601 + environment: + - SERVERNAME=kibana + - ELASTICSEARCH_HOSTS=https://es01:9200 + - ELASTICSEARCH_USERNAME=kibana_system + - ELASTICSEARCH_PASSWORD=${KIBANA_PASSWORD} + - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt + - SERVER_SSL_ENABLED=true + - SERVER_SSL_KEY=/usr/share/kibana/config/certs/kibana/kibana.key + - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/certs/kibana/kibana.crt + mem_limit: ${MEM_LIMIT} + healthcheck: + test: + [ + "CMD-SHELL", + "curl -s -I https://localhost:5601 | grep -q 'HTTP/1.1 302 Found'", + ] + interval: 10s + timeout: 10s + retries: 120 + + logstash: + depends_on: + es01: + condition: service_healthy + image: logstash-oss:${LOGSTASH_OSS_VERSION} + build: + context: ../logstash + args: + - LOGSTASH_OSS_VERSION=${LOGSTASH_OSS_VERSION} + environment: + LOG_LEVEL: info + MONITORING_ENABLED: false + volumes: + - ../elastic/logstash/pipeline:/usr/share/logstash/pipeline + - ./certs/root-ca.pem:/usr/share/logstash/root-ca.pem + - es_certs:/etc/certs/elastic + command: logstash -f /usr/share/logstash/pipeline/indexer-to-elastic.conf + +volumes: + data: + es_certs: diff --git a/integrations/docker/compose.indexer-opensearch.yml b/integrations/docker/compose.indexer-opensearch.yml new file mode 100644 index 0000000000000..8fc2c4364117c --- /dev/null +++ b/integrations/docker/compose.indexer-opensearch.yml 
@@ -0,0 +1,194 @@ +name: "opensearch-integration" + +services: + events-generator: + image: wazuh/indexer-events-generator + build: + context: ../tools/events-generator + depends_on: + wazuh.indexer: + condition: service_healthy + command: bash -c "python run.py -a wazuh.indexer" + + wazuh.indexer: + image: opensearchproject/opensearch:${WAZUH_INDEXER_VERSION} + depends_on: + wazuh-certs-generator: + condition: service_completed_successfully + hostname: wazuh.indexer + ports: + - 9200:9200 + environment: + - WAZUH_INDEXER_VERSION=${WAZUH_INDEXER_VERSION} + - node.name=wazuh.indexer + - discovery.type=single-node + - bootstrap.memory_lock=true + - "DISABLE_INSTALL_DEMO_CONFIG=true" + - plugins.security.ssl.http.enabled=true + - plugins.security.allow_default_init_securityindex=true + - plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem + - plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem + - plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem + - plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem + - plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem + - plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem + - plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US" + - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 + healthcheck: + test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster + start_period: 10s + start_interval: 3s + volumes: + - data:/usr/share/opensearch/data + - ./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem + - ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem + - 
./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem + + wazuh.dashboard: + image: opensearchproject/opensearch-dashboards:${WAZUH_DASHBOARD_VERSION} + depends_on: + - wazuh.indexer + hostname: wazuh.dashboard + ports: + - 5601:5601 + expose: + - "5601" + volumes: + - ../opensearch/opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml + - ./certs/:/usr/share/opensearch-dashboards/config/certs/ + - ./certs/opensearch.dashboards-key.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.key + - ./certs/opensearch.dashboards.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.pem + - ./certs/root-ca.pem:/usr/share/opensearch-dashboards/config/certs/root-ca.pem + environment: + WAZUH_DASHBOARD_VERSION: ${WAZUH_DASHBOARD_VERSION} + OPENSEARCH_HOSTS: '["https://wazuh.indexer:9200"]' + SERVER_SSL_ENABLED: "true" + SERVER_SSL_KEY: "/usr/share/opensearch-dashboards/config/certs/opensearch.key" + SERVER.SSL_CERTIFICATE: "/usr/share/opensearch-dashboards/config/certs/opensearch.pem" + OPENSEARCH_SSL_CERTIFICATEAUTHORITIES: "/usr/share/opensearch-dashboards/config/certs/root-ca.pem" + + generate-certs-config: + image: alpine:latest + volumes: + - ./config:/config + command: | + sh -c " + echo ' + nodes: + indexer: + - name: wazuh.indexer + ip: \"wazuh.indexer\" + - name: opensearch.node + ip: \"opensearch.node\" + server: + - name: wazuh.manager + ip: \"wazuh.manager\" + dashboard: + - name: wazuh.dashboard + ip: \"wazuh.dashboard\" + - name: opensearch.dashboards + ip: \"opensearch.dashboards\" + ' > /config/certs.yml + " + + wazuh-certs-generator: + image: wazuh/wazuh-certs-generator:${WAZUH_CERTS_GENERATOR_VERSION} + hostname: wazuh-certs-generator + environment: + - WAZUH_CERTS_GENERATOR_VERSION=${WAZUH_CERTS_GENERATOR_VERSION} + depends_on: + generate-certs-config: + condition: service_completed_successfully + entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 
/certificates/*" + volumes: + - ./certs/:/certificates/ + - ./config/certs.yml:/config/certs.yml + + # ================================================ + # OpenSearch, OpenSearch Dashboards and Logstash + # ================================================ + + opensearch.node: + image: opensearchproject/opensearch:${OS_VERSION} + depends_on: + wazuh-certs-generator: + condition: service_completed_successfully + environment: + - cluster.name=opensearch-cluster + - node.name=opensearch.node + - discovery.type=single-node + - bootstrap.memory_lock=true + - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" + - "DISABLE_INSTALL_DEMO_CONFIG=true" + volumes: + - ../opensearch/opensearch.yml:/usr/share/opensearch/config/opensearch.yml + - ./certs/opensearch.node-key.pem:/usr/share/opensearch/config/certs/opensearch.key + - ./certs/opensearch.node.pem:/usr/share/opensearch/config/certs/opensearch.pem + - ./certs/root-ca.pem:/usr/share/opensearch/config/certs/root-ca.pem + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 + ports: + - 9201:9200 + - 9600:9600 + healthcheck: + test: + [ + "CMD-SHELL", + "curl -sku admin:admin https://opensearch.node:9200 2>&1 | grep -q 'The OpenSearch Project: https://opensearch.org/'", + ] + interval: 1s + timeout: 5s + retries: 120 + + opensearch-dashboards: + image: opensearchproject/opensearch-dashboards:${OS_VERSION} + depends_on: + opensearch.node: + condition: service_healthy + ports: + - 5602:5601 + expose: + - "5602" + volumes: + - ../opensearch/opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml + - ./certs/:/usr/share/opensearch-dashboards/config/certs/ + - ./certs/opensearch.dashboards-key.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.key + - ./certs/opensearch.dashboards.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.pem + - ./certs/root-ca.pem:/usr/share/opensearch-dashboards/config/certs/root-ca.pem + + environment: + - 
'OPENSEARCH_HOSTS="https://opensearch.node:9200"' + + logstash: + image: logstash-oss:${LOGSTASH_OSS_VERSION} + depends_on: + opensearch.node: + condition: service_healthy + build: + context: ../logstash + args: + - LOGSTASH_OSS_VERSION=${LOGSTASH_OSS_VERSION} + environment: + LOGSTASH_OSS_VERSION: ${LOGSTASH_OSS_VERSION} + LOG_LEVEL: info + MONITORING_ENABLED: false + volumes: + - ../opensearch/logstash/pipeline:/usr/share/logstash/pipeline + - ./certs/root-ca.pem:/etc/ssl/root-ca.pem + command: logstash -f /usr/share/logstash/pipeline/indexer-to-opensearch.conf + +volumes: + data: + os_config: diff --git a/integrations/docker/compose.indexer-splunk.yml b/integrations/docker/compose.indexer-splunk.yml new file mode 100644 index 0000000000000..9f9681f8cb965 --- /dev/null +++ b/integrations/docker/compose.indexer-splunk.yml 
@@ -0,0 +1,182 @@ +name: "splunk-integration" + +services: + events-generator: + image: wazuh/indexer-events-generator + build: + context: ../tools/events-generator + depends_on: + wazuh.indexer: + condition: service_healthy + command: bash -c "python run.py -a wazuh.indexer" + + wazuh.indexer: + image: opensearchproject/opensearch:${WAZUH_INDEXER_VERSION} + depends_on: + wazuh-certs-generator: + condition: service_completed_successfully + hostname: wazuh.indexer + ports: + - 9200:9200 + environment: + - WAZUH_INDEXER_VERSION=${WAZUH_INDEXER_VERSION} + - node.name=wazuh.indexer + - discovery.type=single-node + - bootstrap.memory_lock=true + - "DISABLE_INSTALL_DEMO_CONFIG=true" + - plugins.security.ssl.http.enabled=true + - plugins.security.allow_default_init_securityindex=true + - plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem + - plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem + - plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem + - plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem + - plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem + - plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem + - plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US" + - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" + ulimits: + memlock: + soft: -1 + hard: -1 + nofile: + soft: 65536 + hard: 65536 + healthcheck: + test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster + start_period: 10s + start_interval: 3s + volumes: + - data:/usr/share/opensearch/data + - ./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem + - ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem + - 
./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem + + wazuh.dashboard: + image: opensearchproject/opensearch-dashboards:${WAZUH_DASHBOARD_VERSION} + depends_on: + - wazuh.indexer + hostname: wazuh.dashboard + ports: + - 5601:5601 # Map host port 5601 to container port 5601 + expose: + - "5601" # Expose port 5601 for web access to OpenSearch Dashboards + volumes: + - ./certs/:/usr/share/opensearch-dashboards/config/certs/ + - ./certs/wazuh.dashboard-key.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.key + - ./certs/wazuh.dashboard.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.pem + - ./certs/root-ca.pem:/usr/share/opensearch-dashboards/config/certs/root-ca.pem + environment: + WAZUH_DASHBOARD_VERSION: ${WAZUH_DASHBOARD_VERSION} + OPENSEARCH_HOSTS: '["https://wazuh.indexer:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query + SERVER_SSL_ENABLED: "true" + SERVER_SSL_KEY: "/usr/share/opensearch-dashboards/config/certs/opensearch.key" + SERVER_SSL_CERTIFICATE: "/usr/share/opensearch-dashboards/config/certs/opensearch.pem" + OPENSEARCH_SSL_CERTIFICATEAUTHORITIES: "/usr/share/opensearch-dashboards/config/certs/root-ca.pem" + + generate-certs-config: + image: alpine:latest + volumes: + - ./config:/config + command: | + sh -c " + echo ' + nodes: + indexer: + - name: wazuh.indexer + ip: \"wazuh.indexer\" + server: + - name: wazuh.manager + ip: \"wazuh.manager\" + dashboard: + - name: wazuh.dashboard + ip: \"wazuh.dashboard\" + ' > /config/certs.yml + " + + wazuh-certs-generator: + image: wazuh/wazuh-certs-generator:${WAZUH_CERTS_GENERATOR_VERSION} + hostname: wazuh-certs-generator + environment: + - WAZUH_CERTS_GENERATOR_VERSION=${WAZUH_CERTS_GENERATOR_VERSION} + depends_on: + generate-certs-config: + condition: service_completed_successfully + entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*" + volumes: + - ./certs/:/certificates/ + - 
./config/certs.yml:/config/certs.yml + + # ================================= + # Splunk and Logstash + # ================================= + + generator: + image: cfssl/cfssl + depends_on: + wazuh-certs-generator: + condition: service_completed_successfully + volumes: + - ./certs/:/certs/ + - ../splunk/cfssl/:/conf/ + entrypoint: /bin/bash + command: > + -c ' + cd /certs + cat /conf/host.json | \ + cfssl gencert \ + -ca root-ca.pem \ + -ca-key root-ca.key \ + -config /conf/cfssl.json \ + -profile=server - | \ + cfssljson -bare splunk + openssl pkcs8 -topk8 -inform pem -in splunk-key.pem -outform pem -nocrypt -out splunk.key + rm splunk.csr + cat splunk.pem splunk-key.pem root-ca.pem > splunkhec.pem + chown -R 1000:1000 /certs/splunk* + ' + + splunk: + image: splunk/splunk:${SPLUNK_VERSION} + volumes: + - ./certs/splunk.key:/opt/splunk/etc/auth/custom/splunk.key + - ./certs/splunk.pem:/opt/splunk/etc/auth/custom/splunk.pem + - ./certs/splunkhec.pem:/opt/splunk/etc/auth/custom/splunkhec.pem + - ../splunk/config/indexes.conf:/opt/splunk/etc/system/local/indexes.conf + - ../splunk/config/default.yml:/tmp/defaults/default.yml + depends_on: + wazuh-certs-generator: + condition: service_completed_successfully + generator: + condition: service_completed_successfully + ports: + - "8000:8000" + - "8088:8088" + environment: + SPLUNK_VERSION: ${SPLUNK_VERSION} + SPLUNK_HEC_TOKEN: "abcd1234" + SPLUNK_HOSTNAME: splunk + SPLUNK_HTTP_ENABLESSL: "true" + SPLUNK_PASSWORD: Password.1234 + SPLUNK_STANDALONE_URL: https://splunk:8080 + SPLUNK_START_ARGS: --accept-license + + logstash: + image: logstash-oss:${LOGSTASH_OSS_VERSION} + depends_on: + splunk: + condition: service_healthy + build: + context: ../logstash + args: + - LOGSTASH_OSS_VERSION=${LOGSTASH_OSS_VERSION} + environment: + LOGSTASH_OSS_VERSION: ${LOGSTASH_OSS_VERSION} + LOG_LEVEL: info + MONITORING_ENABLED: false + volumes: + - ../splunk/logstash/pipeline:/usr/share/logstash/pipeline + - 
./certs/root-ca.pem:/usr/share/logstash/root-ca.pem + command: logstash -f /usr/share/logstash/pipeline/indexer-to-splunk.conf + +volumes: + data: diff --git a/integrations/docker/config/certs.yml b/integrations/docker/config/certs.yml new file mode 100644 index 0000000000000..7a4ef691e5e10 --- /dev/null +++ b/integrations/docker/config/certs.yml @@ -0,0 +1,20 @@ +nodes: + # Wazuh indexer and OpenSearch server nodes + indexer: + - name: wazuh.indexer + ip: wazuh.indexer + - name: opensearch.node + ip: opensearch.node + + # Wazuh server nodes + # Use node_type only with more than one Wazuh manager + server: + - name: wazuh.manager + ip: wazuh.manager + + # Wazuh dashboard and OpenSearch Dashboards nodes + dashboard: + - name: wazuh.dashboard + ip: wazuh.dashboard + - name: opensearch.dashboards + ip: opensearch.dashboards diff --git a/integrations/elastic/Dockerfile b/integrations/elastic/Dockerfile new file mode 100644 index 0000000000000..82314abd3c3bd --- /dev/null +++ b/integrations/elastic/Dockerfile @@ -0,0 +1,19 @@ +FROM opensearchproject/logstash-oss-with-opensearch-output-plugin:latest + +ENV LOGSTASH_KEYSTORE_PASS "SecretPassword" +ENV LS_PATH "/usr/share/logstash" +USER logstash + +# https://github.com/elastic/logstash/issues/6600 +# Install plugin +RUN LS_JAVA_OPTS="-Xms1024m -Xmx1024m" logstash-plugin install logstash-input-opensearch + +COPY --chown=logstash:logstash logstash/pipeline /usr/share/logstash/pipeline +# Copy and run the setup.sh script to create and configure a keystore for Logstash. +COPY --chown=logstash:logstash logstash/setup.sh /usr/share/logstash/bin/setup.sh +RUN bash /usr/share/logstash/bin/setup.sh + +# Disable ECS compatibility +RUN `echo "pipeline.ecs_compatibility: disabled" >> /usr/share/logstash/config/logstash.yml` + +WORKDIR /usr/share/logstash \ No newline at end of file diff --git a/integrations/elastic/README.md b/integrations/elastic/README.md new file mode 100644 index 0000000000000..3707586c959b5 --- /dev/null 
+++ b/integrations/elastic/README.md 
@@ -0,0 +1,57 @@ +# Wazuh to Elastic Integration Developer Guide + +This document describes how to prepare a Docker Compose environment to test the integration between Wazuh and the Elastic Stack. For a detailed guide on how to integrate Wazuh with Elastic Stack, please refer to the [Wazuh documentation](https://documentation.wazuh.com/current/integrations-guide/elastic-stack/index.html). + +## Requirements + +- Docker and Docker Compose installed. + +## Usage + +1. Clone the Wazuh repository and navigate to the `integrations/` folder. +2. Run the following command to start the environment: + ```bash + docker compose -f ./docker/compose.indexer-elastic.yml up -d + ``` +3. If you prefer, you can start the integration with the Wazuh Manager as data source: + ```bash + docker compose -f ./docker/compose.manager-elastic.yml up -d + ``` + +The Docker Compose project will bring up the following services: + +- 1x Events Generator (learn more in [wazuh-indexer/integrations/tools/events-generator](../tools/events-generator/README.md)). +- 1x Wazuh Indexer (OpenSearch). +- 1x Logstash +- 1x Elastic +- 1x Kibana +- 1x Wazuh Manager (optional). + +For custom configurations, you may need to modify these files: + +- [docker/compose.indexer-elastic.yml](../docker/compose.indexer-elastic.yml): Docker Compose file. +- [docker/.env](../docker/.env): Environment variables file. +- [elastic/logstash/pipeline/indexer-to-elastic.conf](./logstash/pipeline/indexer-to-elastic.conf): Logstash Pipeline configuration file. + +If you opted to start the integration with the Wazuh Manager, you can modify the following files: + +- [docker/compose.manager-elastic.yml](../docker/compose.manager-elastic.yml): Docker Compose file. +- [elastic/logstash/pipeline/manager-to-elastic.conf](./logstash/pipeline/manager-to-elastic.conf): Logstash Pipeline configuration file. + +Check the files above for **credentials**, ports, and other configurations. 
+ +| Service | Address | Credentials | +| ------------- | ---------------------- | --------------- | +| Wazuh Indexer | https://localhost:9200 | admin:admin | +| Elastic | https://localhost:9201 | elastic:elastic | +| Kibana | https://localhost:5602 | elastic:elastic | + +## Importing the dashboards + +The dashboards for Elastic are included in [dashboards.ndjson](./dashboards.ndjson). The steps to import them to Elastic are the following: + +- On Kibana, expand the left menu, and go to `Stack management`. +- Click on `Saved Objects`, select `Import`, click on the `Import` icon and browse the dashboard file. +- Click on Import and complete the process. + +Imported dashboards will appear in the `Dashboards` app on the left menu. diff --git a/integrations/elastic/dashboards.ndjson b/integrations/elastic/dashboards.ndjson new file mode 100644 index 0000000000000..a02f7704eb14e --- /dev/null +++ b/integrations/elastic/dashboards.ndjson 
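Review bot: `condition: service_completed_successfully` on `wazuh-certs-generator` cannot detect a failed certificate generation, because its entrypoint is `sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*"` and the exit status of a `;`-joined list is that of the last `chmod`; join the commands with `&&`. The same applies to the `generator` service's `bash -c` script, which has no `set -e`, so a failing `cfssl gencert` or `openssl pkcs8` step is only noticed if the final `chown` happens to fail as well. Two smaller points in the `splunk` service: `SPLUNK_STANDALONE_URL: https://splunk:8080` names a port that appears nowhere else in the file (only `8000:8000` and `8088:8088` are published), and `SPLUNK_HEC_TOKEN: "abcd1234"` / `SPLUNK_PASSWORD: Password.1234` are committed literals while the versions are read from `.env`; moving them next to `WAZUH_INDEXER_VERSION` in `.env` keeps the test defaults in one place and makes clear they must be replaced outside this sandbox. Also, `logstash` waits on `splunk` with `condition: service_healthy`, but no `healthcheck:` is defined for `splunk` in this file, so the ordering relies entirely on the HEALTHCHECK built into the `splunk/splunk` image.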
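Review bot: the committed `integrations/docker/config/certs.yml` is overwritten at runtime by the `generate-certs-config` service in the compose file, which echoes its own node list into `/config/certs.yml` (mounted from `./config`) before `wazuh-certs-generator` runs. That leaves two sources of truth that already differ: this file lists `opensearch.node` and `opensearch.dashboards`, the inline copy does not. Either drop the inline `echo` and mount this file directly, or remove this file and keep the inline definition, and add a comment stating which one is authoritative.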
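Review bot: the backticks in `RUN \`echo "pipeline.ecs_compatibility: disabled" >> /usr/share/logstash/config/logstash.yml\`` turn the line into a command substitution: the shell runs the `echo` (whose output goes to the file, so the substitution expands to nothing) and then executes the empty result, which only succeeds because an empty command is a no-op. Write it as `RUN echo "pipeline.ecs_compatibility: disabled" >> /usr/share/logstash/config/logstash.yml`. Separately, `ENV LOGSTASH_KEYSTORE_PASS "SecretPassword"` bakes the keystore password into the image metadata, where `docker inspect` shows it to anyone who can pull the image and it is inherited by every container started from it; since `setup.sh` only needs it during the `RUN`, pass it as a build `ARG` (or a `--mount=type=secret`) and supply the runtime value through the compose `environment:` instead. The `:latest` base tag and the unpinned `logstash-plugin install` also make the build non-reproducible; the compose files already carry `LOGSTASH_OSS_VERSION`, which could pin the base image here too. The file is also missing its trailing newline.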
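Review bot: the `Service | Address | Credentials` table lists `admin:admin` and `elastic:elastic` without saying they are the defaults of this test environment, and the preceding sentence ("Check the files above for **credentials**") sends the reader to the compose file for the same values. State once that these are development-only defaults that must not be reused beyond this sandbox, and that changing them means editing `docker/.env`. Minor: the service list mixes bullets with and without a trailing period (`1x Logstash`, `1x Elastic`, `1x Kibana`), and the Kibana address `https://localhost:5602` cannot be cross-checked from this README; a pointer to the port mapping in `compose.indexer-elastic.yml` would help.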
@@ -0,0 +1,9 @@ +{"attributes":{"fieldAttrs":"{}","fieldFormatMap":"{}","fields":"[]","name":"wazuh-alerts-4.x-*","runtimeFieldMap":"{}","sourceFilters":"[]","timeFieldName":"timestamp","title":"wazuh-alerts-4.x-*","typeMeta":"{}"},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T17:17:45.191Z","id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","migrationVersion":{"index-pattern":"8.0.0"},"references":[],"type":"index-pattern","updated_at":"2023-04-24T17:17:45.191Z","version":"WzI1MSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":7,\"y\":0,\"w\":8,\"h\":5,\"i\":\"9931cceb-51f1-4e47-bd26-491e7a624592\"},\"panelIndex\":\"9931cceb-51f1-4e47-bd26-491e7a624592\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-1dc5f9b1-9f0c-458b-98e6-e92708af5b9d\",\"type\":\"index-pattern\"},{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"b9624937-542e-4ac9-9f09-ae532ade3311\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"1dc5f9b1-9f0c-458b-98e6-e92708af5b9d\",\"accessor\":\"df19010a-26e5-446d-9d74-56fe2495e38b\",\"layerType\":\"data\",\"textAlign\":\"center\",\"size\":\"xxl\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#db5871\",\"stop\":2}],\"colorStops\":[{\"color\":\"#db5871\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}}},\"query\":{\"query\":\"\",\"language
\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"b9624937-542e-4ac9-9f09-ae532ade3311\",\"type\":\"exists\",\"key\":\"data.vulnerability.severity\",\"value\":\"exists\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{\"exists\":{\"field\":\"data.vulnerability.severity\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"1dc5f9b1-9f0c-458b-98e6-e92708af5b9d\":{\"columns\":{\"df19010a-26e5-446d-9d74-56fe2495e38b\":{\"label\":\"Critical Severity Alerts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"data.vulnerability.severity\",\"isBucketed\":false,\"filter\":{\"query\":\"data.vulnerability.severity : \\\"Critical\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df19010a-26e5-446d-9d74-56fe2495e38b\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":0,\"w\":8,\"h\":5,\"i\":\"a0b05cdd-c4b5-46b0-af2e-32253bd965e6\"},\"panelIndex\":\"a0b05cdd-c4b5-46b0-af2e-32253bd965e6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-fd6049b6-e52c-449e-9775-ded5ac1eac15\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"fd6049b6-e52c-449e-9775-ded5ac1eac15\",\"accessor\":\"2ce8bbeb-74d7-4e28-b616-6edd33c1f981\",\"layerType\":\"data\",\"textAlign\":\"center\",\"size\":\"xxl\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#0c5da3\",\"stop\":2}],\"colorStops\":[{\"color\":\"#0c5da3\",
\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"fd6049b6-e52c-449e-9775-ded5ac1eac15\":{\"columns\":{\"2ce8bbeb-74d7-4e28-b616-6edd33c1f981\":{\"label\":\"Hight Severity Alerts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"data.vulnerability.severity\",\"isBucketed\":false,\"filter\":{\"query\":\"data.vulnerability.severity : \\\"High\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"2ce8bbeb-74d7-4e28-b616-6edd33c1f981\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":23,\"y\":0,\"w\":9,\"h\":5,\"i\":\"b22f2aba-370b-40f2-8f30-c7175fd21d84\"},\"panelIndex\":\"b22f2aba-370b-40f2-8f30-c7175fd21d84\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-a8774fa0-5ae6-4746-94bd-cd21a0210641\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"a8774fa0-5ae6-4746-94bd-cd21a0210641\",\"accessor\":\"b7764bb5-540b-4183-a8c5-e9e856e48949\",\"layerType\":\"data\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#007d73\",\"stop\":2}],\"colorStops\":[{\"color\":\"#007d73\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}},\"textAlign\":\"center\",\"size\":\"xxl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"a8774fa0-5ae6-4746-94bd-cd21a0210641\":
{\"columns\":{\"b7764bb5-540b-4183-a8c5-e9e856e48949\":{\"label\":\"Medium Severity Alerts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"data.vulnerability.severity\",\"isBucketed\":false,\"filter\":{\"query\":\"data.vulnerability.severity : \\\"Medium\\\" \",\"language\":\"kuery\"},\"reducedTimeRange\":\"\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"b7764bb5-540b-4183-a8c5-e9e856e48949\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":32,\"y\":0,\"w\":9,\"h\":5,\"i\":\"dad9436c-6a56-47cc-a52a-065c86d64c7f\"},\"panelIndex\":\"dad9436c-6a56-47cc-a52a-065c86d64c7f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-a397e361-0b6a-4d18-b957-2afce890f6c3\",\"type\":\"index-pattern\"},{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"a532bc3a-2caf-4353-9a37-17d4fb373b0d\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"a397e361-0b6a-4d18-b957-2afce890f6c3\",\"accessor\":\"c0f27509-4ce0-4eca-94c5-e1eddfc176e9\",\"layerType\":\"data\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#222222\",\"stop\":2}],\"colorStops\":[{\"color\":\"#222222\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}},\"textAlign\":\"center\",\"size\":\"xxl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"a532bc3a-2caf-4353-9a37-17d4fb373b0d\",\"alias\":\"data.vulnerability.severity : \\\"Low\\\" 
\",\"type\":\"custom\",\"key\":\"query\",\"value\":\"{\\\"bool\\\":{\\\"must\\\":[],\\\"filter\\\":[{\\\"bool\\\":{\\\"should\\\":[{\\\"term\\\":{\\\"data.vulnerability.severity\\\":\\\"Low\\\"}}],\\\"minimum_should_match\\\":1}}],\\\"should\\\":[],\\\"must_not\\\":[]}}\",\"disabled\":false,\"negate\":false},\"query\":{\"bool\":{\"must\":[],\"filter\":[{\"bool\":{\"should\":[{\"term\":{\"data.vulnerability.severity\":\"Low\"}}],\"minimum_should_match\":1}}],\"should\":[],\"must_not\":[]}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"a397e361-0b6a-4d18-b957-2afce890f6c3\":{\"columns\":{\"c0f27509-4ce0-4eca-94c5-e1eddfc176e9\":{\"label\":\"Low Severity Alerts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"data.vulnerability.severity\",\"isBucketed\":false,\"filter\":{\"query\":\"data.vulnerability.severity : \\\"Low\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"c0f27509-4ce0-4eca-94c5-e1eddfc176e9\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":5,\"w\":25,\"h\":14,\"i\":\"8fe06d85-091b-47aa-a809-aae9150a3314\"},\"panelIndex\":\"8fe06d85-091b-47aa-a809-aae9150a3314\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-47832b00-8a1a-4d99-8631-89379474c236\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"curveType\":\"CURVE_MONOTONE_X\",\"fillOpacity\":1,\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\
"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"area_stacked\",\"layers\":[{\"layerId\":\"47832b00-8a1a-4d99-8631-89379474c236\",\"accessors\":[\"32448531-8094-4131-89c9-38ed77a620ec\"],\"position\":\"top\",\"seriesType\":\"area_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"yConfig\":[{\"forAccessor\":\"32448531-8094-4131-89c9-38ed77a620ec\",\"axisMode\":\"auto\"}],\"xAccessor\":\"f20c7be6-a511-4b95-be88-6de506dbf1d8\",\"splitAccessor\":\"526e79e6-d985-4fc0-b5f3-ec87f5d24b83\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"47832b00-8a1a-4d99-8631-89379474c236\":{\"columns\":{\"526e79e6-d985-4fc0-b5f3-ec87f5d24b83\":{\"label\":\"Top 5 values of data.vulnerability.severity\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.vulnerability.severity\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"32448531-8094-4131-89c9-38ed77a620ec\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}},\"f20c7be6-a511-4b95-be88-6de506dbf1d8\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"3h\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"32448531-8094-4131-89c9-38ed77a620ec\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"526e79e6-d985-4fc0-b5f3-ec87f5d24b83\",\"f20c7be6-a511-4b95-be88-
6de506dbf1d8\",\"32448531-8094-4131-89c9-38ed77a620ec\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Alert severity\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":25,\"y\":5,\"w\":23,\"h\":14,\"i\":\"680cfedf-a868-4de2-8173-897f4df7f6d7\"},\"panelIndex\":\"680cfedf-a868-4de2-8173-897f4df7f6d7\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsHeatmap\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-6f9a4ce5-1395-4bc6-9dd6-0a8c130e9d8a\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"heatmap\",\"layerId\":\"6f9a4ce5-1395-4bc6-9dd6-0a8c130e9d8a\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"position\":\"right\",\"type\":\"heatmap_legend\"},\"gridConfig\":{\"type\":\"heatmap_grid\",\"isCellLabelVisible\":false,\"isYAxisLabelVisible\":true,\"isXAxisLabelVisible\":true,\"isYAxisTitleVisible\":false,\"isXAxisTitleVisible\":true,\"yTitle\":\"\"},\"valueAccessor\":\"4e7e0e20-a869-417a-b9ba-fac0c17e10ed\",\"yAccessor\":\"6fcc771b-b4e8-4684-80da-49b7b897dc24\",\"xAccessor\":\"e8d69708-c954-444b-a94f-9eb1befd3197\",\"palette\":{\"type\":\"palette\",\"name\":\"positive\",\"params\":{\"name\":\"positive\",\"continuity\":\"above\",\"reverse\":false,\"stops\":[{\"color\":\"#d6e9e4\",\"stop\":0},{\"color\":\"#aed3ca\",\"stop\":20},{\"color\":\"#85bdb1\",\"stop\":40},{\"color\":\"#5aa898\",\"stop\":60},{\"color\":\"#209280\",\"stop\":80}],\"rangeMin\":0,\"rangeMax\":null},\"accessor\":\"4e7e0e20-a869-417a-b9ba-fac0c17e10ed\"}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6f9a4ce5-1395-4bc6-9dd6-0a8c130e9d8a\":{\"columns\":{\"4e7e0e20-a869-417a-b9ba-fac0c17e10ed\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":false},\"6fcc771b-b4e8-4684-80da-49b7b897dc24\":{\"label\":\"Top 3 values of data.vulnerability.severity\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.vulnerability.severity\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4e7e0e20-a869-417a-b9ba-fac0c17e10ed\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":false},\"e8d69708-c954-444b-a94f-9eb1befd3197\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4e7e0e20-a869-417a-b9ba-fac0c17e10ed\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"6fcc771b-b4e8-4684-80da-49b7b897dc24\",\"e8d69708-c954-444b-a94f-9eb1befd3197\",\"4e7e0e20-a869-417a-b9ba-fac0c17e10ed\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Vulnerabilities heat 
map\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":14,\"i\":\"5a8626af-2bc4-4317-ad7f-20622c16db0a\"},\"panelIndex\":\"5a8626af-2bc4-4317-ad7f-20622c16db0a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-d94ddf3d-d285-450e-aba4-46057df55fb7\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"542028d8-117e-4ee0-ba25-3ff4475940aa\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"e26de584-b46b-474e-bcd4-11bd37ff8e2e\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"1007fe8b-8a98-4b60-b8ef-93cd49227cd4\"},{\"isTransposed\":false,\"columnId\":\"ec84289b-cb43-4fae-9b94-7b17b696e4e0\"},{\"isTransposed\":false,\"columnId\":\"89ac7aeb-dfe3-449c-a109-6686a3610a4b\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\",\"hidden\":true},{\"columnId\":\"4732efcd-d7cd-4a02-8b03-c498b3bb637c\",\"isTransposed\":false},{\"columnId\":\"056be5db-ea40-4979-9985-8f0c73a8dcef\",\"isTransposed\":false}],\"layerId\":\"d94ddf3d-d285-450e-aba4-46057df55fb7\",\"layerType\":\"data\",\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d94ddf3d-d285-450e-aba4-46057df55fb7\":{\"columns\":{\"542028d8-117e-4ee0-ba25-3ff4475940aa\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":f
alse,\"excludeIsRegex\":false},\"customLabel\":true},\"e26de584-b46b-474e-bcd4-11bd37ff8e2e\":{\"label\":\"data.vulnerability.cve\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.vulnerability.cve\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"1007fe8b-8a98-4b60-b8ef-93cd49227cd4\":{\"label\":\"data.vulnerability.package.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.vulnerability.package.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"ec84289b-cb43-4fae-9b94-7b17b696e4e0\":{\"label\":\"data.vulnerability.severity\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.vulnerability.package.version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"89ac7aeb-dfe3-449c-a109-6686a3610a4b\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949
b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"4732efcd-d7cd-4a02-8b03-c498b3bb637c\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"056be5db-ea40-4979-9985-8f0c73a8dcef\":{\"label\":\"data.vulnerability.package.version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.vulnerability.package.version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"4732efcd-d7cd-4a02-8b03-c498b3bb637c\",\"542028d8-117e-4ee0-ba25-3ff4475940aa\",\"e26de584-b46b-474e-bcd4-11bd37ff8e2e\",\"1007fe8b-8a98-4b60-b8ef-93cd49227cd4\",\"056be5db-ea40-4979-9985-8f0c73a8dcef\",\"ec84289b-cb43-4fae-9b94-7b17b696e4e0\",\"89ac7aeb-dfe3-449c-a109-6686a3610a4b\",\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Events\"}]","timeRestore":false,"title":"wazuh-vulnerabilities-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:37:41.475Z","id":"1e68dc60-e2b
5-11ed-9db8-9f0e23f622c3","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"9931cceb-51f1-4e47-bd26-491e7a624592:indexpattern-datasource-layer-1dc5f9b1-9f0c-458b-98e6-e92708af5b9d","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"9931cceb-51f1-4e47-bd26-491e7a624592:b9624937-542e-4ac9-9f09-ae532ade3311","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"a0b05cdd-c4b5-46b0-af2e-32253bd965e6:indexpattern-datasource-layer-fd6049b6-e52c-449e-9775-ded5ac1eac15","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"b22f2aba-370b-40f2-8f30-c7175fd21d84:indexpattern-datasource-layer-a8774fa0-5ae6-4746-94bd-cd21a0210641","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"dad9436c-6a56-47cc-a52a-065c86d64c7f:indexpattern-datasource-layer-a397e361-0b6a-4d18-b957-2afce890f6c3","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"dad9436c-6a56-47cc-a52a-065c86d64c7f:a532bc3a-2caf-4353-9a37-17d4fb373b0d","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"8fe06d85-091b-47aa-a809-aae9150a3314:indexpattern-datasource-layer-47832b00-8a1a-4d99-8631-89379474c236","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"680cfedf-a868-4de2-8173-897f4df7f6d7:indexpattern-datasource-layer-6f9a4ce5-1395-4bc6-9dd6-0a8c130e9d8a","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"5a8626af-2bc4-4317-ad7f-20622c16db0a:indexpattern-datasource-layer-d94ddf3d-d285-450e-aba4-46057df55fb7","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:37:41.475Z","version":"WzQ3OSwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":5,\"i\":\"c90b5ced-c476-4336-8248-5f5eee09b7d3\"},\"panelIndex\":\"c90b5ced-c476-4336-8248-5f5eee09b7d3\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-f7d51ed1-e2c7-4eff-a2f0-426523a27b79\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"f7d51ed1-e2c7-4eff-a2f0-426523a27b79\",\"accessor\":\"bba216ab-0609-4fc7-9f00-3f95df7bd9e5\",\"layerType\":\"data\",\"textAlign\":\"center\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#1E75B6\",\"stop\":300}],\"colorStops\":[{\"color\":\"#1E75B6\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}},\"size\":\"xxl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f7d51ed1-e2c7-4eff-a2f0-426523a27b79\":{\"columns\":{\"bba216ab-0609-4fc7-9f00-3f95df7bd9e5\":{\"label\":\"Total\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"bba216ab-0609-4fc7-9f00-3f95df7bd9e5\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\"
:{\"x\":16,\"y\":0,\"w\":8,\"h\":5,\"i\":\"dc864252-a518-4187-80ca-b581ad14f1cb\"},\"panelIndex\":\"dc864252-a518-4187-80ca-b581ad14f1cb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-a63a4df1-6335-4d1e-a8fb-44d550e0513b\",\"type\":\"index-pattern\"},{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"4cd727d8-200d-4869-b702-ff540bd3ff56\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"a63a4df1-6335-4d1e-a8fb-44d550e0513b\",\"accessor\":\"65d5d9ac-208b-4393-b498-12f4351445bd\",\"layerType\":\"data\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#e57488\",\"stop\":8}],\"colorStops\":[{\"color\":\"#e57488\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}},\"textAlign\":\"center\",\"size\":\"xxl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"4cd727d8-200d-4869-b702-ff540bd3ff56\",\"alias\":\"rule.level >= 12\",\"type\":\"custom\",\"key\":\"query\",\"value\":\"{\\\"bool\\\":{\\\"must\\\":[],\\\"filter\\\":[{\\\"bool\\\":{\\\"should\\\":[{\\\"range\\\":{\\\"rule.level\\\":{\\\"gte\\\":\\\"12\\\"}}}],\\\"minimum_should_match\\\":1}}],\\\"should\\\":[],\\\"must_not\\\":[]}}\",\"disabled\":false,\"negate\":false},\"query\":{\"bool\":{\"must\":[],\"filter\":[{\"bool\":{\"should\":[{\"range\":{\"rule.level\":{\"gte\":\"12\"}}}],\"minimum_should_match\":1}}],\"should\":[],\"must_not\":[]}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"a63a4df1-6335-4d1e-a8fb-44d550e0513b\":{\"columns\":{\"65d5d9ac-208b-4393-b498-12f4351445bd\":{\"label\":\"Level 12 or above 
alerts\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.level >= 12\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"65d5d9ac-208b-4393-b498-12f4351445bd\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":0,\"w\":8,\"h\":5,\"i\":\"4bab10c4-2a6d-4f8f-8094-323581c98950\"},\"panelIndex\":\"4bab10c4-2a6d-4f8f-8094-323581c98950\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-28318134-b7bd-4faa-b21e-b0a6665b526f\",\"type\":\"index-pattern\"},{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"1b7728c2-28d0-40f9-81ed-74e77231242c\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"28318134-b7bd-4faa-b21e-b0a6665b526f\",\"accessor\":\"e1a6a50b-cffe-4c92-b756-bad658aee97d\",\"layerType\":\"data\",\"textAlign\":\"center\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#d4458d\",\"stop\":4}],\"colorStops\":[{\"color\":\"#d4458d\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}},\"size\":\"xxl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"1b7728c2-28d0-40f9-81ed-74e77231242c\",\"alias\":\"rule.groups : \\\"authentication_failed\\\" or \\\"win_authentication_failed\\\" or 
\\\"authentication_failures\\\"\",\"type\":\"custom\",\"key\":\"query\",\"value\":\"{\\\"bool\\\":{\\\"must\\\":[],\\\"filter\\\":[{\\\"bool\\\":{\\\"should\\\":[{\\\"bool\\\":{\\\"should\\\":[{\\\"term\\\":{\\\"rule.groups\\\":\\\"authentication_failed\\\"}}],\\\"minimum_should_match\\\":1}},{\\\"multi_match\\\":{\\\"type\\\":\\\"phrase\\\",\\\"query\\\":\\\"win_authentication_failed\\\",\\\"lenient\\\":true}},{\\\"multi_match\\\":{\\\"type\\\":\\\"phrase\\\",\\\"query\\\":\\\"authentication_failures\\\",\\\"lenient\\\":true}}],\\\"minimum_should_match\\\":1}}],\\\"should\\\":[],\\\"must_not\\\":[]}}\",\"disabled\":false,\"negate\":false},\"query\":{\"bool\":{\"must\":[],\"filter\":[{\"bool\":{\"should\":[{\"bool\":{\"should\":[{\"term\":{\"rule.groups\":\"authentication_failed\"}}],\"minimum_should_match\":1}},{\"multi_match\":{\"type\":\"phrase\",\"query\":\"win_authentication_failed\",\"lenient\":true}},{\"multi_match\":{\"type\":\"phrase\",\"query\":\"authentication_failures\",\"lenient\":true}}],\"minimum_should_match\":1}}],\"should\":[],\"must_not\":[]}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"28318134-b7bd-4faa-b21e-b0a6665b526f\":{\"columns\":{\"e1a6a50b-cffe-4c92-b756-bad658aee97d\":{\"label\":\"Athentication failure\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"rule.groups\",\"isBucketed\":false,\"filter\":{\"query\":\"rule.groups : \\\"authentication_failed\\\" or \\\"win_authentication_failed\\\" or 
\\\"authentication_failures\\\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"e1a6a50b-cffe-4c92-b756-bad658aee97d\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":32,\"y\":0,\"w\":8,\"h\":5,\"i\":\"3cc5e7d4-2f44-438e-8529-6dfae4e29b16\"},\"panelIndex\":\"3cc5e7d4-2f44-438e-8529-6dfae4e29b16\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-67c3da39-aad2-4ff4-812f-15cf135b2d12\",\"type\":\"index-pattern\"},{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"933a08d4-fd4c-4829-938c-df17bc87af15\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"67c3da39-aad2-4ff4-812f-15cf135b2d12\",\"accessor\":\"ea00d671-3e3a-434a-8813-1dfa3a023112\",\"layerType\":\"data\",\"textAlign\":\"center\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#1a938a\",\"stop\":2}],\"colorStops\":[{\"color\":\"#1a938a\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}},\"size\":\"xxl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"933a08d4-fd4c-4829-938c-df17bc87af15\",\"type\":\"exists\",\"key\":\"rule.groups\",\"value\":\"exists\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{\"exists\":{\"field\":\"rule.groups\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"67c3da39-aad2-4ff4-812f-15cf135b2d12\":{\"columns\":{\"ea00d671-3e3a-434a-8813-1dfa3a023112\":{\"label\":\"Authentication 
success\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"rule.groups\",\"isBucketed\":false,\"filter\":{\"query\":\"rule.groups: \\\"authentication_success\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"ea00d671-3e3a-434a-8813-1dfa3a023112\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":5,\"w\":32,\"h\":14,\"i\":\"fc1f8b94-2637-4f4d-a998-f6a59c6b9e7e\"},\"panelIndex\":\"fc1f8b94-2637-4f4d-a998-f6a59c6b9e7e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-e8600050-5477-49a7-a28e-ce9a47ded5f5\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"e8600050-5477-49a7-a28e-ce9a47ded5f5\",\"accessors\":[\"8d76d731-1e09-4706-b3d9-48108dd7dd32\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"splitAccessor\":\"3f2d0dea-171c-41ed-9452-29106c10a968\",\"xAccessor\":\"c5296771-93c8-48cb-bf57-cad19d8c829e\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"e8600050-5477-49a7-a28e-ce9a47ded5f5\":{\"columns\":{\"8d76d731-1e09-4706-b3d9-48108dd7dd32\":{\"label\":\"Count\",\"dataType
\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"c5296771-93c8-48cb-bf57-cad19d8c829e\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}},\"3f2d0dea-171c-41ed-9452-29106c10a968\":{\"label\":\"Top 5 values of agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8d76d731-1e09-4706-b3d9-48108dd7dd32\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"3f2d0dea-171c-41ed-9452-29106c10a968\",\"c5296771-93c8-48cb-bf57-cad19d8c829e\",\"8d76d731-1e09-4706-b3d9-48108dd7dd32\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Alerts evolution - Top 5 agents\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":32,\"y\":5,\"w\":16,\"h\":14,\"i\":\"e35f33d0-784d-471a-842e-576523d0ca80\"},\"panelIndex\":\"e35f33d0-784d-471a-842e-576523d0ca80\",\"embeddableConfig\":{\"attributes\":{\"title\":\"Top 
Mitre\",\"description\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-d2ef6c07-620f-431e-85f2-77175187e0fe\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"pie\",\"layers\":[{\"layerId\":\"d2ef6c07-620f-431e-85f2-77175187e0fe\",\"primaryGroups\":[\"a676e778-cad9-431e-b520-3e87b3a0afb2\"],\"metrics\":[\"c2640e02-f544-4f25-a0a4-aaec8e9e2f47\"],\"numberDisplay\":\"percent\",\"categoryDisplay\":\"hide\",\"legendDisplay\":\"show\",\"nestedLegend\":false,\"layerType\":\"data\",\"emptySizeRatio\":0.3,\"legendSize\":\"xlarge\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d2ef6c07-620f-431e-85f2-77175187e0fe\":{\"columns\":{\"a676e778-cad9-431e-b520-3e87b3a0afb2\":{\"label\":\"Top 5 values of rule.mitre.tactic\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.mitre.tactic\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"c2640e02-f544-4f25-a0a4-aaec8e9e2f47\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}},\"c2640e02-f544-4f25-a0a4-aaec8e9e2f47\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"a676e778-cad9-431e-b520-3e87b3a0afb2\",\"c2640e02-f544-4f25-a0a4-aaec8e9e2f47\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Top Mitre ATT&K 
tactics\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":15,\"i\":\"ee6f5f4c-2a18-4733-a593-23c1f2a24376\"},\"panelIndex\":\"ee6f5f4c-2a18-4733-a593-23c1f2a24376\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-f001be29-b6cc-4c99-8aae-5941a7f9a8ee\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"72a21fae-312d-4cbb-8a94-fa24d4b29933\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"884cc56d-feb1-40dd-89a9-e006ec72dd85\"},{\"isTransposed\":false,\"columnId\":\"5333b889-bfc5-4e1a-a4e3-54828d1dd91b\"},{\"isTransposed\":false,\"columnId\":\"b3369c71-8edb-4569-89df-883f23ea2785\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\",\"hidden\":true,\"colorMode\":\"none\"},{\"columnId\":\"6bb85b4f-0834-416d-8ade-49d83caac7ee\",\"isTransposed\":false,\"oneClickFilter\":false},{\"columnId\":\"4a2c3535-ba05-42d2-8dbb-5218d3309ea6\",\"isTransposed\":false},{\"columnId\":\"c74264a6-eb65-4232-9444-a503723c6fdf\",\"isTransposed\":false,\"oneClickFilter\":true}],\"layerId\":\"f001be29-b6cc-4c99-8aae-5941a7f9a8ee\",\"layerType\":\"data\",\"headerRowHeight\":\"custom\",\"headerRowHeightLines\":2,\"rowHeight\":\"custom\",\"rowHeightLines\":2,\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f001be29-b6cc-4c99-8aae-5941a7f9a8ee\":{\"columns\":{\"72a21fae-312d-4cbb-8a94-fa24d4b29933\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"or
derDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"884cc56d-feb1-40dd-89a9-e006ec72dd85\":{\"label\":\"rule.description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.description\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"5333b889-bfc5-4e1a-a4e3-54828d1dd91b\":{\"label\":\"rule.mitre.tactic\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.mitre.tactic\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"b3369c71-8edb-4569-89df-883f23ea2785\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"233f059c-ccd6-4a64-a6be-4961a3c4d500\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},
\"customLabel\":true},\"6bb85b4f-0834-416d-8ade-49d83caac7ee\":{\"label\":\"rule.level\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"rule.level\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"includeEmptyRows\":true,\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\"}},\"4a2c3535-ba05-42d2-8dbb-5218d3309ea6\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"c74264a6-eb65-4232-9444-a503723c6fdf\":{\"label\":\"rule.mitre.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.mitre.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"4a2c3535-ba05-42d2-8dbb-5218d3309ea6\",\"72a21fae-312d-4cbb-8a94-fa24d4b29933\",\"c74264a6-eb65-4232-9444-a503723c6fdf\",\"5333b889-bfc5-4e1a-a4e3-54828d1dd91b\",\"884cc56d-feb1-40dd-89a9-e006ec72dd85\",\"6bb85b4f-0834-416d-8ade-49d83caac7ee\",\"b3369c71-8edb-4569-89df-883f23ea2785\",\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Security 
alerts\"}]","timeRestore":false,"title":"wazuh-security-events-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:37:25.862Z","id":"1002c610-a23f-11ed-9c45-1d7f2cbf4bd8","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"c90b5ced-c476-4336-8248-5f5eee09b7d3:indexpattern-datasource-layer-f7d51ed1-e2c7-4eff-a2f0-426523a27b79","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"dc864252-a518-4187-80ca-b581ad14f1cb:indexpattern-datasource-layer-a63a4df1-6335-4d1e-a8fb-44d550e0513b","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"dc864252-a518-4187-80ca-b581ad14f1cb:4cd727d8-200d-4869-b702-ff540bd3ff56","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"4bab10c4-2a6d-4f8f-8094-323581c98950:indexpattern-datasource-layer-28318134-b7bd-4faa-b21e-b0a6665b526f","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"4bab10c4-2a6d-4f8f-8094-323581c98950:1b7728c2-28d0-40f9-81ed-74e77231242c","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"3cc5e7d4-2f44-438e-8529-6dfae4e29b16:indexpattern-datasource-layer-67c3da39-aad2-4ff4-812f-15cf135b2d12","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"3cc5e7d4-2f44-438e-8529-6dfae4e29b16:933a08d4-fd4c-4829-938c-df17bc87af15","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"fc1f8b94-2637-4f4d-a998-f6a59c6b9e7e:indexpattern-datasource-layer-e8600050-5477-49a7-a28e-ce9a47ded5f5","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"e35f33d0-784d-471a-842e-576523d0ca80:indexpattern-datasource-layer-d2ef6c07-620f-431e-85f2-77175187e0fe","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"ee6f5f4c-2a18-4733-a593-23c1f2a24376:indexpattern-datasource-layer-f001be29-b6cc-4c99-8aae-5941a7f9a8ee","type":"index-pattern"}],"type":"dashboard
","updated_at":"2023-04-24T18:37:25.862Z","version":"WzQ3MiwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":29,\"h\":15,\"i\":\"976e6302-500a-427c-bd29-75cee9034fe6\"},\"panelIndex\":\"976e6302-500a-427c-bd29-75cee9034fe6\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"PCI DSS requirements\",\"description\":\"\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false,\"valueAxis\":\"\"},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{},\"style\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"\"},\"style\":{}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":0,\"showCircles\":true,\"circlesRadius\":10,\"interpolate\":\"linear\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"detailedTooltip\":true,\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"addLegend\":true,\"legendPosition\":\"right\",\"fittingFunction\":\"linear\",\"times\":[],\"addTimeMarker\":false,\"truncateLegend\":true,\"maxLegendLines\":1,\"radiusRatio\":9,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"labels\":{}},\"uiState\":{},\"data\":{\"aggs\":[{\"id\":\"1\",\"enabled\":true
,\"type\":\"count\",\"params\":{\"emptyAsNull\":false},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-10w\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"extendToTimeRange\":false,\"scaleMetricValues\":false,\"interval\":\"auto\",\"used_interval\":\"1d\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.pci_dss\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"includeIsRegex\":true,\"excludeIsRegex\":true},\"schema\":\"group\"}],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":15,\"i\":\"d299d776-0b4f-4955-b7d6-5717119dba59\"},\"panelIndex\":\"d299d776-0b4f-4955-b7d6-5717119dba59\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-c85ec231-a4fc-495d-b8d6-1aad7dc1e489\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"c85ec231-a4fc-495d-b8d6-1aad7dc1e489\",\"accessors\":[\"0ca7b7c5-03fd-401d-bd44-201d8ca00
b25\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"e17436ee-06c3-4b4e-acda-f8d379648407\",\"splitAccessor\":\"852bf376-24f0-4b54-8568-0964c3289eb4\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"c85ec231-a4fc-495d-b8d6-1aad7dc1e489\":{\"columns\":{\"e17436ee-06c3-4b4e-acda-f8d379648407\":{\"label\":\"Requirements\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.pci_dss\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"0ca7b7c5-03fd-401d-bd44-201d8ca00b25\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"0ca7b7c5-03fd-401d-bd44-201d8ca00b25\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"852bf376-24f0-4b54-8568-0964c3289eb4\":{\"label\":\"Top 5 values of 
agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"0ca7b7c5-03fd-401d-bd44-201d8ca00b25\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"e17436ee-06c3-4b4e-acda-f8d379648407\",\"852bf376-24f0-4b54-8568-0964c3289eb4\",\"0ca7b7c5-03fd-401d-bd44-201d8ca00b25\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Requirements by agent\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":15,\"w\":48,\"h\":17,\"i\":\"f3674cc2-b4c6-44e1-baa9-6dcb9b932a01\"},\"panelIndex\":\"f3674cc2-b4c6-44e1-baa9-6dcb9b932a01\",\"embeddableConfig\":{\"attributes\":{\"title\":\"PCI 
DSS\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-951964d6-a0d3-4593-911f-b598f1bdd7a6\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"951964d6-a0d3-4593-911f-b598f1bdd7a6\",\"layerType\":\"data\",\"columns\":[{\"isTransposed\":false,\"columnId\":\"27ae8c68-e64e-4824-9422-df1611b74c58\"},{\"isTransposed\":false,\"columnId\":\"30508bd4-917e-4614-9922-c445af8e8a8f\"},{\"isTransposed\":false,\"columnId\":\"7044d45a-dce5-4fbe-8af4-64a9b1e14840\"},{\"isTransposed\":false,\"columnId\":\"49885e99-2da3-4165-9b20-9d78ccaca4bd\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"df70835d-3cfb-4ead-a942-d60c00330c30\"},{\"columnId\":\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\",\"isTransposed\":false,\"hidden\":true},{\"columnId\":\"f96a237b-410c-475c-863e-60acde29fc71\",\"isTransposed\":false,\"oneClickFilter\":true}],\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"951964d6-a0d3-4593-911f-b598f1bdd7a6\":{\"columns\":{\"27ae8c68-e64e-4824-9422-df1611b74c58\":{\"label\":\"rule.description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.description\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"30508bd4-917e-4614-9922-c445af8e8a8f\":{\"label\":\"rule.level\",\"dataType\":\"number\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.level\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f7
cf15d8-617e-4a52-bdc2-6b94a9c722ad\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"7044d45a-dce5-4fbe-8af4-64a9b1e14840\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"49885e99-2da3-4165-9b20-9d78ccaca4bd\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"df70835d-3cfb-4ead-a942-d60c00330c30\":{\"label\":\"rule.pci_dss\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.pci_dss\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"f96a237b-410c-475c-863e-60acde29fc71\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"7044d45a-dce5-4fbe-8af4-64a9b1e14840\",\"49885e99-2da3-4165-9b20-9d78ccaca4bd\",\"df70835d-3cfb-4ead-a942-d60c00330c30\",\"27ae8c68-e64e-4824-9422-df1611b74c58\",\"30508bd4-917e-4614-9922-c445af8e8a8f\",\"f96a237b-410c-475c-863e-60acde29fc71\",\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Recent 
events\"}]","timeRestore":false,"title":"wazuh-pci-dss-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:37:10.201Z","id":"ad09bc40-a634-11ed-8b0e-91d62e747cc9","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"976e6302-500a-427c-bd29-75cee9034fe6:kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"d299d776-0b4f-4955-b7d6-5717119dba59:indexpattern-datasource-layer-c85ec231-a4fc-495d-b8d6-1aad7dc1e489","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"f3674cc2-b4c6-44e1-baa9-6dcb9b932a01:indexpattern-datasource-layer-951964d6-a0d3-4593-911f-b598f1bdd7a6","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:37:10.201Z","version":"WzQ2NSwxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":18,\"h\":13,\"i\":\"847a1b06-c15d-41a2-9a08-73b056e959fb\"},\"panelIndex\":\"847a1b06-c15d-41a2-9a08-73b056e959fb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-0c3e7889-e551-4507-bb13-1a4ff7d96f96\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"curveType\":\"LINEAR\",\"fillOpacity\":1,\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight
\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"area_stacked\",\"layers\":[{\"layerId\":\"0c3e7889-e551-4507-bb13-1a4ff7d96f96\",\"accessors\":[\"9b7ab5ea-5a4d-4fc1-a493-861ed613bfdb\"],\"position\":\"top\",\"seriesType\":\"area_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"f4e6f4ad-fca2-4012-9dc4-a34df1d4a5ec\",\"yConfig\":[{\"forAccessor\":\"9b7ab5ea-5a4d-4fc1-a493-861ed613bfdb\",\"color\":\"#40d4e0\"}]}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"0c3e7889-e551-4507-bb13-1a4ff7d96f96\":{\"columns\":{\"f4e6f4ad-fca2-4012-9dc4-a34df1d4a5ec\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"9b7ab5ea-5a4d-4fc1-a493-861ed613bfdb\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.groups : \\\"rootcheck\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"f4e6f4ad-fca2-4012-9dc4-a34df1d4a5ec\",\"9b7ab5ea-5a4d-4fc1-a493-861ed613bfdb\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Emotet malware 
activity\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":18,\"y\":0,\"w\":30,\"h\":13,\"i\":\"cc5ad74e-c871-4ac3-9487-328adc286921\"},\"panelIndex\":\"cc5ad74e-c871-4ac3-9487-328adc286921\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-5ccb00b3-1675-4c9f-a542-927c5930e66e\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"5ccb00b3-1675-4c9f-a542-927c5930e66e\",\"accessors\":[\"f001735e-ca2b-455d-a50a-b7f44b005f0b\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"b662da8a-50ee-4dae-a2bb-25861753d95c\",\"splitAccessor\":\"52edc505-8c8a-4965-a3f3-46ca861738af\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"5ccb00b3-1675-4c9f-a542-927c5930e66e\":{\"columns\":{\"52edc505-8c8a-4965-a3f3-46ca861738af\":{\"label\":\"Top 5 values of 
data.title\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.title\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f001735e-ca2b-455d-a50a-b7f44b005f0b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]}},\"b662da8a-50ee-4dae-a2bb-25861753d95c\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"f001735e-ca2b-455d-a50a-b7f44b005f0b\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.groups : \\\"rootcheck\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"52edc505-8c8a-4965-a3f3-46ca861738af\",\"b662da8a-50ee-4dae-a2bb-25861753d95c\",\"f001735e-ca2b-455d-a50a-b7f44b005f0b\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Rootkits activity over 
time\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":21,\"i\":\"e3873842-502a-4ba4-a3ab-d5bcdc9d908c\"},\"panelIndex\":\"e3873842-502a-4ba4-a3ab-d5bcdc9d908c\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-777017d9-58d0-4f3f-8461-64af784d41a4\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"56e30fec-0d21-4af5-9751-7630c08713e8\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"94ca03f4-c063-4be7-b4c1-007c8a6d271a\"},{\"isTransposed\":false,\"columnId\":\"1169cee0-a32f-48d2-8e12-2919736d710a\"},{\"isTransposed\":false,\"columnId\":\"23107287-fb86-49ea-bdea-79d55b5e7ea4\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"125edb0b-de81-41b8-9612-1d87188e2b12\"},{\"isTransposed\":false,\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\",\"hidden\":true},{\"columnId\":\"694278f2-f767-4450-90f5-4a95905e989f\",\"isTransposed\":false},{\"columnId\":\"1073b1b6-aa33-4e11-841b-0b6459a56603\",\"isTransposed\":false}],\"layerId\":\"777017d9-58d0-4f3f-8461-64af784d41a4\",\"layerType\":\"data\",\"headerRowHeight\":\"custom\",\"headerRowHeightLines\":2,\"rowHeight\":\"custom\",\"rowHeightLines\":2,\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"777017d9-58d0-4f3f-8461-64af784d41a4\":{\"columns\":{\"56e30fec-0d21-4af5-9751-7630c08713e8\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"par
entFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"94ca03f4-c063-4be7-b4c1-007c8a6d271a\":{\"label\":\"rule.mitre.technique\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.mitre.technique\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"1169cee0-a32f-48d2-8e12-2919736d710a\":{\"label\":\"rule.mitre.tactic\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.mitre.tactic\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"23107287-fb86-49ea-bdea-79d55b5e7ea4\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"125edb0b-de81-41b8-9612-1d87188e2b12\":{\"label\":\"rule.description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.description\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a1caa30b-78e1-4
93d-bb05-f29242d47609\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"a1caa30b-78e1-493d-bb05-f29242d47609\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.groups : \\\"rootcheck\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"694278f2-f767-4450-90f5-4a95905e989f\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"1073b1b6-aa33-4e11-841b-0b6459a56603\":{\"label\":\"rule.level\",\"dataType\":\"number\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.level\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"694278f2-f767-4450-90f5-4a95905e989f\",\"56e30fec-0d21-4af5-9751-7630c08713e8\",\"94ca03f4-c063-4be7-b4c1-007c8a6d271a\",\"1169cee0-a32f-48d2-8e12-2919736d710a\",\"1073b1b6-aa33-4e11-841b-0b6459a56603\",\"23107287-fb86-49ea-bdea-79d55b5e7ea4\",\"125edb0b-de81-41b8-9612-1d87188e2b12\",\"a1caa30b-78e1-493d-bb05-f29242d47609\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Security 
alerts\"}]","timeRestore":false,"title":"wazuh-malware-detection-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:36:31.797Z","id":"f9bb41b0-a3cf-11ed-9187-5147a2b9eedf","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"847a1b06-c15d-41a2-9a08-73b056e959fb:indexpattern-datasource-layer-0c3e7889-e551-4507-bb13-1a4ff7d96f96","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"cc5ad74e-c871-4ac3-9487-328adc286921:indexpattern-datasource-layer-5ccb00b3-1675-4c9f-a542-927c5930e66e","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"e3873842-502a-4ba4-a3ab-d5bcdc9d908c:indexpattern-datasource-layer-777017d9-58d0-4f3f-8461-64af784d41a4","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:36:31.797Z","version":"WzQwNywxXQ=="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":15,\"h\":13,\"i\":\"caf3fb07-a3b0-4f51-b000-926f4b26ee4f\"},\"panelIndex\":\"caf3fb07-a3b0-4f51-b000-926f4b26ee4f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-3ef3cbb5-abf3-4697-9e38-f4cf60bcdd5d\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"3ef3cbb5-abf3-4697-9e38-f4cf60bcdd5d\",\"primaryGroups\":[\"ccea2153-9f5c-4f65-9346-1feceb3783eb\"],\"metrics\":[\"06ae1d26-0a3a-4f59-b5bd-8cb93b640f86\"],\"numberDisplay\":\"hidden\",\"categoryDisplay\":\"hide\",\"legendDisplay\":\"show\",\"nestedLegend\":false,\"layerType\":
\"data\",\"emptySizeRatio\":0.7,\"legendSize\":\"large\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"3ef3cbb5-abf3-4697-9e38-f4cf60bcdd5d\":{\"columns\":{\"06ae1d26-0a3a-4f59-b5bd-8cb93b640f86\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"filter\":{\"query\":\"\",\"language\":\"kuery\"}},\"ccea2153-9f5c-4f65-9346-1feceb3783eb\":{\"label\":\"Top 5 values of rule.groups\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.groups\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"06ae1d26-0a3a-4f59-b5bd-8cb93b640f86\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"ccea2153-9f5c-4f65-9346-1feceb3783eb\",\"06ae1d26-0a3a-4f59-b5bd-8cb93b640f86\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Alert 
groups\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":0,\"w\":33,\"h\":13,\"i\":\"115417e6-11a1-4a55-8055-220b69dad98e\"},\"panelIndex\":\"115417e6-11a1-4a55-8055-220b69dad98e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-54e72470-df75-47d1-a7a6-3d2f807a39d1\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":false,\"position\":\"right\",\"showSingleSeries\":false},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"54e72470-df75-47d1-a7a6-3d2f807a39d1\",\"accessors\":[\"db53a2e0-d936-4f7c-86bb-fc4e20810e64\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"f518cf1a-0d1d-44c7-97a0-12c5cd840e14\",\"splitAccessor\":\"a195fccb-9268-453a-b824-54f1e3f72d12\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"54e72470-df75-47d1-a7a6-3d2f807a39d1\":{\"columns\":{\"a195fccb-9268-453a-b824-54f1e3f72d12\":{\"label\":\"Top 5 values of 
rule.groups\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.groups\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"db53a2e0-d936-4f7c-86bb-fc4e20810e64\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}},\"f518cf1a-0d1d-44c7-97a0-12c5cd840e14\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"db53a2e0-d936-4f7c-86bb-fc4e20810e64\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.groups : \\\"audit\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"a195fccb-9268-453a-b824-54f1e3f72d12\",\"f518cf1a-0d1d-44c7-97a0-12c5cd840e14\",\"db53a2e0-d936-4f7c-86bb-fc4e20810e64\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Events\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":13,\"i\":\"edc2487b-0a85-4975-b841-457471ee5cd0\"},\"panelIndex\":\"edc2487b-0a85-4975-b841-457471ee5cd0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-f001be29-b6cc-4c99-8aae-5941a7f9a8ee\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"5f8c9137-f9b6-4074-ba6c-9fa777b6afdf\"},{\"columnId\":\
"4a2c3535-ba05-42d2-8dbb-5218d3309ea6\",\"isTransposed\":false},{\"isTransposed\":false,\"columnId\":\"72a21fae-312d-4cbb-8a94-fa24d4b29933\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"884cc56d-feb1-40dd-89a9-e006ec72dd85\"},{\"columnId\":\"6bb85b4f-0834-416d-8ade-49d83caac7ee\",\"isTransposed\":false,\"oneClickFilter\":false},{\"isTransposed\":false,\"columnId\":\"b3369c71-8edb-4569-89df-883f23ea2785\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\",\"hidden\":true,\"colorMode\":\"none\"}],\"layerId\":\"f001be29-b6cc-4c99-8aae-5941a7f9a8ee\",\"layerType\":\"data\",\"headerRowHeight\":\"custom\",\"headerRowHeightLines\":2,\"rowHeight\":\"custom\",\"rowHeightLines\":2,\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f001be29-b6cc-4c99-8aae-5941a7f9a8ee\":{\"columns\":{\"5f8c9137-f9b6-4074-ba6c-9fa777b6afdf\":{\"label\":\"rule.groups\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.groups\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"4a2c3535-ba05-42d2-8dbb-5218d3309ea6\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"72a21fae-312d-4cbb-8a94-fa24d4b29933\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\
":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"884cc56d-feb1-40dd-89a9-e006ec72dd85\":{\"label\":\"rule.description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.description\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"6bb85b4f-0834-416d-8ade-49d83caac7ee\":{\"label\":\"rule.level\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"rule.level\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"includeEmptyRows\":true,\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\"}},\"b3369c71-8edb-4569-89df-883f23ea2785\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"233f059c-ccd6-4a64-a6be-4961a3c4d500\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"4a2c3535-ba05-42d2-8dbb-5218d3309ea6\",\"72a21fae-312d-4cbb-8a94-fa24d4b29933\",\"5f8c
9137-f9b6-4074-ba6c-9fa777b6afdf\",\"884cc56d-feb1-40dd-89a9-e006ec72dd85\",\"6bb85b4f-0834-416d-8ade-49d83caac7ee\",\"b3369c71-8edb-4569-89df-883f23ea2785\",\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":true},\"title\":\"Security alerts\"}]","timeRestore":false,"title":"wazuh-incident-response-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:36:14.435Z","id":"e30257a0-a641-11ed-8b0e-91d62e747cc9","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"caf3fb07-a3b0-4f51-b000-926f4b26ee4f:indexpattern-datasource-layer-3ef3cbb5-abf3-4697-9e38-f4cf60bcdd5d","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"115417e6-11a1-4a55-8055-220b69dad98e:indexpattern-datasource-layer-54e72470-df75-47d1-a7a6-3d2f807a39d1","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"edc2487b-0a85-4975-b841-457471ee5cd0:indexpattern-datasource-layer-f001be29-b6cc-4c99-8aae-5941a7f9a8ee","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:36:14.435Z","version":"WzQwMCwxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":12,\"i\":\"9c90478b-ef8d-4f0a-89ea-7cac2fb2b631\"},\"panelIndex\":\"9c90478b-ef8d-4f0a-89ea-7cac2fb2b631\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-b9d91550-4d81-4724-926b-368cbac70c5c\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"b9d91550-4d81-4724-926b-368cbac70c5c\",\"primaryGroups\":[\"393155df-15ed-400b-bef4-be554873a6c6\"],\"metrics\":[\"bc0afca3-aed2-4b22-970c-c91ac3e2bc02\"],\"numberDisplay\":\"percent\",\"categoryDisplay\":\"hide\",\"legendDisplay\":\"show\",\"nestedLegend\":false,\"layerType\":\"data\",\"emptySizeRatio\":0.7}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"b9d91550-4d81-4724-926b-368cbac70c5c\":{\"columns\":{\"393155df-15ed-400b-bef4-be554873a6c6\":{\"label\":\"Top 5 values of data.docker.Action\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.docker.Action\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"bc0afca3-aed2-4b22-970c-c91ac3e2bc02\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}},\"bc0afca3-aed2-4b22-970c-c91ac3e2bc02\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"393155df-15ed-400b-bef4-be554873a6c6\",\"bc0afca3-aed2-4b22-970c-c91ac3e2bc02\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Top 5 events\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":14,\"y\":0,\"w\":34,\"h\":12,\"i\":\"ec92f542-1336-4a92-90e6-548fa7a78db6\"},\"panelIndex\":\"ec92f542-1336-4a92-90e6-548fa7a78db6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-45315f08-c693-4bdc-aa72-8546f280b2b2\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"45315f08-c693-4bdc-aa72-8546f280b2b2\",\"accessors\":[\"69651d63-8697-41d8-b639-5d77e806c90a\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"93ae869a-82d8-4825-9391-568728d510a7\",\"splitAccessor\":\"588460de-4d21-471e-922f-0b59d3ec977f\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"45315f08-c693-4bdc-aa72-8546f280b2b2\":{\"columns\":{\"93ae869a-82d8-4825-9391-568728d510a7\":{\"label\":\"timestamp\",\"dataType\":\"da
te\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"69651d63-8697-41d8-b639-5d77e806c90a\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"588460de-4d21-471e-922f-0b59d3ec977f\":{\"label\":\"Top 3 values of data.docker.Type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.docker.Type\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"69651d63-8697-41d8-b639-5d77e806c90a\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"588460de-4d21-471e-922f-0b59d3ec977f\",\"93ae869a-82d8-4825-9391-568728d510a7\",\"69651d63-8697-41d8-b639-5d77e806c90a\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Events by source over 
time\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":12,\"w\":48,\"h\":37,\"i\":\"cac9a63e-4892-4879-bd94-210fd3b5b3d0\"},\"panelIndex\":\"cac9a63e-4892-4879-bd94-210fd3b5b3d0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-c51272e9-4ceb-4095-a2a2-7d27d957fc4e\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"1cedf71d-5da2-423a-8108-0d28190dc1f2\",\"isTransposed\":false},{\"columnId\":\"09e332ce-350b-499a-8df5-9b15ed375c20\",\"isTransposed\":false,\"oneClickFilter\":true},{\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\",\"isTransposed\":false,\"hidden\":true},{\"columnId\":\"655b8229-82ac-4302-a97c-a5b1778f22f9\",\"isTransposed\":false},{\"columnId\":\"c47bc042-54fd-4134-9cec-05f36c5c95e0\",\"isTransposed\":false},{\"columnId\":\"1bef96c9-5098-47db-9d76-2eba9c1cfd33\",\"isTransposed\":false},{\"columnId\":\"a61f2679-de38-4a5d-b105-dab5d341a400\",\"isTransposed\":false},{\"columnId\":\"f7109d3b-68d4-418c-b4c4-fe451858d375\",\"isTransposed\":false},{\"columnId\":\"28c7593f-f805-4cbd-afed-94dfdbde7d29\",\"isTransposed\":false,\"oneClickFilter\":true}],\"layerId\":\"c51272e9-4ceb-4095-a2a2-7d27d957fc4e\",\"layerType\":\"data\",\"headerRowHeight\":\"custom\",\"headerRowHeightLines\":2,\"rowHeight\":\"custom\",\"rowHeightLines\":2,\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"c51272e9-4ceb-4095-a2a2-7d27d957fc4e\":{\"columns\":{\"1cedf71d-5da2-423a-8108-0d28190dc1f2\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"09e332ce-350b-499a
-8df5-9b15ed375c20\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"e323b79e-be8f-458d-80b9-100d79e6fc3c\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"655b8229-82ac-4302-a97c-a5b1778f22f9\":{\"label\":\"data.docker.Type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.docker.Type\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"c47bc042-54fd-4134-9cec-05f36c5c95e0\":{\"label\":\"data.docker.Action\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.docker.Action\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"1bef96c9-5098-47db-9d76-2eba9c1cfd33\":{\"label\":\"data.docker.Actor.ID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.docker.Actor
.ID\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"a61f2679-de38-4a5d-b105-dab5d341a400\":{\"label\":\"rule.description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.description\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f7109d3b-68d4-418c-b4c4-fe451858d375\":{\"label\":\"rule.level\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"rule.level\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"includeEmptyRows\":true,\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\"}},\"28c7593f-f805-4cbd-afed-94dfdbde7d29\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"1cedf71d-5da2-423a-8108-0d28190dc1f2\",\"09e332ce-350b-499a-8df5-9b15ed375c20\",\"655b8229-82ac-4302-a97c-a5b1778f22f9\",\"1bef96c9-5098-47db-9d76-2eba9c1cfd33\",\"c47bc042-54fd-4134-9cec-05f36c5c95e0\",\"a61f2679-de38-4a5d-b105-dab5d341a400\",\"f7109d3b-68d4-41
8c-b4c4-fe451858d375\",\"28c7593f-f805-4cbd-afed-94dfdbde7d29\",\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Events\"}]","timeRestore":false,"title":"wazuh-docker-listener-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:35:50.548Z","id":"8359c240-a7cf-11ed-8b0e-91d62e747cc9","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"9c90478b-ef8d-4f0a-89ea-7cac2fb2b631:indexpattern-datasource-layer-b9d91550-4d81-4724-926b-368cbac70c5c","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"ec92f542-1336-4a92-90e6-548fa7a78db6:indexpattern-datasource-layer-45315f08-c693-4bdc-aa72-8546f280b2b2","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"cac9a63e-4892-4879-bd94-210fd3b5b3d0:indexpattern-datasource-layer-c51272e9-4ceb-4095-a2a2-7d27d957fc4e","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:35:50.548Z","version":"WzM5MywxXQ=="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":31,\"h\":15,\"i\":\"5177564c-7c79-4412-9c03-99dca92b90d5\"},\"panelIndex\":\"5177564c-7c79-4412-9c03-99dca92b90d5\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-bca83102-e00c-4277-b280-a91ef087536e\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"left\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"curveType\":\"CURVE_MONOTONE_X\",\"fillOpacity\":1,\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"area_stacked\",\"layers\":[{\"layerId\":\"bca83102-e00c-4277-b280-a91ef087536e\",\"accessors\":[\"80ac5cd7-4cfb-4c07-ad75-3cedb6212f18\"],\"position\":\"top\",\"seriesType\":\"area_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"4d2f8c1f-5ce3-449b-b0d7-f1d1989ba49e\",\"splitAccessor\":\"0e534aac-0aaf-4458-8d88-e2575fb2ebb9\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"bca83102-e00c-4277-b280-a91ef087536e\":{\"columns\":{\"0e534aac-0aaf-4458-8d88-e2575fb2ebb9\":{\"label\":\"Top 3 values of 
data.aws.source\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.aws.source\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"80ac5cd7-4cfb-4c07-ad75-3cedb6212f18\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]}},\"4d2f8c1f-5ce3-449b-b0d7-f1d1989ba49e\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"80ac5cd7-4cfb-4c07-ad75-3cedb6212f18\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.groups : \\\"amazon\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"0e534aac-0aaf-4458-8d88-e2575fb2ebb9\",\"4d2f8c1f-5ce3-449b-b0d7-f1d1989ba49e\",\"80ac5cd7-4cfb-4c07-ad75-3cedb6212f18\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Events by source over 
time\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":31,\"y\":0,\"w\":17,\"h\":15,\"i\":\"692e518d-0688-414b-92e8-6b2bf1b960dd\"},\"panelIndex\":\"692e518d-0688-414b-92e8-6b2bf1b960dd\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-ecb05aff-bc9d-4ba1-b817-bf4016e0c5ef\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"ecb05aff-bc9d-4ba1-b817-bf4016e0c5ef\",\"primaryGroups\":[\"e81edf81-ce10-496b-8ca9-eb38d5ff2ccb\"],\"metrics\":[\"4a2c1031-e343-427d-b141-b47ccc7a570a\"],\"numberDisplay\":\"hidden\",\"categoryDisplay\":\"hide\",\"legendDisplay\":\"show\",\"nestedLegend\":false,\"layerType\":\"data\",\"emptySizeRatio\":0.7}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"ecb05aff-bc9d-4ba1-b817-bf4016e0c5ef\":{\"columns\":{\"e81edf81-ce10-496b-8ca9-eb38d5ff2ccb\":{\"label\":\"Top 5 values of data.aws.source\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.aws.source\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4a2c1031-e343-427d-b141-b47ccc7a570a\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]}},\"4a2c1031-e343-427d-b141-b47ccc7a570a\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"e81edf81-ce10-496b-8ca9-eb38d5ff2ccb\",\"4a2c1031-e343-427d-b141-b47ccc7a570a\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Sources\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":15,\"w\":48,\"h\":15,\"i\":\"25e0d536-4163-46e6-abd5-5cd45cd9f30a\"},\"panelIndex\":\"25e0d536-4163-46e6-abd5-5cd45cd9f30a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"e\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-c23cdcb3-1e5c-46f0-9ef2-827d9b867cb2\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"8882fc10-f772-4a02-af1f-049b59a04dfd\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"1835ff08-affb-403c-991e-8e642c7a5456\"},{\"isTransposed\":false,\"columnId\":\"6dce6ade-b342-4645-9ff2-228f319d69f7\"},{\"isTransposed\":false,\"columnId\":\"f8266242-342d-4046-8bb5-90efe4839a60\",\"hidden\":true},{\"columnId\":\"06b78908-beb7-4a01-a9b0-b7f9775318d9\",\"isTransposed\":false},{\"columnId\":\"ea992e31-8ea1-4548-8182-da51c911cf21\",\"isTransposed\":false},{\"columnId\":\"a8c6efd9-93b3-4636-96ea-43b359962134\",\"isTransposed\":false,\"oneClickFilter\":true}],\"layerId\":\"c23cdcb3-1e5c-46f0-9ef2-827d9b867cb2\",\"layerType\":\"data\",\"headerRowHeight\":\"custom\",\"headerRowHeightLines\":2,\"rowHeight\":\"custom\",\"rowHeightLines\":2,\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"c23cdcb3-1e5c-46f0-9ef2-827d9b867
cb2\":{\"columns\":{\"8882fc10-f772-4a02-af1f-049b59a04dfd\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f8266242-342d-4046-8bb5-90efe4839a60\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"1835ff08-affb-403c-991e-8e642c7a5456\":{\"label\":\"data.aws.source\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.aws.source\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f8266242-342d-4046-8bb5-90efe4839a60\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"6dce6ade-b342-4645-9ff2-228f319d69f7\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"f8266242-342d-4046-8bb5-90efe4839a60\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"06b78908-beb7-4a01-a9b0-b7f9775318d9\":{\"label\":\"rule.description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.description\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f8266242-342d-4046-8bb5-90efe4839a60\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"ea992e31-8ea1-4548-8182-da51c911cf21\":{\"label\":\"rule.level\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"rule.level\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"includeEmptyRows\":true,\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\"}},\"a8c6efd9-93b3-4636-96ea-43b359962134\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f8266242-342d-4046-8bb5-90efe4839a60\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"6dce6ade-b342-4645-9ff2-228f319d69f7\",\"8882fc10-f772-4a02-af1f-049b59a04dfd\",\"1835ff08-affb-403c-991e-8e642c7a5456\",\"06b78908-beb7-4a01-a9b0-b7f9775318d9\",\"ea992e31-8ea1-4548-8182-da51c911cf21\",\"a8c6efd9-93b3-4636-96ea-43b359962134\",\"f8266242-342d-4046-8bb5-90efe4839a60\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePane
lTitles\":false},\"title\":\"Events\"}]","timeRestore":false,"title":"wazuh-amazon-aws-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:35:30.916Z","id":"ff5626e0-a63f-11ed-8b0e-91d62e747cc9","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"5177564c-7c79-4412-9c03-99dca92b90d5:indexpattern-datasource-layer-bca83102-e00c-4277-b280-a91ef087536e","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"692e518d-0688-414b-92e8-6b2bf1b960dd:indexpattern-datasource-layer-ecb05aff-bc9d-4ba1-b817-bf4016e0c5ef","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"25e0d536-4163-46e6-abd5-5cd45cd9f30a:indexpattern-datasource-layer-c23cdcb3-1e5c-46f0-9ef2-827d9b867cb2","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:35:30.916Z","version":"WzM1OCwxXQ=="} +{"excludedObjects":[],"excludedObjectsCount":0,"exportedCount":8,"missingRefCount":0,"missingReferences":[]} \ No newline at end of file diff --git a/integrations/elastic/logstash/pipeline/es_template.json b/integrations/elastic/logstash/pipeline/es_template.json new file mode 100644 index 0000000000000..050034e58ccd2 --- /dev/null +++ b/integrations/elastic/logstash/pipeline/es_template.json 
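Review bot: the lnsDatatable panel in wazuh-amazon-aws-v1.0 carries `\"title\":\"e\"` on its embeddable attributes while the panel-level title is `\"Events\"`; this reads like a stray keystroke and will show up as the saved visualization name on import, so set it to `\"\"` as the other two panels do. Two smaller points on the same hunk: the file ends with `\ No newline at end of file`, which the import API tolerates but which keeps producing noisy diffs on every later edit, so add the trailing newline; and every panel pins the index pattern id `f410770f-a2da-47db-8a47-20b2ddbdcf5e` while the closing summary reports `"exportedCount":8,"missingRefCount":0`, so the README for this integration should state that the index-pattern saved object must be imported together with the dashboards (or that the id must already exist), otherwise the panels render with missing references.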
@@ -0,0 +1,2042 @@ +{ + "index_patterns": [ + "wazuh-alerts-4.x-*", + "wazuh-archives-4.x-*" + ], + "template": { + "settings": { + "index": { + "routing": { + "allocation": { + "include": { + "_tier_preference": "data_content" + } + } + }, + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "refresh_interval": "5s", + "number_of_shards": "3", + "auto_expand_replicas": "0-1", + "query": { + "default_field": [ + "GeoLocation.city_name", + "GeoLocation.continent_code", + "GeoLocation.country_code2", + "GeoLocation.country_code3", + "GeoLocation.country_name", + "GeoLocation.ip", + "GeoLocation.postal_code", + "GeoLocation.real_region_name", + "GeoLocation.region_name", + "GeoLocation.timezone", + "agent.id", + "agent.ip", + "agent.name", + "cluster.name", + "cluster.node", + "command", + "data", + "data.action", + "data.audit", + "data.audit.acct", + "data.audit.arch", + "data.audit.auid", + "data.audit.command", + "data.audit.cwd", + "data.audit.dev", + "data.audit.directory.inode", + "data.audit.directory.mode", + "data.audit.directory.name", + "data.audit.egid", + "data.audit.enforcing", + "data.audit.euid", + "data.audit.exe", + "data.audit.execve.a0", + "data.audit.execve.a1", + "data.audit.execve.a2", + "data.audit.execve.a3", + "data.audit.exit", + "data.audit.file.inode", + "data.audit.file.mode", + "data.audit.file.name", + "data.audit.fsgid", + "data.audit.fsuid", + "data.audit.gid", + "data.audit.id", + "data.audit.key", + "data.audit.list", + "data.audit.old-auid", + "data.audit.old-ses", + "data.audit.old_enforcing", + "data.audit.old_prom", + "data.audit.op", + "data.audit.pid", + "data.audit.ppid", + "data.audit.prom", + "data.audit.res", + "data.audit.session", + "data.audit.sgid", + "data.audit.srcip", + "data.audit.subj", + "data.audit.success", + "data.audit.suid", + "data.audit.syscall", + "data.audit.tty", + "data.audit.uid", + "data.aws.accountId", + "data.aws.account_id", + "data.aws.action", + "data.aws.actor", + 
"data.aws.aws_account_id", + "data.aws.description", + "data.aws.dstport", + "data.aws.errorCode", + "data.aws.errorMessage", + "data.aws.eventID", + "data.aws.eventName", + "data.aws.eventSource", + "data.aws.eventType", + "data.aws.id", + "data.aws.name", + "data.aws.requestParameters.accessKeyId", + "data.aws.requestParameters.bucketName", + "data.aws.requestParameters.gatewayId", + "data.aws.requestParameters.groupDescription", + "data.aws.requestParameters.groupId", + "data.aws.requestParameters.groupName", + "data.aws.requestParameters.host", + "data.aws.requestParameters.hostedZoneId", + "data.aws.requestParameters.instanceId", + "data.aws.requestParameters.instanceProfileName", + "data.aws.requestParameters.loadBalancerName", + "data.aws.requestParameters.loadBalancerPorts", + "data.aws.requestParameters.masterUserPassword", + "data.aws.requestParameters.masterUsername", + "data.aws.requestParameters.name", + "data.aws.requestParameters.natGatewayId", + "data.aws.requestParameters.networkAclId", + "data.aws.requestParameters.path", + "data.aws.requestParameters.policyName", + "data.aws.requestParameters.port", + "data.aws.requestParameters.stackId", + "data.aws.requestParameters.stackName", + "data.aws.requestParameters.subnetId", + "data.aws.requestParameters.subnetIds", + "data.aws.requestParameters.volumeId", + "data.aws.requestParameters.vpcId", + "data.aws.resource.accessKeyDetails.accessKeyId", + "data.aws.resource.accessKeyDetails.principalId", + "data.aws.resource.accessKeyDetails.userName", + "data.aws.resource.instanceDetails.instanceId", + "data.aws.resource.instanceDetails.instanceState", + "data.aws.resource.instanceDetails.networkInterfaces.privateDnsName", + "data.aws.resource.instanceDetails.networkInterfaces.publicDnsName", + "data.aws.resource.instanceDetails.networkInterfaces.subnetId", + "data.aws.resource.instanceDetails.networkInterfaces.vpcId", + "data.aws.resource.instanceDetails.tags.value", + 
"data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId", + "data.aws.responseElements.description", + "data.aws.responseElements.instanceId", + "data.aws.responseElements.instances.instanceId", + "data.aws.responseElements.instancesSet.items.instanceId", + "data.aws.responseElements.listeners.port", + "data.aws.responseElements.loadBalancerName", + "data.aws.responseElements.loadBalancers.vpcId", + "data.aws.responseElements.loginProfile.userName", + "data.aws.responseElements.networkAcl.vpcId", + "data.aws.responseElements.ownerId", + "data.aws.responseElements.publicIp", + "data.aws.responseElements.user.userId", + "data.aws.responseElements.user.userName", + "data.aws.responseElements.volumeId", + "data.aws.service.serviceName", + "data.aws.severity", + "data.aws.source", + "data.aws.sourceIPAddress", + "data.aws.srcport", + "data.aws.userIdentity.accessKeyId", + "data.aws.userIdentity.accountId", + "data.aws.userIdentity.userName", + "data.aws.vpcEndpointId", + "data.command", + "data.data", + "data.docker.Actor.Attributes.container", + "data.docker.Actor.Attributes.image", + "data.docker.Actor.Attributes.name", + "data.docker.Actor.ID", + "data.docker.id", + "data.docker.message", + "data.docker.status", + "data.dstip", + "data.dstport", + "data.dstuser", + "data.extra_data", + "data.hardware.serial", + "data.id", + "data.integration", + "data.netinfo.iface.adapter", + "data.netinfo.iface.ipv4.address", + "data.netinfo.iface.ipv6.address", + "data.netinfo.iface.mac", + "data.netinfo.iface.name", + "data.os.architecture", + "data.os.build", + "data.os.codename", + "data.os.hostname", + "data.os.major", + "data.os.minor", + "data.os.name", + "data.os.platform", + "data.os.release", + "data.os.release_version", + "data.os.sysname", + "data.os.version", + "data.oscap.check.description", + "data.oscap.check.id", + "data.oscap.check.identifiers", + "data.oscap.check.oval.id", + "data.oscap.check.rationale", + "data.oscap.check.references", + 
"data.oscap.check.result", + "data.oscap.check.severity", + "data.oscap.check.title", + "data.oscap.scan.benchmark.id", + "data.oscap.scan.content", + "data.oscap.scan.id", + "data.oscap.scan.profile.id", + "data.oscap.scan.profile.title", + "data.osquery.columns.address", + "data.osquery.columns.command", + "data.osquery.columns.description", + "data.osquery.columns.dst_ip", + "data.osquery.columns.gid", + "data.osquery.columns.hostname", + "data.osquery.columns.md5", + "data.osquery.columns.path", + "data.osquery.columns.sha1", + "data.osquery.columns.sha256", + "data.osquery.columns.src_ip", + "data.osquery.columns.user", + "data.osquery.columns.username", + "data.osquery.name", + "data.osquery.pack", + "data.port.process", + "data.port.protocol", + "data.port.state", + "data.process.args", + "data.process.cmd", + "data.process.egroup", + "data.process.euser", + "data.process.fgroup", + "data.process.name", + "data.process.rgroup", + "data.process.ruser", + "data.process.sgroup", + "data.process.state", + "data.process.suser", + "data.program.architecture", + "data.program.description", + "data.program.format", + "data.program.location", + "data.program.multiarch", + "data.program.name", + "data.program.priority", + "data.program.section", + "data.program.source", + "data.program.vendor", + "data.program.version", + "data.protocol", + "data.pwd", + "data.sca", + "data.sca.check.compliance.cis", + "data.sca.check.compliance.cis_csc", + "data.sca.check.compliance.pci_dss", + "data.sca.check.compliance.hipaa", + "data.sca.check.compliance.nist_800_53", + "data.sca.check.description", + "data.sca.check.directory", + "data.sca.check.file", + "data.sca.check.id", + "data.sca.check.previous_result", + "data.sca.check.process", + "data.sca.check.rationale", + "data.sca.check.reason", + "data.sca.check.references", + "data.sca.check.registry", + "data.sca.check.remediation", + "data.sca.check.result", + "data.sca.check.status", + "data.sca.check.title", + 
"data.sca.description", + "data.sca.file", + "data.sca.invalid", + "data.sca.name", + "data.sca.policy", + "data.sca.policy_id", + "data.sca.scan_id", + "data.sca.total_checks", + "data.script", + "data.src_ip", + "data.src_port", + "data.srcip", + "data.srcport", + "data.srcuser", + "data.status", + "data.system_name", + "data.title", + "data.tty", + "data.uid", + "data.url", + "data.virustotal.description", + "data.virustotal.error", + "data.virustotal.found", + "data.virustotal.permalink", + "data.virustotal.scan_date", + "data.virustotal.sha1", + "data.virustotal.source.alert_id", + "data.virustotal.source.file", + "data.virustotal.source.md5", + "data.virustotal.source.sha1", + "data.vulnerability.cve", + "data.vulnerability.cvss.cvss2.base_score", + "data.vulnerability.cvss.cvss2.exploitability_score", + "data.vulnerability.cvss.cvss2.impact_score", + "data.vulnerability.cvss.cvss2.vector.access_complexity", + "data.vulnerability.cvss.cvss2.vector.attack_vector", + "data.vulnerability.cvss.cvss2.vector.authentication", + "data.vulnerability.cvss.cvss2.vector.availability", + "data.vulnerability.cvss.cvss2.vector.confidentiality_impact", + "data.vulnerability.cvss.cvss2.vector.integrity_impact", + "data.vulnerability.cvss.cvss2.vector.privileges_required", + "data.vulnerability.cvss.cvss2.vector.scope", + "data.vulnerability.cvss.cvss2.vector.user_interaction", + "data.vulnerability.cvss.cvss3.base_score", + "data.vulnerability.cvss.cvss3.exploitability_score", + "data.vulnerability.cvss.cvss3.impact_score", + "data.vulnerability.cvss.cvss3.vector.access_complexity", + "data.vulnerability.cvss.cvss3.vector.attack_vector", + "data.vulnerability.cvss.cvss3.vector.authentication", + "data.vulnerability.cvss.cvss3.vector.availability", + "data.vulnerability.cvss.cvss3.vector.confidentiality_impact", + "data.vulnerability.cvss.cvss3.vector.integrity_impact", + "data.vulnerability.cvss.cvss3.vector.privileges_required", + 
"data.vulnerability.cvss.cvss3.vector.scope", + "data.vulnerability.cvss.cvss3.vector.user_interaction", + "data.vulnerability.cwe_reference", + "data.vulnerability.package.source", + "data.vulnerability.package.architecture", + "data.vulnerability.package.condition", + "data.vulnerability.package.generated_cpe", + "data.vulnerability.package.name", + "data.vulnerability.package.version", + "data.vulnerability.rationale", + "data.vulnerability.severity", + "data.vulnerability.title", + "data.vulnerability.assigner", + "data.vulnerability.cve_version", + "data.win.eventdata.auditPolicyChanges", + "data.win.eventdata.auditPolicyChangesId", + "data.win.eventdata.binary", + "data.win.eventdata.category", + "data.win.eventdata.categoryId", + "data.win.eventdata.data", + "data.win.eventdata.image", + "data.win.eventdata.ipAddress", + "data.win.eventdata.ipPort", + "data.win.eventdata.keyName", + "data.win.eventdata.logonGuid", + "data.win.eventdata.logonProcessName", + "data.win.eventdata.operation", + "data.win.eventdata.parentImage", + "data.win.eventdata.processId", + "data.win.eventdata.processName", + "data.win.eventdata.providerName", + "data.win.eventdata.returnCode", + "data.win.eventdata.service", + "data.win.eventdata.status", + "data.win.eventdata.subcategory", + "data.win.eventdata.subcategoryGuid", + "data.win.eventdata.subcategoryId", + "data.win.eventdata.subjectDomainName", + "data.win.eventdata.subjectLogonId", + "data.win.eventdata.subjectUserName", + "data.win.eventdata.subjectUserSid", + "data.win.eventdata.targetDomainName", + "data.win.eventdata.targetLinkedLogonId", + "data.win.eventdata.targetLogonId", + "data.win.eventdata.targetUserName", + "data.win.eventdata.targetUserSid", + "data.win.eventdata.workstationName", + "data.win.system.channel", + "data.win.system.computer", + "data.win.system.eventID", + "data.win.system.eventRecordID", + "data.win.system.eventSourceName", + "data.win.system.keywords", + "data.win.system.level", + 
"data.win.system.message", + "data.win.system.opcode", + "data.win.system.processID", + "data.win.system.providerGuid", + "data.win.system.providerName", + "data.win.system.securityUserID", + "data.win.system.severityValue", + "data.win.system.userID", + "decoder.ftscomment", + "decoder.name", + "decoder.parent", + "full_log", + "host", + "id", + "input", + "location", + "manager.name", + "message", + "offset", + "predecoder.hostname", + "predecoder.program_name", + "previous_log", + "previous_output", + "program_name", + "rule.cis", + "rule.cve", + "rule.description", + "rule.gdpr", + "rule.gpg13", + "rule.groups", + "rule.id", + "rule.info", + "rule.mitre.id", + "rule.mitre.tactic", + "rule.mitre.technique", + "rule.pci_dss", + "rule.hipaa", + "rule.nist_800_53", + "syscheck.audit.effective_user.id", + "syscheck.audit.effective_user.name", + "syscheck.audit.group.id", + "syscheck.audit.group.name", + "syscheck.audit.login_user.id", + "syscheck.audit.login_user.name", + "syscheck.audit.process.id", + "syscheck.audit.process.name", + "syscheck.audit.process.ppid", + "syscheck.audit.user.id", + "syscheck.audit.user.name", + "syscheck.diff", + "syscheck.event", + "syscheck.gid_after", + "syscheck.gid_before", + "syscheck.gname_after", + "syscheck.gname_before", + "syscheck.inode_after", + "syscheck.inode_before", + "syscheck.md5_after", + "syscheck.md5_before", + "syscheck.path", + "syscheck.mode", + "syscheck.perm_after", + "syscheck.perm_before", + "syscheck.sha1_after", + "syscheck.sha1_before", + "syscheck.sha256_after", + "syscheck.sha256_before", + "syscheck.tags", + "syscheck.uid_after", + "syscheck.uid_before", + "syscheck.uname_after", + "syscheck.uname_before", + "title", + "type" + ] + }, + "number_of_replicas": "0" + } + }, + "mappings": { + "dynamic_templates": [ + { + "string_as_keyword": { + "match_mapping_type": "string", + "mapping": { + "type": "keyword" + } + } + } + ], + "date_detection": false, + "properties": { + "@timestamp": { + "type": "date" 
+ }, + "@version": { + "type": "text" + }, + "GeoLocation": { + "properties": { + "area_code": { + "type": "long" + }, + "city_name": { + "type": "keyword" + }, + "continent_code": { + "type": "text" + }, + "coordinates": { + "type": "double" + }, + "country_code2": { + "type": "text" + }, + "country_code3": { + "type": "text" + }, + "country_name": { + "type": "keyword" + }, + "dma_code": { + "type": "long" + }, + "ip": { + "type": "keyword" + }, + "latitude": { + "type": "double" + }, + "location": { + "type": "geo_point" + }, + "longitude": { + "type": "double" + }, + "postal_code": { + "type": "keyword" + }, + "real_region_name": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "timezone": { + "type": "text" + } + } + }, + "agent": { + "properties": { + "id": { + "type": "keyword" + }, + "ip": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "cluster": { + "properties": { + "name": { + "type": "keyword" + }, + "node": { + "type": "keyword" + } + } + }, + "command": { + "type": "keyword" + }, + "data": { + "properties": { + "action": { + "type": "keyword" + }, + "audit": { + "properties": { + "acct": { + "type": "keyword" + }, + "arch": { + "type": "keyword" + }, + "auid": { + "type": "keyword" + }, + "command": { + "type": "keyword" + }, + "cwd": { + "type": "keyword" + }, + "dev": { + "type": "keyword" + }, + "directory": { + "properties": { + "inode": { + "type": "keyword" + }, + "mode": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "egid": { + "type": "keyword" + }, + "enforcing": { + "type": "keyword" + }, + "euid": { + "type": "keyword" + }, + "exe": { + "type": "keyword" + }, + "execve": { + "properties": { + "a0": { + "type": "keyword" + }, + "a1": { + "type": "keyword" + }, + "a2": { + "type": "keyword" + }, + "a3": { + "type": "keyword" + } + } + }, + "exit": { + "type": "keyword" + }, + "file": { + "properties": { + "inode": { + "type": "keyword" + }, + "mode": { + "type": 
"keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "fsgid": { + "type": "keyword" + }, + "fsuid": { + "type": "keyword" + }, + "gid": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "key": { + "type": "keyword" + }, + "list": { + "type": "keyword" + }, + "old-auid": { + "type": "keyword" + }, + "old-ses": { + "type": "keyword" + }, + "old_enforcing": { + "type": "keyword" + }, + "old_prom": { + "type": "keyword" + }, + "op": { + "type": "keyword" + }, + "pid": { + "type": "keyword" + }, + "ppid": { + "type": "keyword" + }, + "prom": { + "type": "keyword" + }, + "res": { + "type": "keyword" + }, + "session": { + "type": "keyword" + }, + "sgid": { + "type": "keyword" + }, + "srcip": { + "type": "keyword" + }, + "subj": { + "type": "keyword" + }, + "success": { + "type": "keyword" + }, + "suid": { + "type": "keyword" + }, + "syscall": { + "type": "keyword" + }, + "tty": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "uid": { + "type": "keyword" + } + } + }, + "aws": { + "properties": { + "accountId": { + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "createdAt": { + "type": "date" + }, + "dstaddr": { + "type": "ip" + }, + "end": { + "type": "date" + }, + "log_info": { + "properties": { + "s3bucket": { + "type": "keyword" + } + } + }, + "region": { + "type": "keyword" + }, + "resource": { + "properties": { + "instanceDetails": { + "properties": { + "launchTime": { + "type": "date" + }, + "networkInterfaces": { + "properties": { + "privateIpAddress": { + "type": "ip" + }, + "publicIp": { + "type": "ip" + } + } + } + } + } + } + }, + "service": { + "properties": { + "action": { + "properties": { + "networkConnectionAction": { + "properties": { + "remoteIpDetails": { + "properties": { + "geoLocation": { + "type": "geo_point" + }, + "ipAddressV4": { + "type": "ip" + } + } + } + } + } + } + }, + "count": { + "type": "long" + }, + "eventFirstSeen": { + "type": "date" + }, + "eventLastSeen": { + "type": "date" + } + 
} + }, + "source": { + "type": "keyword" + }, + "source_ip_address": { + "type": "ip" + }, + "srcaddr": { + "type": "ip" + }, + "start": { + "type": "date" + }, + "updatedAt": { + "type": "date" + } + } + }, + "cis": { + "properties": { + "benchmark": { + "type": "keyword" + }, + "error": { + "type": "long" + }, + "fail": { + "type": "long" + }, + "group": { + "type": "keyword" + }, + "notchecked": { + "type": "long" + }, + "pass": { + "type": "long" + }, + "result": { + "type": "keyword" + }, + "rule_title": { + "type": "keyword" + }, + "score": { + "type": "long" + }, + "timestamp": { + "type": "keyword" + }, + "unknown": { + "type": "long" + } + } + }, + "command": { + "type": "keyword" + }, + "data": { + "type": "keyword" + }, + "docker": { + "properties": { + "Action": { + "type": "keyword" + }, + "Actor": { + "properties": { + "Attributes": { + "properties": { + "image": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + } + } + }, + "Type": { + "type": "keyword" + } + } + }, + "dstip": { + "type": "keyword" + }, + "dstport": { + "type": "keyword" + }, + "dstuser": { + "type": "keyword" + }, + "extra_data": { + "type": "keyword" + }, + "gcp": { + "properties": { + "jsonPayload": { + "properties": { + "authAnswer": { + "type": "keyword" + }, + "queryName": { + "type": "keyword" + }, + "responseCode": { + "type": "keyword" + }, + "vmInstanceId": { + "type": "keyword" + }, + "vmInstanceName": { + "type": "keyword" + } + } + }, + "resource": { + "properties": { + "labels": { + "properties": { + "location": { + "type": "keyword" + }, + "project_id": { + "type": "keyword" + }, + "source_type": { + "type": "keyword" + } + } + }, + "type": { + "type": "keyword" + } + } + }, + "severity": { + "type": "keyword" + } + } + }, + "github": { + "properties": { + "action": { + "type": "keyword" + }, + "actor": { + "type": "keyword" + }, + "actor_location": { + "properties": { + "country_code": { + "type": "keyword" + } + } + }, + "org": { + "type": 
"keyword" + }, + "repo": { + "type": "keyword" + } + } + }, + "hardware": { + "properties": { + "cpu_cores": { + "type": "long" + }, + "cpu_mhz": { + "type": "double" + }, + "cpu_name": { + "type": "keyword" + }, + "ram_free": { + "type": "long" + }, + "ram_total": { + "type": "long" + }, + "ram_usage": { + "type": "long" + }, + "serial": { + "type": "keyword" + } + } + }, + "id": { + "type": "keyword" + }, + "integration": { + "type": "keyword" + }, + "netinfo": { + "properties": { + "iface": { + "properties": { + "adapter": { + "type": "keyword" + }, + "ipv4": { + "properties": { + "address": { + "type": "keyword" + }, + "broadcast": { + "type": "keyword" + }, + "dhcp": { + "type": "keyword" + }, + "gateway": { + "type": "keyword" + }, + "metric": { + "type": "long" + }, + "netmask": { + "type": "keyword" + } + } + }, + "ipv6": { + "properties": { + "address": { + "type": "keyword" + }, + "broadcast": { + "type": "keyword" + }, + "dhcp": { + "type": "keyword" + }, + "gateway": { + "type": "keyword" + }, + "metric": { + "type": "long" + }, + "netmask": { + "type": "keyword" + } + } + }, + "mac": { + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "type": "keyword" + }, + "rx_bytes": { + "type": "long" + }, + "rx_dropped": { + "type": "long" + }, + "rx_errors": { + "type": "long" + }, + "rx_packets": { + "type": "long" + }, + "state": { + "type": "keyword" + }, + "tx_bytes": { + "type": "long" + }, + "tx_dropped": { + "type": "long" + }, + "tx_errors": { + "type": "long" + }, + "tx_packets": { + "type": "long" + }, + "type": { + "type": "keyword" + } + } + } + } + }, + "office365": { + "properties": { + "Actor": { + "properties": { + "ID": { + "type": "keyword" + } + } + }, + "ClientIP": { + "type": "keyword" + }, + "Operation": { + "type": "keyword" + }, + "ResultStatus": { + "type": "keyword" + }, + "Subscription": { + "type": "keyword" + }, + "UserId": { + "type": "keyword" + } + } + }, + "os": { + "properties": { + "architecture": { + 
"type": "keyword" + }, + "build": { + "type": "keyword" + }, + "codename": { + "type": "keyword" + }, + "display_version": { + "type": "keyword" + }, + "hostname": { + "type": "keyword" + }, + "major": { + "type": "keyword" + }, + "minor": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "patch": { + "type": "keyword" + }, + "platform": { + "type": "keyword" + }, + "release": { + "type": "keyword" + }, + "release_version": { + "type": "keyword" + }, + "sysname": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "oscap": { + "properties": { + "check": { + "properties": { + "description": { + "type": "text" + }, + "id": { + "type": "keyword" + }, + "identifiers": { + "type": "text" + }, + "oval": { + "properties": { + "id": { + "type": "keyword" + } + } + }, + "rationale": { + "type": "text" + }, + "references": { + "type": "text" + }, + "result": { + "type": "keyword" + }, + "severity": { + "type": "keyword" + }, + "title": { + "type": "keyword" + } + } + }, + "scan": { + "properties": { + "benchmark": { + "properties": { + "id": { + "type": "keyword" + } + } + }, + "content": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "profile": { + "properties": { + "id": { + "type": "keyword" + }, + "title": { + "type": "keyword" + } + } + }, + "return_code": { + "type": "long" + }, + "score": { + "type": "double" + } + } + } + } + }, + "osquery": { + "properties": { + "action": { + "type": "keyword" + }, + "calendarTime": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "pack": { + "type": "keyword" + } + } + }, + "port": { + "properties": { + "inode": { + "type": "long" + }, + "local_ip": { + "type": "ip" + }, + "local_port": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "process": { + "type": "keyword" + }, + "protocol": { + "type": "keyword" + }, + "remote_ip": { + "type": "ip" + }, + "remote_port": { + "type": "long" + }, + "rx_queue": { + "type": "long" + }, + "state": { + "type": 
"keyword" + }, + "tx_queue": { + "type": "long" + } + } + }, + "process": { + "properties": { + "args": { + "type": "keyword" + }, + "cmd": { + "type": "keyword" + }, + "egroup": { + "type": "keyword" + }, + "euser": { + "type": "keyword" + }, + "fgroup": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "nice": { + "type": "long" + }, + "nlwp": { + "type": "long" + }, + "pgrp": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "priority": { + "type": "long" + }, + "processor": { + "type": "long" + }, + "resident": { + "type": "long" + }, + "rgroup": { + "type": "keyword" + }, + "ruser": { + "type": "keyword" + }, + "session": { + "type": "long" + }, + "sgroup": { + "type": "keyword" + }, + "share": { + "type": "long" + }, + "size": { + "type": "long" + }, + "start_time": { + "type": "long" + }, + "state": { + "type": "keyword" + }, + "stime": { + "type": "long" + }, + "suser": { + "type": "keyword" + }, + "tgid": { + "type": "long" + }, + "tty": { + "type": "long" + }, + "utime": { + "type": "long" + }, + "vm_size": { + "type": "long" + } + } + }, + "program": { + "properties": { + "architecture": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "format": { + "type": "keyword" + }, + "install_time": { + "type": "keyword" + }, + "location": { + "type": "keyword" + }, + "multiarch": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "priority": { + "type": "keyword" + }, + "section": { + "type": "keyword" + }, + "size": { + "type": "long" + }, + "source": { + "type": "keyword" + }, + "vendor": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "protocol": { + "type": "keyword" + }, + "sca": { + "properties": { + "check": { + "properties": { + "compliance": { + "properties": { + "cis": { + "type": "keyword" + }, + "cis_csc": { + "type": "keyword" + }, + "hipaa": { + "type": "keyword" + }, + "nist_800_53": { + "type": "keyword" + }, + "pci_dss": 
{ + "type": "keyword" + } + } + }, + "description": { + "type": "keyword" + }, + "directory": { + "type": "keyword" + }, + "file": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "previous_result": { + "type": "keyword" + }, + "process": { + "type": "keyword" + }, + "rationale": { + "type": "keyword" + }, + "reason": { + "type": "keyword" + }, + "references": { + "type": "keyword" + }, + "registry": { + "type": "keyword" + }, + "remediation": { + "type": "keyword" + }, + "result": { + "type": "keyword" + }, + "title": { + "type": "keyword" + } + } + }, + "description": { + "type": "keyword" + }, + "failed": { + "type": "integer" + }, + "file": { + "type": "keyword" + }, + "invalid": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "passed": { + "type": "integer" + }, + "policy": { + "type": "keyword" + }, + "policy_id": { + "type": "keyword" + }, + "scan_id": { + "type": "keyword" + }, + "score": { + "type": "long" + }, + "total_checks": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "srcip": { + "type": "keyword" + }, + "srcport": { + "type": "keyword" + }, + "srcuser": { + "type": "keyword" + }, + "status": { + "type": "keyword" + }, + "system_name": { + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "title": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "uid": { + "type": "keyword" + }, + "url": { + "type": "keyword" + }, + "virustotal": { + "properties": { + "description": { + "type": "keyword" + }, + "error": { + "type": "keyword" + }, + "found": { + "type": "keyword" + }, + "malicious": { + "type": "keyword" + }, + "permalink": { + "type": "keyword" + }, + "positives": { + "type": "keyword" + }, + "scan_date": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "source": { + "properties": { + "alert_id": { + "type": "keyword" + }, + "file": { + "type": "keyword" + }, + "md5": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + } + } + }, + 
"total": { + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "assigner": { + "type": "keyword" + }, + "cve": { + "type": "keyword" + }, + "cve_version": { + "type": "keyword" + }, + "cvss": { + "properties": { + "cvss2": { + "properties": { + "base_score": { + "type": "keyword" + }, + "exploitability_score": { + "type": "keyword" + }, + "impact_score": { + "type": "keyword" + }, + "vector": { + "properties": { + "access_complexity": { + "type": "keyword" + }, + "attack_vector": { + "type": "keyword" + }, + "authentication": { + "type": "keyword" + }, + "availability": { + "type": "keyword" + }, + "confidentiality_impact": { + "type": "keyword" + }, + "integrity_impact": { + "type": "keyword" + }, + "privileges_required": { + "type": "keyword" + }, + "scope": { + "type": "keyword" + }, + "user_interaction": { + "type": "keyword" + } + } + } + } + }, + "cvss3": { + "properties": { + "base_score": { + "type": "keyword" + }, + "exploitability_score": { + "type": "keyword" + }, + "impact_score": { + "type": "keyword" + }, + "vector": { + "properties": { + "access_complexity": { + "type": "keyword" + }, + "attack_vector": { + "type": "keyword" + }, + "authentication": { + "type": "keyword" + }, + "availability": { + "type": "keyword" + }, + "confidentiality_impact": { + "type": "keyword" + }, + "integrity_impact": { + "type": "keyword" + }, + "privileges_required": { + "type": "keyword" + }, + "scope": { + "type": "keyword" + }, + "user_interaction": { + "type": "keyword" + } + } + } + } + } + } + }, + "cwe_reference": { + "type": "keyword" + }, + "package": { + "properties": { + "architecture": { + "type": "keyword" + }, + "condition": { + "type": "keyword" + }, + "generated_cpe": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "source": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "published": { + "type": "date" + }, + "rationale": { + "type": "keyword" + }, + "severity": { + "type": "keyword" + 
}, + "title": { + "type": "keyword" + }, + "updated": { + "type": "date" + } + } + } + } + }, + "decoder": { + "properties": { + "accumulate": { + "type": "long" + }, + "fts": { + "type": "long" + }, + "ftscomment": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "parent": { + "type": "keyword" + } + } + }, + "full_log": { + "type": "text" + }, + "host": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "input": { + "properties": { + "type": { + "type": "keyword" + } + } + }, + "location": { + "type": "keyword" + }, + "manager": { + "properties": { + "name": { + "type": "keyword" + } + } + }, + "message": { + "type": "text" + }, + "offset": { + "type": "keyword" + }, + "predecoder": { + "properties": { + "hostname": { + "type": "keyword" + }, + "program_name": { + "type": "keyword" + }, + "timestamp": { + "type": "keyword" + } + } + }, + "previous_log": { + "type": "text" + }, + "previous_output": { + "type": "keyword" + }, + "program_name": { + "type": "keyword" + }, + "rule": { + "properties": { + "cis": { + "type": "keyword" + }, + "cve": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "firedtimes": { + "type": "long" + }, + "frequency": { + "type": "long" + }, + "gdpr": { + "type": "keyword" + }, + "gpg13": { + "type": "keyword" + }, + "groups": { + "type": "keyword" + }, + "hipaa": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "info": { + "type": "keyword" + }, + "level": { + "type": "long" + }, + "mail": { + "type": "boolean" + }, + "mitre": { + "properties": { + "id": { + "type": "keyword" + }, + "tactic": { + "type": "keyword" + }, + "technique": { + "type": "keyword" + } + } + }, + "nist_800_53": { + "type": "keyword" + }, + "pci_dss": { + "type": "keyword" + }, + "tsc": { + "type": "keyword" + } + } + }, + "syscheck": { + "properties": { + "audit": { + "properties": { + "effective_user": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } 
+ }, + "group": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "login_user": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "process": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "ppid": { + "type": "keyword" + } + } + }, + "user": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + } + } + }, + "diff": { + "type": "keyword" + }, + "event": { + "type": "keyword" + }, + "gid_after": { + "type": "keyword" + }, + "gid_before": { + "type": "keyword" + }, + "gname_after": { + "type": "keyword" + }, + "gname_before": { + "type": "keyword" + }, + "hard_links": { + "type": "keyword" + }, + "inode_after": { + "type": "keyword" + }, + "inode_before": { + "type": "keyword" + }, + "md5_after": { + "type": "keyword" + }, + "md5_before": { + "type": "keyword" + }, + "mode": { + "type": "keyword" + }, + "mtime_after": { + "type": "date", + "format": "date_optional_time" + }, + "mtime_before": { + "type": "date", + "format": "date_optional_time" + }, + "path": { + "type": "keyword" + }, + "perm_after": { + "type": "keyword" + }, + "perm_before": { + "type": "keyword" + }, + "sha1_after": { + "type": "keyword" + }, + "sha1_before": { + "type": "keyword" + }, + "sha256_after": { + "type": "keyword" + }, + "sha256_before": { + "type": "keyword" + }, + "size_after": { + "type": "long" + }, + "size_before": { + "type": "long" + }, + "tags": { + "type": "keyword" + }, + "uid_after": { + "type": "keyword" + }, + "uid_before": { + "type": "keyword" + }, + "uname_after": { + "type": "keyword" + }, + "uname_before": { + "type": "keyword" + } + } + }, + "timestamp": { + "type": "date", + "format": "date_optional_time||epoch_millis" + }, + "title": { + "type": "keyword" + }, + "type": { + "type": "text" + } + } + }, + "aliases": {} + }, + "version": 1 +} 
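Review bot: the CVSS score fields in this `es_template.json` hunk (`data.vulnerability.cvss.cvss2.base_score`, `exploitability_score`, `impact_score` and their `cvss3` counterparts) are mapped as `"type": "keyword"`, as are `data.virustotal.positives` and `data.virustotal.total`, which rules out range filters and numeric aggregations on them (a dashboard cannot ask for base_score >= 7.0); `float` or `integer` would also match how `data.oscap.scan.score` (`double`) and `data.sca.score` (`long`) are mapped in the same template. Related: the `cvss2.vector` and `cvss3.vector` property blocks are identical copies, each listing both v2-only (`access_complexity`, `authentication`) and v3-only (`privileges_required`, `scope`, `user_interaction`) sub-fields, so please confirm that is deliberate rather than a copy-paste. Smaller inconsistency: `data.srcip` and `data.dstip` are `keyword` while `data.aws.srcaddr`/`dstaddr` and `data.port.local_ip` are `ip`; mapping the top-level addresses as `ip` too would allow CIDR queries across all sources.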
diff --git a/integrations/elastic/logstash/pipeline/indexer-to-elastic.conf b/integrations/elastic/logstash/pipeline/indexer-to-elastic.conf new file mode 100644 index 0000000000000..d9e734cae6992 --- /dev/null +++ b/integrations/elastic/logstash/pipeline/indexer-to-elastic.conf @@ -0,0 +1,35 @@ +input { + opensearch { + hosts => ["wazuh.indexer:9200"] + user => "${INDEXER_USERNAME}" + password => "${INDEXER_PASSWORD}" + ssl => true + ca_file => "/usr/share/logstash/root-ca.pem" + index => "wazuh-alerts-4.x-*" + query => '{ + "query": { + "range": { + "@timestamp": { + "gt": "now-1m" + } + } + } + }' + schedule => "* * * * *" + } +} + + +output { + elasticsearch { + hosts => "es01" + index => "wazuh-alerts-4.x-%{+YYYY.MM.dd}" + user => "elastic" + password => "elastic" + ssl => true + cacert => '/etc/certs/elastic/ca/ca.crt' + template => '/usr/share/logstash/pipeline/es_template.json' + template_name => 'wazuh' + template_overwrite => true + } +} diff --git a/integrations/elastic/logstash/setup.sh b/integrations/elastic/logstash/setup.sh new file mode 100644 index 0000000000000..4852d27efd5e1 --- /dev/null +++ b/integrations/elastic/logstash/setup.sh @@ -0,0 +1,10 @@ +#!/usr/bin/bash + +# This script creates and configures a keystore for Logstash to store +# indexer's credentials. NOTE: works only for dockerized logstash. +# Source: https://www.elastic.co/guide/en/logstash/current/keystore.html + +# Create keystore +/usr/share/logstash/bin/logstash-keystore create +echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_USERNAME +echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_PASSWORD diff --git a/integrations/logstash/Dockerfile b/integrations/logstash/Dockerfile new file mode 100644 index 0000000000000..0c487bc7b2ca1 --- /dev/null +++ b/integrations/logstash/Dockerfile 
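Review bot: the `elasticsearch` output in `indexer-to-elastic.conf` hard-codes `user => "elastic"` and `password => "elastic"`, while the `opensearch` input in the same pipeline reads `${INDEXER_USERNAME}` / `${INDEXER_PASSWORD}` from the keystore; the output side should use the same mechanism (for example `${ELASTIC_USERNAME}` / `${ELASTIC_PASSWORD}` added to the keystore by `setup.sh`) so no credential is left in a plain-text pipeline file. Separately, the input polls with `"gt": "now-1m"` on a `"* * * * *"` schedule and the output sets no `document_id`, so any scheduling drift or query overlap writes duplicate documents to Elasticsearch and any delay leaves gaps; deriving `document_id` from the source document's id makes re-reads idempotent, and a wider, overlapping window then becomes safe.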
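Review bot: `integrations/elastic/logstash/setup.sh` pipes the literal string `admin` into both `logstash-keystore add INDEXER_USERNAME` and `logstash-keystore add INDEXER_PASSWORD`, so the keystore only relocates hard-coded default credentials instead of protecting a secret; read the values from environment variables supplied at build or run time and start the script with `set -eu` so a missing value fails loudly rather than storing an empty string. The script also has no error handling around `logstash-keystore create`, which is a problem if the image is rebuilt with an existing keystore.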
@@ -0,0 +1,19 @@ +ARG LOGSTASH_OSS_VERSION +FROM opensearchproject/logstash-oss-with-opensearch-output-plugin:${LOGSTASH_OSS_VERSION} + +ENV LOGSTASH_KEYSTORE_PASS "SecretPassword" +ENV LS_PATH "/usr/share/logstash" +USER logstash + +# https://github.com/elastic/logstash/issues/6600 +# Install plugin +RUN LS_JAVA_OPTS="-Xms1024m -Xmx1024m" logstash-plugin install logstash-input-opensearch + +# Copy and run the setup.sh script to create and configure a keystore for Logstash. +COPY --chown=logstash:logstash ./setup.sh /usr/share/logstash/bin/setup.sh +RUN bash /usr/share/logstash/bin/setup.sh + +# Disable ECS compatibility +RUN `echo "pipeline.ecs_compatibility: disabled" >> /usr/share/logstash/config/logstash.yml` + +WORKDIR /usr/share/logstash diff --git a/integrations/logstash/setup.sh b/integrations/logstash/setup.sh new file mode 100644 index 0000000000000..4852d27efd5e1 --- /dev/null +++ b/integrations/logstash/setup.sh @@ -0,0 +1,10 @@ +#!/usr/bin/bash + +# This script creates and configures a keystore for Logstash to store +# indexer's credentials. NOTE: works only for dockerized logstash. +# Source: https://www.elastic.co/guide/en/logstash/current/keystore.html + +# Create keystore +/usr/share/logstash/bin/logstash-keystore create +echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_USERNAME +echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_PASSWORD diff --git a/integrations/opensearch/README.md b/integrations/opensearch/README.md new file mode 100644 index 0000000000000..6c55e62653b48 --- /dev/null +++ b/integrations/opensearch/README.md 
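Review bot: `ENV LOGSTASH_KEYSTORE_PASS "SecretPassword"` in `integrations/logstash/Dockerfile` bakes the keystore password into the image metadata, where `docker inspect` and every process in the container can read it, which defeats the purpose of the keystore that `setup.sh` creates in the next step; supply it through a build secret or the container environment at run time, and do not ship a fixed default. Two smaller points: the `RUN` step that appends `pipeline.ecs_compatibility: disabled` to `logstash.yml` wraps the `echo` in backticks, so it works only because the command substitution (whose output is redirected to the file) expands to an empty command line; drop the backticks and write `RUN echo "pipeline.ecs_compatibility: disabled" >> /usr/share/logstash/config/logstash.yml`. And `ENV KEY "value"` is the legacy whitespace form; `ENV LOGSTASH_KEYSTORE_PASS="..."` is the documented one.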
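Review bot: `integrations/logstash/setup.sh` is byte-identical to `integrations/elastic/logstash/setup.sh` added earlier in this patch (both carry blob id `4852d27efd5e1`), and the Dockerfile copies `./setup.sh` from its own directory; keep a single script and point the `COPY` at it, or state in a comment why two copies are needed, so they do not drift apart. As with the other copy, `echo "admin" | logstash-keystore add ...` stores fixed default credentials; read them from the environment instead.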
@@ -0,0 +1,57 @@ +# Wazuh to OpenSearch Integration Developer Guide + +This document describes how to prepare a Docker Compose environment to test the integration between Wazuh and the OpenSearch Stack. For a detailed guide on how to integrate Wazuh with OpenSearch Stack, please refer to the [Wazuh documentation](https://documentation.wazuh.com/current/integrations-guide/OpenSearch-stack/index.html). + +## Requirements + +- Docker and Docker Compose installed. + +## Usage + +1. Clone the Wazuh repository and navigate to the `integrations/` folder. +2. Run the following command to start the environment: + ```bash + docker compose -f ./docker/compose.indexer-opensearch.yml up -d + ``` +3. If you prefer, you can start the integration with the Wazuh Manager as data source: + ```bash + docker compose -f ./docker/compose.manager-opensearch.yml up -d + ``` + +The Docker Compose project will bring up the following services: + +- 1x Events Generator (learn more in [wazuh-indexer/integrations/tools/events-generator](../tools/events-generator/README.md)). +- 1x Wazuh Indexer (OpenSearch). +- 1x Logstash +- 1x OpenSearch +- 1x OpenSearch Dashboards +- 1x Wazuh Manager (optional). + +For custom configurations, you may need to modify these files: + +- [docker/compose.indexer-opensearch.yml](../docker/compose.indexer-opensearch.yml): Docker Compose file. +- [docker/.env](../docker/.env): Environment variables file. +- [opensearch/logstash/pipeline/indexer-to-opensearch.conf](./logstash/pipeline/indexer-to-opensearch.conf): Logstash Pipeline configuration file. + +If you opted to start the integration with the Wazuh Manager, you can modify the following files: + +- [docker/compose.manager-opensearch.yml](../docker/compose.manager-opensearch.yml): Docker Compose file. +- [opensearch/logstash/pipeline/manager-to-opensearch.conf](./logstash/pipeline/manager-to-opensearch.conf): Logstash Pipeline configuration file. 
+ +Check the files above for **credentials**, ports, and other configurations. + +| Service | Address | Credentials | +| --------------------- | ---------------------- | ----------- | +| Wazuh Indexer | https://localhost:9200 | admin:admin | +| OpenSearch | https://localhost:9201 | admin:admin | +| OpenSearch Dashboards | https://localhost:5602 | admin:admin | + +## Importing the dashboards + +The dashboards for OpenSearch are included in [dashboards.ndjson](./dashboards.ndjson). The steps to import them to OpenSearch are the following: + +- On OpenSearch Dashboards, expand the left menu, and go to `Dashboards Management`. +- Click on `Saved Objects`, select `Import`, click on the `Import` icon and browse the dashboard file. +- Click on Import and complete the process. + +Imported dashboards will appear in the `Dashboards` app on the left menu. diff --git a/integrations/opensearch/dashboards.ndjson b/integrations/opensearch/dashboards.ndjson new file mode 100644 index 0000000000000..678866f75dfa9 --- /dev/null +++ b/integrations/opensearch/dashboards.ndjson 
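Review bot: the services table in `integrations/opensearch/README.md` lists `admin:admin` for the Wazuh Indexer, OpenSearch and OpenSearch Dashboards, and the text only says to "check the files above for credentials"; state explicitly that these are throw-away defaults for the local Docker Compose test environment and name the file where they are set (`docker/.env`, already listed above) so a reader does not carry them into a real deployment. Minor: step 1 says "Clone the Wazuh repository", but the paths that follow (`integrations/`, `../tools/events-generator`) live in the wazuh-indexer repository, so name that one; and the list of services mixes items with and without a trailing period.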
@@ -0,0 +1,38 @@ +{"attributes":{"fields":"[{\"count\":0,\"name\":\"@sampledata\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"@version\"}}},{\"count\":0,\"name\":\"GeoLocation.city_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"GeoLocation.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"GeoLocation.city_name\"}}},{\"count\":0,\"name\":\"GeoLocation.country_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"GeoLocation.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"GeoLocation.country_name\"}}},{\"count\":0,\"name\":\"GeoLocation.location.lat\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"GeoLocation.location.lon\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\"
:true},{\"count\":0,\"name\":\"GeoLocation.region_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"GeoLocation.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"GeoLocation.region_name\"}}},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.id\"}}},{\"count\":0,\"name\":\"agent.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.ip\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"age
nt.ip\"}}},{\"count\":0,\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.name\"}}},{\"count\":0,\"name\":\"cluster.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"cluster.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"cluster.name\"}}},{\"count\":0,\"name\":\"cluster.node\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"cluster.node\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"cluster.node\"}}},{\"count\":0,\"name\":\"data.audit.command\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.audit.command\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.audit.command\"}}},{\"count\":0,\"name\":\"data.audit.cwd\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.audit.cwd\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":
{\"parent\":\"data.audit.cwd\"}}},{\"count\":0,\"name\":\"data.audit.exe\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.audit.exe\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.audit.exe\"}}},{\"count\":0,\"name\":\"data.audit.file.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.audit.file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.audit.file.name\"}}},{\"count\":0,\"name\":\"data.audit.success\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.audit.success\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.audit.success\"}}},{\"count\":0,\"name\":\"data.audit.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.audit.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.audit.type\"}}},{\"count\":0,\"name\":\"data.aws.accountId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.accountId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":t
rue,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.accountId\"}}},{\"count\":0,\"name\":\"data.aws.actor\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.actor\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.actor\"}}},{\"count\":0,\"name\":\"data.aws.alert-arn\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.alert-arn\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.alert-arn\"}}},{\"count\":0,\"name\":\"data.aws.arn\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.arn\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.arn\"}}},{\"count\":0,\"name\":\"data.aws.created-at\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.aws.createdAt\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.aws.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":
true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.description\"}}},{\"count\":0,\"name\":\"data.aws.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.id\"}}},{\"count\":0,\"name\":\"data.aws.log_info.log_file\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.log_info.log_file\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.log_info.log_file\"}}},{\"count\":0,\"name\":\"data.aws.log_info.s3bucket\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.log_info.s3bucket\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.log_info.s3bucket\"}}},{\"count\":0,\"name\":\"data.aws.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.name\"}}},{\"count\":0,\"name\":\"data.aws.notification-type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count
\":0,\"name\":\"data.aws.notification-type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.notification-type\"}}},{\"count\":0,\"name\":\"data.aws.partition\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.partition\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.partition\"}}},{\"count\":0,\"name\":\"data.aws.region\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.region\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.region\"}}},{\"count\":0,\"name\":\"data.aws.resource.accessKeyDetails.principalId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.accessKeyDetails.principalId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.accessKeyDetails.principalId\"}}},{\"count\":0,\"name\":\"data.aws.resource.accessKeyDetails.userName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.accessKeyDetails.userName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":
{\"multi\":{\"parent\":\"data.aws.resource.accessKeyDetails.userName\"}}},{\"count\":0,\"name\":\"data.aws.resource.accessKeyDetails.userType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.accessKeyDetails.userType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.accessKeyDetails.userType\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.availabilityZone\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.availabilityZone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.availabilityZone\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.iamInstanceProfile.arn\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.iamInstanceProfile.arn\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.iamInstanceProfile.arn\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.iamInstanceProfile.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.iamInstanceProfile.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\
"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.iamInstanceProfile.id\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.imageDescription\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.imageDescription\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.imageDescription\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.imageId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.imageId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.imageId\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.instanceId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.instanceId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.instanceId\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.instanceState\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.instanceState\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searc
hable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.instanceState\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.instanceType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.instanceType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.instanceType\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.launchTime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.networkInterfaceId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.networkInterfaceId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.networkInterfaces.networkInterfaceId\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.privateDnsName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.privateDnsName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.networkInterfaces.privateDnsName\"}}},{\"cou
nt\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.privateIpAddress\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.privateIpAddress\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.networkInterfaces.privateIpAddress\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.publicDnsName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.publicDnsName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.networkInterfaces.publicDnsName\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.publicIp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.publicIp\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.networkInterfaces.publicIp\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.subnetId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.subnetId\",\"type\":\"string\",\"es
Types\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.networkInterfaces.subnetId\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.vpcId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.vpcId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.networkInterfaces.vpcId\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.productCodes.productCodeId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.productCodes.productCodeId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.productCodes.productCodeId\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.productCodes.productCodeType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.productCodes.productCodeType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.productCodes.productCodeType\"}}},{\"count\":0,\"name\":\"data.aws.resource.resourceType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\"
:false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.resourceType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.resourceType\"}}},{\"count\":0,\"name\":\"data.aws.risk-score\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.risk-score\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.risk-score\"}}},{\"count\":0,\"name\":\"data.aws.schemaVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.schemaVersion\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.schemaVersion\"}}},{\"count\":0,\"name\":\"data.aws.service.action.actionType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.actionType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.actionType\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.api\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.api\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":tr
ue,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.api\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.callerType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.callerType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.callerType\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.city.cityName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.city.cityName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.city.cityName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.country.countryName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.country.countryName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.country.countryName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.geoLocation.lat\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\"
:false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.geoLocation.lat\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.geoLocation.lat\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.geoLocation.lon\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.geoLocation.lon\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.geoLocation.lon\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.ipAddressV4\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.asn\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.asn\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tru
e,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.asn\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.isp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.isp\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.isp\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.org\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.org\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.serviceName\",\"type\":\"string\",\"esTypes\":[\"text\"]
,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.serviceName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.serviceName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.blocked\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.blocked\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.blocked\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.connectionDirection\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.connectionDirection\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.connectionDirection\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.localIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.localIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\"
:\"data.aws.service.action.networkConnectionAction.localIpDetails.ipAddressV4\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.localPortDetails.port\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.localPortDetails.port\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.localPortDetails.port\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.localPortDetails.portName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.localPortDetails.portName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.localPortDetails.portName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.protocol\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.city.cityName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues
\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.city.cityName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.city.cityName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.country.countryName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.country.countryName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.country.countryName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.geoLocation.lat\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.geoLocation.lat\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.geoLocation.lat\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.geoLocation.lon\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.geoLocation.lon\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"sea
rchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.geoLocation.lon\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.asn\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.asn\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.asn\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg\"}}},{\"co
unt\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.isp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.isp\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.isp\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.org\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.org\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remotePortDetails.port\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remotePortDetails.port\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remotePortDetails.port\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remotePortDetails.portName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocV
alues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remotePortDetails.portName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remotePortDetails.portName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.blocked\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.blocked\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.blocked\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.localPortDetails.port\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.localPortDetails.port\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.localPortDetails.port\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.localPortDetails.portName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.localPortDetails.portName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.
aws.service.action.portProbeAction.portProbeDetails.localPortDetails.portName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.city.cityName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.city.cityName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.city.cityName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.country.countryName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.country.countryName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.country.countryName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lat\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lat\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lat\"}}},{\"count\":0,\"name\":\"
data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lon\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lon\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lon\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV4\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asn\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asn\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asn\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asnOrg\",\"type\":\"string\",\"esTyp
es\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asnOrg\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asnOrg\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.isp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.isp\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.isp\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.org\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.org\"}}},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.inBytes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.
additionalInfo.inBytes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.additionalInfo.inBytes\"}}},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.localPort\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.localPort\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.additionalInfo.localPort\"}}},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.outBytes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.outBytes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.additionalInfo.outBytes\"}}},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.recentApiCalls.api\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.recentApiCalls.api\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.additionalInfo.recentApiCalls.api\"}}},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.recentApiCalls.count\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.re
centApiCalls.count\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.additionalInfo.recentApiCalls.count\"}}},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.threatListName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.threatListName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.additionalInfo.threatListName\"}}},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.threatName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.threatName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.additionalInfo.threatName\"}}},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.unusual\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.unusual\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.additionalInfo.unusual\"}}},{\"count\":0,\"name\":\"data.aws.service.archived\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.archived\",\"type\":\"string\",\"esTypes\":[\"k
eyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.archived\"}}},{\"count\":0,\"name\":\"data.aws.service.count\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.count\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.count\"}}},{\"count\":0,\"name\":\"data.aws.service.detectorId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.detectorId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.detectorId\"}}},{\"count\":0,\"name\":\"data.aws.service.eventFirstSeen\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.aws.service.eventLastSeen\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.aws.service.resourceRole\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.resourceRole\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.resourceRole\"}}},{\"count\":0,\"name\":\"data.aws.service.serviceName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\
":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.serviceName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.serviceName\"}}},{\"count\":0,\"name\":\"data.aws.severity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.severity\"}}},{\"count\":0,\"name\":\"data.aws.source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.source\"}}},{\"count\":0,\"name\":\"data.aws.summary.ACL.resources.wazuh.com.Owner.DisplayName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.summary.ACL.resources.wazuh.com.Owner.DisplayName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.summary.ACL.resources.wazuh.com.Owner.DisplayName\"}}},{\"count\":0,\"name\":\"data.aws.summary.ACL.resources.wazuh.com.Owner.ID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.summary.ACL.resources.wazuh.com.Owner.ID\",\"type\":\"string\",\"esTypes\
":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.summary.ACL.resources.wazuh.com.Owner.ID\"}}},{\"count\":0,\"name\":\"data.aws.summary.Bucket\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.summary.Bucket\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.summary.Bucket\"}}},{\"count\":0,\"name\":\"data.aws.summary.Description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.summary.Description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.summary.Description\"}}},{\"count\":0,\"name\":\"data.aws.summary.Event Count\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.summary.Event Count\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.summary.Event Count\"}}},{\"count\":0,\"name\":\"data.aws.summary.Record Count\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.summary.Record Count\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.summary.Record 
Count\"}}},{\"count\":0,\"name\":\"data.aws.summary.Timestamps\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.aws.summary.recipientAccountId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.summary.recipientAccountId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.summary.recipientAccountId\"}}},{\"count\":0,\"name\":\"data.aws.tags.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.tags.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.tags.value\"}}},{\"count\":0,\"name\":\"data.aws.title\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.title\"}}},{\"count\":0,\"name\":\"data.aws.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.type\"}}},{\"count\":0,\"name\":\"data.aws.updatedAt\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":fal
se,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.aws.url\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.url\"}}},{\"count\":0,\"name\":\"data.docker.Action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Action\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.container\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.container\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.container\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.execID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.execID\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.execID\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.exitCode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatab
le\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.exitCode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.exitCode\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.image\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.image\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.image\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.license\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.license\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.license\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.maintainer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.maintainer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.maintainer\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.name\",\"type
\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.name\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.build-date\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.build-date\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.org.label-schema.build-date\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.license\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.license\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.org.label-schema.license\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.org.label-schema.name\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.schema-version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"
count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.schema-version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.org.label-schema.schema-version\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.url\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.org.label-schema.url\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.vcs-url\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.vcs-url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.org.label-schema.vcs-url\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.vendor\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.vendor\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.org.label-schema.vendor\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.version\",\"type\":\"string\",\"esTypes\":[\"text\"]
,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.org.label-schema.version\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.signal\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.signal\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.signal\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.type\"}}},{\"count\":0,\"name\":\"data.docker.Actor.ID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.ID\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.ID\"}}},{\"count\":0,\"name\":\"data.docker.Type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Type\",\"type\":\"string\"
,\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Type\"}}},{\"count\":0,\"name\":\"data.docker.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.from\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.from\"}}},{\"count\":0,\"name\":\"data.docker.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.id\"}}},{\"count\":0,\"name\":\"data.docker.level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.level\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.level\"}}},{\"count\":0,\"name\":\"data.docker.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.message\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.message\"}}},{\"count\":0,\"name\":\"data.docker.scope\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues
\":false},{\"count\":0,\"name\":\"data.docker.scope\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.scope\"}}},{\"count\":0,\"name\":\"data.docker.status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.status\"}}},{\"count\":0,\"name\":\"data.docker.time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.time\"}}},{\"count\":0,\"name\":\"data.docker.timeNano\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.timeNano\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.timeNano\"}}},{\"count\":0,\"name\":\"data.dstuser\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.dstuser\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.dstuser\"}}},{\"count\":0,\"name\":\"data.euid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":fa
lse,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.euid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.euid\"}}},{\"count\":0,\"name\":\"data.extra_data\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.extra_data\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.extra_data\"}}},{\"count\":0,\"name\":\"data.file\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.file\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.file\"}}},{\"count\":0,\"name\":\"data.gcp.insertId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.insertId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.insertId\"}}},{\"count\":0,\"name\":\"data.gcp.jsonPayload.authAnswer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.jsonPayload.authAnswer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.jsonPayload.authAnswer\"}}},{\"count\":0,\"name\":\"da
ta.gcp.jsonPayload.protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.jsonPayload.protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.jsonPayload.protocol\"}}},{\"count\":0,\"name\":\"data.gcp.jsonPayload.queryName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.jsonPayload.queryName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.jsonPayload.queryName\"}}},{\"count\":0,\"name\":\"data.gcp.jsonPayload.queryType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.jsonPayload.queryType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.jsonPayload.queryType\"}}},{\"count\":0,\"name\":\"data.gcp.jsonPayload.responseCode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.jsonPayload.responseCode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.jsonPayload.responseCode\"}}},{\"count\":0,\"name\":\"data.gcp.jsonPayload.sourceIP\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\"
:0,\"name\":\"data.gcp.jsonPayload.sourceIP\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.jsonPayload.sourceIP\"}}},{\"count\":0,\"name\":\"data.gcp.jsonPayload.vmInstanceId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.jsonPayload.vmInstanceId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.jsonPayload.vmInstanceId\"}}},{\"count\":0,\"name\":\"data.gcp.jsonPayload.vmInstanceName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.jsonPayload.vmInstanceName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.jsonPayload.vmInstanceName\"}}},{\"count\":0,\"name\":\"data.gcp.logName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.logName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.logName\"}}},{\"count\":0,\"name\":\"data.gcp.receiveTimestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.gcp.resource.labels.location\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"d
ata.gcp.resource.labels.location\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.resource.labels.location\"}}},{\"count\":0,\"name\":\"data.gcp.resource.labels.project_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.resource.labels.project_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.resource.labels.project_id\"}}},{\"count\":0,\"name\":\"data.gcp.resource.labels.source_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.resource.labels.source_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.resource.labels.source_type\"}}},{\"count\":0,\"name\":\"data.gcp.resource.labels.target_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.resource.labels.target_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.resource.labels.target_type\"}}},{\"count\":0,\"name\":\"data.gcp.resource.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.resource.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,
\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.resource.type\"}}},{\"count\":0,\"name\":\"data.gcp.severity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.severity\"}}},{\"count\":0,\"name\":\"data.gcp.timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.github.@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.github._document_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github._document_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github._document_id\"}}},{\"count\":0,\"name\":\"data.github.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.action\"}}},{\"count\":0,\"name\":\"data.github.active\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.active\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\"
:false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.active\"}}},{\"count\":0,\"name\":\"data.github.actor\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.actor\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.actor\"}}},{\"count\":0,\"name\":\"data.github.actor_location.country_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.actor_location.country_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.actor_location.country_code\"}}},{\"count\":0,\"name\":\"data.github.config.content_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.config.content_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.config.content_type\"}}},{\"count\":0,\"name\":\"data.github.config.insecure_ssl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.config.insecure_ssl\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.config.insecure_ssl\"}}},{\"count\":0,\"name\":\"data.github.config.secret
\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.config.secret\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.config.secret\"}}},{\"count\":0,\"name\":\"data.github.config.url\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.config.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.config.url\"}}},{\"count\":0,\"name\":\"data.github.created_at\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.github.events\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.events\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.events\"}}},{\"count\":0,\"name\":\"data.github.events_were\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.events_were\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.events_were\"}}},{\"count\":0,\"name\":\"data.github.hook_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":f
alse,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.hook_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.hook_id\"}}},{\"count\":0,\"name\":\"data.github.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.name\"}}},{\"count\":0,\"name\":\"data.github.org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.org\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.org\"}}},{\"count\":0,\"name\":\"data.github.repo\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.repo\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.repo\"}}},{\"count\":0,\"name\":\"data.github.repository\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.repository\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.repository\"}}},{\"count\":0,\"name\":\"data.github.repository_public\",\
"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.repository_public\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.repository_public\"}}},{\"count\":0,\"name\":\"data.github.team\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.team\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.team\"}}},{\"count\":0,\"name\":\"data.github.transport_protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.transport_protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.transport_protocol\"}}},{\"count\":0,\"name\":\"data.github.transport_protocol_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.transport_protocol_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.transport_protocol_name\"}}},{\"count\":0,\"name\":\"data.github.user\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.user\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\
"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.user\"}}},{\"count\":0,\"name\":\"data.github.visibility\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.visibility\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.visibility\"}}},{\"count\":0,\"name\":\"data.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.id\"}}},{\"count\":0,\"name\":\"data.integration\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.integration\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.integration\"}}},{\"count\":0,\"name\":\"data.office365.AadAppId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.AadAppId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.AadAppId\"}}},{\"count\":0,\"name\":\"data.office365.Actor.ID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"cou
nt\":0,\"name\":\"data.office365.Actor.ID\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Actor.ID\"}}},{\"count\":0,\"name\":\"data.office365.Actor.Type\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.ActorContextId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ActorContextId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ActorContextId\"}}},{\"count\":0,\"name\":\"data.office365.ActorIpAddress\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ActorIpAddress\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ActorIpAddress\"}}},{\"count\":0,\"name\":\"data.office365.ApplicationId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ApplicationId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ApplicationId\"}}},{\"count\":0,\"name\":\"data.office365.AzureActiveDirectoryEventType\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"n
ame\":\"data.office365.ClientApplication\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ClientApplication\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ClientApplication\"}}},{\"count\":0,\"name\":\"data.office365.ClientIP\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ClientIP\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ClientIP\"}}},{\"count\":0,\"name\":\"data.office365.ClientIPAddress\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ClientIPAddress\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ClientIPAddress\"}}},{\"count\":0,\"name\":\"data.office365.ClientInfoString\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ClientInfoString\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ClientInfoString\"}}},{\"count\":0,\"name\":\"data.office365.CmdletVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name
\":\"data.office365.CmdletVersion\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.CmdletVersion\"}}},{\"count\":0,\"name\":\"data.office365.CorrelationId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.CorrelationId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.CorrelationId\"}}},{\"count\":0,\"name\":\"data.office365.CreationTime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.CustomUniqueId\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.CustomizedDoclib\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.DataType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.DataType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.DataType\"}}},{\"count\":0,\"name\":\"data.office365.DatabaseType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.DatabaseType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false
,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.DatabaseType\"}}},{\"count\":0,\"name\":\"data.office365.DestinationFileExtension\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.DestinationFileExtension\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.DestinationFileExtension\"}}},{\"count\":0,\"name\":\"data.office365.DestinationFileName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.DestinationFileName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.DestinationFileName\"}}},{\"count\":0,\"name\":\"data.office365.DestinationRelativeUrl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.DestinationRelativeUrl\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.DestinationRelativeUrl\"}}},{\"count\":0,\"name\":\"data.office365.DeviceProperties.Name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.DeviceProperties.Name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data
.office365.DeviceProperties.Name\"}}},{\"count\":0,\"name\":\"data.office365.DeviceProperties.Value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.DeviceProperties.Value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.DeviceProperties.Value\"}}},{\"count\":0,\"name\":\"data.office365.DoNotDistributeEvent\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.EffectiveOrganization\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.EffectiveOrganization\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.EffectiveOrganization\"}}},{\"count\":0,\"name\":\"data.office365.ErrorNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ErrorNumber\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ErrorNumber\"}}},{\"count\":0,\"name\":\"data.office365.EventData\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.EventData\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"
subType\":{\"multi\":{\"parent\":\"data.office365.EventData\"}}},{\"count\":0,\"name\":\"data.office365.EventSource\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.EventSource\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.EventSource\"}}},{\"count\":0,\"name\":\"data.office365.ExtendedProperties.Name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ExtendedProperties.Name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ExtendedProperties.Name\"}}},{\"count\":0,\"name\":\"data.office365.ExtendedProperties.Value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ExtendedProperties.Value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ExtendedProperties.Value\"}}},{\"count\":0,\"name\":\"data.office365.ExternalAccess\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.FromApp\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.HighPriorityMediaProcessing\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true
,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.Id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Id\"}}},{\"count\":0,\"name\":\"data.office365.InterSystemsId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.InterSystemsId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.InterSystemsId\"}}},{\"count\":0,\"name\":\"data.office365.InternalLogonType\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.IntraSystemId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.IntraSystemId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.IntraSystemId\"}}},{\"count\":0,\"name\":\"data.office365.IsDocLib\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.Item.Attachments\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.Attachments\",\"typ
e\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.Attachments\"}}},{\"count\":0,\"name\":\"data.office365.Item.Id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.Id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.Id\"}}},{\"count\":0,\"name\":\"data.office365.Item.InternetMessageId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.InternetMessageId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.InternetMessageId\"}}},{\"count\":0,\"name\":\"data.office365.Item.IsRecord\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.Id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.Id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.ParentFolder.Id\"}}},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.MemberRights\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\
"data.office365.Item.ParentFolder.MemberRights\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.ParentFolder.MemberRights\"}}},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.MemberSid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.MemberSid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.ParentFolder.MemberSid\"}}},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.MemberUpn\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.MemberUpn\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.ParentFolder.MemberUpn\"}}},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.Name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.Name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.ParentFolder.Name\"}}},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.Path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.Path\",\"type\":
\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.ParentFolder.Path\"}}},{\"count\":0,\"name\":\"data.office365.Item.Subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.Subject\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.Subject\"}}},{\"count\":0,\"name\":\"data.office365.ItemCount\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.ItemType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ItemType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ItemType\"}}},{\"count\":0,\"name\":\"data.office365.ListBaseTemplateType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ListBaseTemplateType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ListBaseTemplateType\"}}},{\"count\":0,\"name\":\"data.office365.ListBaseType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ListBaseType\",\"type\":\"string\",
\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ListBaseType\"}}},{\"count\":0,\"name\":\"data.office365.ListColor\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ListColor\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ListColor\"}}},{\"count\":0,\"name\":\"data.office365.ListIcon\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ListIcon\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ListIcon\"}}},{\"count\":0,\"name\":\"data.office365.ListId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ListId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ListId\"}}},{\"count\":0,\"name\":\"data.office365.ListItemUniqueId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ListItemUniqueId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ListItemUniqueId\"}}},{\"count\":0,\"name\":\"data.office365.ListTitle\",\"type\"
:\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ListTitle\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ListTitle\"}}},{\"count\":0,\"name\":\"data.office365.LogonType\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.LogonUserSid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.LogonUserSid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.LogonUserSid\"}}},{\"count\":0,\"name\":\"data.office365.MailboxGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.MailboxGuid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.MailboxGuid\"}}},{\"count\":0,\"name\":\"data.office365.MailboxOwnerMasterAccountSid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.MailboxOwnerMasterAccountSid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.MailboxOwnerMasterAccountSid\"}}},{\"count\":0,\"name\":\"data.office365.MailboxOwnerSid\"
,\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.MailboxOwnerSid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.MailboxOwnerSid\"}}},{\"count\":0,\"name\":\"data.office365.MailboxOwnerUPN\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.MailboxOwnerUPN\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.MailboxOwnerUPN\"}}},{\"count\":0,\"name\":\"data.office365.ModifiedProperties.Name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ModifiedProperties.Name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ModifiedProperties.Name\"}}},{\"count\":0,\"name\":\"data.office365.ModifiedProperties.NewValue\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ModifiedProperties.NewValue\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ModifiedProperties.NewValue\"}}},{\"count\":0,\"name\":\"data.office365.ModifiedProperties.OldValue\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"
readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ModifiedProperties.OldValue\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ModifiedProperties.OldValue\"}}},{\"count\":0,\"name\":\"data.office365.NonPIIParameters\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.NonPIIParameters\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.NonPIIParameters\"}}},{\"count\":0,\"name\":\"data.office365.ObjectId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ObjectId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ObjectId\"}}},{\"count\":0,\"name\":\"data.office365.Operation\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Operation\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Operation\"}}},{\"count\":0,\"name\":\"data.office365.OrganizationId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.OrganizationId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"r
eadFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.OrganizationId\"}}},{\"count\":0,\"name\":\"data.office365.OrganizationName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.OrganizationName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.OrganizationName\"}}},{\"count\":0,\"name\":\"data.office365.OriginatingServer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.OriginatingServer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.OriginatingServer\"}}},{\"count\":0,\"name\":\"data.office365.Parameters\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Parameters\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Parameters\"}}},{\"count\":0,\"name\":\"data.office365.RecordType\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.RelativeUrl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.RelativeUrl\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocV
alues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.RelativeUrl\"}}},{\"count\":0,\"name\":\"data.office365.ResultCount\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ResultCount\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ResultCount\"}}},{\"count\":0,\"name\":\"data.office365.ResultStatus\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ResultStatus\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ResultStatus\"}}},{\"count\":0,\"name\":\"data.office365.SecurityComplianceCenterEventType\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.Site\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Site\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Site\"}}},{\"count\":0,\"name\":\"data.office365.SiteUrl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.SiteUrl\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\"
:\"data.office365.SiteUrl\"}}},{\"count\":0,\"name\":\"data.office365.Source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Source\"}}},{\"count\":0,\"name\":\"data.office365.SourceFileExtension\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.SourceFileExtension\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.SourceFileExtension\"}}},{\"count\":0,\"name\":\"data.office365.SourceFileName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.SourceFileName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.SourceFileName\"}}},{\"count\":0,\"name\":\"data.office365.SourceRelativeUrl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.SourceRelativeUrl\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.SourceRelativeUrl\"}}},{\"count\":0,\"name\":\"data.office365.StartTime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFr
omDocValues\":true},{\"count\":0,\"name\":\"data.office365.Subscription\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Subscription\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Subscription\"}}},{\"count\":0,\"name\":\"data.office365.SupportTicketId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.SupportTicketId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.SupportTicketId\"}}},{\"count\":0,\"name\":\"data.office365.Target.ID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Target.ID\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Target.ID\"}}},{\"count\":0,\"name\":\"data.office365.Target.Type\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.TargetContextId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.TargetContextId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.TargetContextId\"}}},{\
"count\":0,\"name\":\"data.office365.TargetUserOrGroupName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.TargetUserOrGroupName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.TargetUserOrGroupName\"}}},{\"count\":0,\"name\":\"data.office365.TargetUserOrGroupType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.TargetUserOrGroupType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.TargetUserOrGroupType\"}}},{\"count\":0,\"name\":\"data.office365.TemplateTypeId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.TemplateTypeId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.TemplateTypeId\"}}},{\"count\":0,\"name\":\"data.office365.UserAgent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.UserAgent\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.UserAgent\"}}},{\"count\":0,\"name\":\"data.office365.UserId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocV
alues\":false},{\"count\":0,\"name\":\"data.office365.UserId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.UserId\"}}},{\"count\":0,\"name\":\"data.office365.UserKey\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.UserKey\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.UserKey\"}}},{\"count\":0,\"name\":\"data.office365.UserServicePlan\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.UserServicePlan\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.UserServicePlan\"}}},{\"count\":0,\"name\":\"data.office365.UserType\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.Version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.WebId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.WebId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.WebId\"}}},{\"count\":0,\"name\":\"data.office365.Workload\",\"type\":\"stri
ng\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Workload\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Workload\"}}},{\"count\":0,\"name\":\"data.oscap.check.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.check.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.check.description\"}}},{\"count\":0,\"name\":\"data.oscap.check.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.check.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.check.id\"}}},{\"count\":0,\"name\":\"data.oscap.check.identifiers\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.check.identifiers\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.check.identifiers\"}}},{\"count\":0,\"name\":\"data.oscap.check.oval.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.check.oval.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchab
le\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.check.oval.id\"}}},{\"count\":0,\"name\":\"data.oscap.check.rationale\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.check.rationale\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.check.rationale\"}}},{\"count\":0,\"name\":\"data.oscap.check.references\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.check.references\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.check.references\"}}},{\"count\":0,\"name\":\"data.oscap.check.result\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.check.result\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.check.result\"}}},{\"count\":0,\"name\":\"data.oscap.check.severity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.check.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.check.severity\"}}},{\"count\":0,\"name\":\"data.oscap.check.title\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,
\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.check.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.check.title\"}}},{\"count\":0,\"name\":\"data.oscap.scan.benchmark.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.scan.benchmark.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.scan.benchmark.id\"}}},{\"count\":0,\"name\":\"data.oscap.scan.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.scan.content\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.scan.content\"}}},{\"count\":0,\"name\":\"data.oscap.scan.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.scan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.scan.id\"}}},{\"count\":0,\"name\":\"data.oscap.scan.profile.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.scan.profile.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"su
bType\":{\"multi\":{\"parent\":\"data.oscap.scan.profile.id\"}}},{\"count\":0,\"name\":\"data.oscap.scan.profile.title\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.scan.profile.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.scan.profile.title\"}}},{\"count\":0,\"name\":\"data.oscap.scan.score\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.scan.score\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.scan.score\"}}},{\"count\":0,\"name\":\"data.osquery.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.action\"}}},{\"count\":0,\"name\":\"data.osquery.calendarTime\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.osquery.columns.atime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.atime\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.atime\"}}},{\"
count\":0,\"name\":\"data.osquery.columns.average_memory\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.average_memory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.average_memory\"}}},{\"count\":0,\"name\":\"data.osquery.columns.avg_system_time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.avg_system_time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.avg_system_time\"}}},{\"count\":0,\"name\":\"data.osquery.columns.avg_user_time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.avg_user_time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.avg_user_time\"}}},{\"count\":0,\"name\":\"data.osquery.columns.block_size\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.block_size\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.block_size\"}}},{\"count\":0,\"name\":\"data.osquery.columns.blocks\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true
,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.blocks\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.blocks\"}}},{\"count\":0,\"name\":\"data.osquery.columns.blocks_available\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.blocks_available\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.blocks_available\"}}},{\"count\":0,\"name\":\"data.osquery.columns.blocks_free\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.blocks_free\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.blocks_free\"}}},{\"count\":0,\"name\":\"data.osquery.columns.blocks_size\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.blocks_size\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.blocks_size\"}}},{\"count\":0,\"name\":\"data.osquery.columns.build_distro\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.build_distro\",\"type\":\"string\",\"esTypes\":[\"ke
yword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.build_distro\"}}},{\"count\":0,\"name\":\"data.osquery.columns.build_platform\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.build_platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.build_platform\"}}},{\"count\":0,\"name\":\"data.osquery.columns.bytes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.bytes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.bytes\"}}},{\"count\":0,\"name\":\"data.osquery.columns.chain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.chain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.chain\"}}},{\"count\":0,\"name\":\"data.osquery.columns.config_hash\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.config_hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.config_hash\"}}},{\"count\"
:0,\"name\":\"data.osquery.columns.config_valid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.config_valid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.config_valid\"}}},{\"count\":0,\"name\":\"data.osquery.columns.counter\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.counter\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.counter\"}}},{\"count\":0,\"name\":\"data.osquery.columns.ctime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.ctime\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.ctime\"}}},{\"count\":0,\"name\":\"data.osquery.columns.device\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.device\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.device\"}}},{\"count\":0,\"name\":\"data.osquery.columns.device_alias\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\
"name\":\"data.osquery.columns.device_alias\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.device_alias\"}}},{\"count\":0,\"name\":\"data.osquery.columns.dst_ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.dst_ip\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.dst_ip\"}}},{\"count\":0,\"name\":\"data.osquery.columns.dst_mask\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.dst_mask\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.dst_mask\"}}},{\"count\":0,\"name\":\"data.osquery.columns.end\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.end\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.end\"}}},{\"count\":0,\"name\":\"data.osquery.columns.executions\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.executions\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\
"parent\":\"data.osquery.columns.executions\"}}},{\"count\":0,\"name\":\"data.osquery.columns.extensions\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.extensions\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.extensions\"}}},{\"count\":0,\"name\":\"data.osquery.columns.filter_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.filter_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.filter_name\"}}},{\"count\":0,\"name\":\"data.osquery.columns.flags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.flags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.flags\"}}},{\"count\":0,\"name\":\"data.osquery.columns.gid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.gid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.gid\"}}},{\"count\":0,\"name\":\"data.osquery.columns.iniface\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\
":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.iniface\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.iniface\"}}},{\"count\":0,\"name\":\"data.osquery.columns.inode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.inode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.inode\"}}},{\"count\":0,\"name\":\"data.osquery.columns.inodes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.inodes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.inodes\"}}},{\"count\":0,\"name\":\"data.osquery.columns.inodes_free\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.inodes_free\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.inodes_free\"}}},{\"count\":0,\"name\":\"data.osquery.columns.instance_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.instance_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\"
:true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.instance_id\"}}},{\"count\":0,\"name\":\"data.osquery.columns.interval\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.interval\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.interval\"}}},{\"count\":0,\"name\":\"data.osquery.columns.key\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.key\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.key\"}}},{\"count\":0,\"name\":\"data.osquery.columns.last_executed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.last_executed\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.last_executed\"}}},{\"count\":0,\"name\":\"data.osquery.columns.match\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.match\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.match\"}}},{\"count\":0,\"name\":\"data.osquery.columns.memory_free\",\"type\":\"string\",\"esTypes\":[\
"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.memory_free\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.memory_free\"}}},{\"count\":0,\"name\":\"data.osquery.columns.memory_free_perc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.memory_free_perc\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.memory_free_perc\"}}},{\"count\":0,\"name\":\"data.osquery.columns.memory_total\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.memory_total\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.memory_total\"}}},{\"count\":0,\"name\":\"data.osquery.columns.mode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.mode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.mode\"}}},{\"count\":0,\"name\":\"data.osquery.columns.mtime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.mtime\",\"type\":\"s
tring\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.mtime\"}}},{\"count\":0,\"name\":\"data.osquery.columns.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.name\"}}},{\"count\":0,\"name\":\"data.osquery.columns.offset\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.offset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.offset\"}}},{\"count\":0,\"name\":\"data.osquery.columns.outiface\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.outiface\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.outiface\"}}},{\"count\":0,\"name\":\"data.osquery.columns.outiface_mask\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.outiface_mask\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.outiface_mask\"}}},{\"c
ount\":0,\"name\":\"data.osquery.columns.output_size\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.output_size\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.output_size\"}}},{\"count\":0,\"name\":\"data.osquery.columns.packets\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.packets\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.packets\"}}},{\"count\":0,\"name\":\"data.osquery.columns.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.path\"}}},{\"count\":0,\"name\":\"data.osquery.columns.permissions\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.permissions\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.permissions\"}}},{\"count\":0,\"name\":\"data.osquery.columns.pid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count
\":0,\"name\":\"data.osquery.columns.pid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.pid\"}}},{\"count\":0,\"name\":\"data.osquery.columns.policy\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.policy\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.policy\"}}},{\"count\":0,\"name\":\"data.osquery.columns.protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.protocol\"}}},{\"count\":0,\"name\":\"data.osquery.columns.pseudo\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.pseudo\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.pseudo\"}}},{\"count\":0,\"name\":\"data.osquery.columns.resident_size\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.resident_size\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\"
:{\"parent\":\"data.osquery.columns.resident_size\"}}},{\"count\":0,\"name\":\"data.osquery.columns.src_ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.src_ip\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.src_ip\"}}},{\"count\":0,\"name\":\"data.osquery.columns.src_mask\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.src_mask\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.src_mask\"}}},{\"count\":0,\"name\":\"data.osquery.columns.start\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.start\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.start\"}}},{\"count\":0,\"name\":\"data.osquery.columns.start_time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.start_time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.start_time\"}}},{\"count\":0,\"name\":\"data.osquery.columns.system_time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"agg
regatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.system_time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.system_time\"}}},{\"count\":0,\"name\":\"data.osquery.columns.target\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.target\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.target\"}}},{\"count\":0,\"name\":\"data.osquery.columns.threshold\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.threshold\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.threshold\"}}},{\"count\":0,\"name\":\"data.osquery.columns.time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.time\"}}},{\"count\":0,\"name\":\"data.osquery.columns.tty\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.tty\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\
"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.tty\"}}},{\"count\":0,\"name\":\"data.osquery.columns.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.type\"}}},{\"count\":0,\"name\":\"data.osquery.columns.uid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.uid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.uid\"}}},{\"count\":0,\"name\":\"data.osquery.columns.user_time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.user_time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.user_time\"}}},{\"count\":0,\"name\":\"data.osquery.columns.uuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.uuid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.uuid\"}}},{\"count\":0,\"name\":\"data.osquery.columns.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,
\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.value\"}}},{\"count\":0,\"name\":\"data.osquery.columns.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.version\"}}},{\"count\":0,\"name\":\"data.osquery.columns.wall_time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.wall_time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.wall_time\"}}},{\"count\":0,\"name\":\"data.osquery.columns.watcher\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.watcher\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.watcher\"}}},{\"count\":0,\"name\":\"data.osquery.counter\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.counter\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"re
adFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.counter\"}}},{\"count\":0,\"name\":\"data.osquery.epoch\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.epoch\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.epoch\"}}},{\"count\":0,\"name\":\"data.osquery.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.name\"}}},{\"count\":0,\"name\":\"data.osquery.pack\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.pack\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.pack\"}}},{\"count\":0,\"name\":\"data.osquery.subquery\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.subquery\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.subquery\"}}},{\"count\":0,\"name\":\"data.protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.protocol\",\"type\":\"string\",\
"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.protocol\"}}},{\"count\":0,\"name\":\"data.scope\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.scope\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.scope\"}}},{\"count\":0,\"name\":\"data.srcip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.srcip\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.srcip\"}}},{\"count\":0,\"name\":\"data.srcport\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.srcport\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.srcport\"}}},{\"count\":0,\"name\":\"data.srcuser\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.srcuser\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.srcuser\"}}},{\"count\":0,\"name\":\"data.status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.status\",\"type\":\"string\",\"esTypes
\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.status\"}}},{\"count\":0,\"name\":\"data.system_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.system_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.system_name\"}}},{\"count\":0,\"name\":\"data.time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.time\"}}},{\"count\":0,\"name\":\"data.timeNano\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.timeNano\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.timeNano\"}}},{\"count\":0,\"name\":\"data.title\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.title\"}}},{\"count\":0,\"name\":\"data.tty\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.tty\",\"type\":\"string\",\"esTypes\":[
\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.tty\"}}},{\"count\":0,\"name\":\"data.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.type\"}}},{\"count\":0,\"name\":\"data.uid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.uid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.uid\"}}},{\"count\":0,\"name\":\"data.url\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.url\"}}},{\"count\":0,\"name\":\"data.virustotal.found\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.found\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.found\"}}},{\"count\":0,\"name\":\"data.virustotal.malicious\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.virustotal.permalink\",\"type\":\"str
ing\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.permalink\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.permalink\"}}},{\"count\":0,\"name\":\"data.virustotal.positives\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.positives\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.positives\"}}},{\"count\":0,\"name\":\"data.virustotal.scan_date\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.virustotal.source.alert_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.source.alert_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.source.alert_id\"}}},{\"count\":0,\"name\":\"data.virustotal.source.file\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.source.file\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.source.file\"}}},{\"count\":0,\"name\":\"data.virustotal.source.md5\",\"type\":\"string\",\"esTypes\":[\"text\"]
,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.source.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.source.md5\"}}},{\"count\":0,\"name\":\"data.virustotal.source.sha1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.source.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.source.sha1\"}}},{\"count\":0,\"name\":\"data.virustotal.total\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.total\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.total\"}}},{\"count\":0,\"name\":\"data.vulnerability.assigner\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.assigner\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.assigner\"}}},{\"count\":0,\"name\":\"data.vulnerability.bugzilla_references\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.bugzilla_references\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"s
earchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.bugzilla_references\"}}},{\"count\":0,\"name\":\"data.vulnerability.cve\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cve\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cve\"}}},{\"count\":0,\"name\":\"data.vulnerability.cve_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cve_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cve_version\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.base_score\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.base_score\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss2.base_score\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.access_complexity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.access_complexity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerabil
ity.cvss.cvss2.vector.access_complexity\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.attack_vector\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.attack_vector\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss2.vector.attack_vector\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.authentication\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.authentication\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss2.vector.authentication\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.availability\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.availability\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss2.vector.availability\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.confidentiality_impact\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.confidentiality_impact\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":tr
ue,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss2.vector.confidentiality_impact\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.integrity_impact\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.integrity_impact\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss2.vector.integrity_impact\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.base_score\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.base_score\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.base_score\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.access_complexity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.access_complexity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.access_complexity\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.attack_vector\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.attack_vector\",\"type\":\"string\",\"esTypes\":[\"keyword\"
],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.attack_vector\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.availability\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.availability\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.availability\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.confidentiality_impact\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.confidentiality_impact\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.confidentiality_impact\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.integrity_impact\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.integrity_impact\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.integrity_impact\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.privileges_required\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":
\"data.vulnerability.cvss.cvss3.vector.privileges_required\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.privileges_required\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.scope\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.scope\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.scope\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.user_interaction\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.user_interaction\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.user_interaction\"}}},{\"count\":0,\"name\":\"data.vulnerability.cwe_reference\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cwe_reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cwe_reference\"}}},{\"count\":0,\"name\":\"data.vulnerability.package.architecture\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.v
ulnerability.package.architecture\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.package.architecture\"}}},{\"count\":0,\"name\":\"data.vulnerability.package.condition\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.package.condition\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.package.condition\"}}},{\"count\":0,\"name\":\"data.vulnerability.package.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.package.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.package.name\"}}},{\"count\":0,\"name\":\"data.vulnerability.package.source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.package.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.package.source\"}}},{\"count\":0,\"name\":\"data.vulnerability.package.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.package.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatab
le\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.package.version\"}}},{\"count\":0,\"name\":\"data.vulnerability.published\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.vulnerability.rationale\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.rationale\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.rationale\"}}},{\"count\":0,\"name\":\"data.vulnerability.references\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.references\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.references\"}}},{\"count\":0,\"name\":\"data.vulnerability.severity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.severity\"}}},{\"count\":0,\"name\":\"data.vulnerability.state\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.state\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromD
ocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.state\"}}},{\"count\":0,\"name\":\"data.vulnerability.title\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.title\"}}},{\"count\":0,\"name\":\"data.vulnerability.updated\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.win.eventdata.authenticationPackageName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.authenticationPackageName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.authenticationPackageName\"}}},{\"count\":0,\"name\":\"data.win.eventdata.failureReason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.failureReason\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.failureReason\"}}},{\"count\":0,\"name\":\"data.win.eventdata.ipAddress\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.ipAddress\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregat
able\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.ipAddress\"}}},{\"count\":0,\"name\":\"data.win.eventdata.ipPort\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.ipPort\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.ipPort\"}}},{\"count\":0,\"name\":\"data.win.eventdata.keyLength\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.win.eventdata.logonProcessName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.logonProcessName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.logonProcessName\"}}},{\"count\":0,\"name\":\"data.win.eventdata.logonType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.logonType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.logonType\"}}},{\"count\":0,\"name\":\"data.win.eventdata.processId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.processId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\
":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.processId\"}}},{\"count\":0,\"name\":\"data.win.eventdata.status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.status\"}}},{\"count\":0,\"name\":\"data.win.eventdata.subStatus\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.subStatus\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.subStatus\"}}},{\"count\":0,\"name\":\"data.win.eventdata.subjectLogonId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.subjectLogonId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.subjectLogonId\"}}},{\"count\":0,\"name\":\"data.win.eventdata.subjectUserSid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.subjectUserSid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.subjectUserSid\"}}},{\"count\":0,\"name\":\"data.win.eventdata.targetUserName\",\"type\":\"string\
",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.targetUserName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.targetUserName\"}}},{\"count\":0,\"name\":\"data.win.system.channel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.channel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.channel\"}}},{\"count\":0,\"name\":\"data.win.system.computer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.computer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.computer\"}}},{\"count\":0,\"name\":\"data.win.system.eventID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.eventID\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.eventID\"}}},{\"count\":0,\"name\":\"data.win.system.eventRecordID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.eventRecordID\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":fals
e,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.eventRecordID\"}}},{\"count\":0,\"name\":\"data.win.systems\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.systems\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.systems\"}}},{\"count\":0,\"name\":\"data.win.system.level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.level\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.level\"}}},{\"count\":0,\"name\":\"data.win.system.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.message\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.message\"}}},{\"count\":0,\"name\":\"data.win.system.opcode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.opcode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.opcode\"}}},{\"count\":0,\"name\":\"data.win.system.processID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":
false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.processID\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.processID\"}}},{\"count\":0,\"name\":\"data.win.system.providerGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.providerGuid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.providerGuid\"}}},{\"count\":0,\"name\":\"data.win.system.providerName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.providerName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.providerName\"}}},{\"count\":0,\"name\":\"data.win.system.severityValue\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.severityValue\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.severityValue\"}}},{\"count\":0,\"name\":\"data.win.system.systemTime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.win.system.task\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":fals
e},{\"count\":0,\"name\":\"data.win.system.task\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.task\"}}},{\"count\":0,\"name\":\"data.win.system.threadID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.threadID\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.threadID\"}}},{\"count\":0,\"name\":\"data.win.system.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.version\"}}},{\"count\":0,\"name\":\"decoder.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"decoder.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"decoder.name\"}}},{\"count\":0,\"name\":\"decoder.parent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"decoder.parent\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"decoder.parent\"}}},{\"count\":0,\"name\":\"event.original\",\"type\":\"string\",\"esTypes\":[
\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"event.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.original\"}}},{\"count\":0,\"name\":\"fields.timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"full_log\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"full_log\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"full_log\"}}},{\"count\":0,\"name\":\"host\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"host\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host\"}}},{\"count\":0,\"name\":\"id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"id\"}}},{\"count\":0,\"name\":\"input.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"input.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"
multi\":{\"parent\":\"input.type\"}}},{\"count\":0,\"name\":\"location\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"location\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"location\"}}},{\"count\":0,\"name\":\"manager.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"manager.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"manager.name\"}}},{\"count\":0,\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"count\":0,\"name\":\"path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"path\"}}},{\"count\":0,\"name\":\"predecoder.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"predecoder.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"predecoder.h
ostname\"}}},{\"count\":0,\"name\":\"predecoder.program_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"predecoder.program_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"predecoder.program_name\"}}},{\"count\":0,\"name\":\"predecoder.timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"predecoder.timestamp\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"predecoder.timestamp\"}}},{\"count\":0,\"name\":\"previous_output\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"previous_output\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"previous_output\"}}},{\"count\":0,\"name\":\"rule.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.description\"}}},{\"count\":0,\"name\":\"rule.details.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchab
le\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.category\"}}},{\"count\":0,\"name\":\"rule.details.decoded_as\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.decoded_as\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.decoded_as\"}}},{\"count\":0,\"name\":\"rule.details.frequency\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.frequency\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.frequency\"}}},{\"count\":0,\"name\":\"rule.details.group\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.group\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.group\"}}},{\"count\":0,\"name\":\"rule.details.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.hostname\"}}},{\"count\":0,\"name\":\"rule.details.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValue
s\":false},{\"count\":0,\"name\":\"rule.details.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.id\"}}},{\"count\":0,\"name\":\"rule.details.if_fts\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.if_fts\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.if_fts\"}}},{\"count\":0,\"name\":\"rule.details.if_matched_sid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.if_matched_sid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.if_matched_sid\"}}},{\"count\":0,\"name\":\"rule.details.if_sid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.if_sid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.if_sid\"}}},{\"count\":0,\"name\":\"rule.details.ignore\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.ignore\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.ignore\"}}},{\"count\":0,\"name\":\"rule.details.match\
",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.match\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.match\"}}},{\"count\":0,\"name\":\"rule.details.maxsize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.maxsize\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.maxsize\"}}},{\"count\":0,\"name\":\"rule.details.noalert\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.noalert\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.noalert\"}}},{\"count\":0,\"name\":\"rule.details.regex\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.regex\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.regex\"}}},{\"count\":0,\"name\":\"rule.details.same_source_ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.same_source_ip\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"read
FromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.same_source_ip\"}}},{\"count\":0,\"name\":\"rule.details.timeframe\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.timeframe\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.timeframe\"}}},{\"count\":0,\"name\":\"rule.details.user\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.user\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.user\"}}},{\"count\":0,\"name\":\"rule.filename\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.filename\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.filename\"}}},{\"count\":0,\"name\":\"rule.firedtimes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.frequency\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.gdpr\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.gdpr\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":tru
e,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.gdpr\"}}},{\"count\":0,\"name\":\"rule.gpg13\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.gpg13\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.gpg13\"}}},{\"count\":0,\"name\":\"rule.groups\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.groups\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.groups\"}}},{\"count\":0,\"name\":\"rule.hipaa\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.hipaa\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.hipaa\"}}},{\"count\":0,\"name\":\"rule.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.id\"}}},{\"count\":0,\"name\":\"rule.info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.info\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"sub
Type\":{\"multi\":{\"parent\":\"rule.info\"}}},{\"count\":0,\"name\":\"rule.level\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.mail\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.mitre.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.mitre.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.mitre.id\"}}},{\"count\":0,\"name\":\"rule.mitre.tactic\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.mitre.tactic\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.mitre.tactic\"}}},{\"count\":0,\"name\":\"rule.mitre.technique\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.mitre.technique\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.mitre.technique\"}}},{\"count\":0,\"name\":\"rule.nist_800_53\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.nist_800_53\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{
\"multi\":{\"parent\":\"rule.nist_800_53\"}}},{\"count\":0,\"name\":\"rule.pci\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.pci\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.pci\"}}},{\"count\":0,\"name\":\"rule.pci_dss\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.pci_dss\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.pci_dss\"}}},{\"count\":0,\"name\":\"rule.relative_dirname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.relative_dirname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.relative_dirname\"}}},{\"count\":0,\"name\":\"rule.status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.status\"}}},{\"count\":0,\"name\":\"rule.tsc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.tsc\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,
\"subType\":{\"multi\":{\"parent\":\"rule.tsc\"}}},{\"count\":0,\"name\":\"syscheck.audit.effective_user.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.audit.effective_user.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.audit.effective_user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.audit.effective_user.name\"}}},{\"count\":0,\"name\":\"syscheck.audit.group.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.audit.group.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.audit.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.audit.group.name\"}}},{\"count\":0,\"name\":\"syscheck.audit.process.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.audit.process.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.audit.process.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.audit.process.name\"}}},{\"count\":0,\"name\":\"syscheck.audit.
process.ppid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.audit.user.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.audit.user.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.audit.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.audit.user.name\"}}},{\"count\":0,\"name\":\"syscheck.changed_attributes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.changed_attributes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.changed_attributes\"}}},{\"count\":0,\"name\":\"syscheck.event\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.event\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.event\"}}},{\"count\":0,\"name\":\"syscheck.gid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.gid_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{
\"parent\":\"syscheck.gid_after\"}}},{\"count\":0,\"name\":\"syscheck.gname_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.gname_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.gname_after\"}}},{\"count\":0,\"name\":\"syscheck.inode_after\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.inode_before\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.md5_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.md5_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.md5_after\"}}},{\"count\":0,\"name\":\"syscheck.mtime_after\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.mtime_before\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.path\"}}},{
\"count\":0,\"name\":\"syscheck.perm_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.perm_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.perm_after\"}}},{\"count\":0,\"name\":\"syscheck.sha1_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.sha1_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.sha1_after\"}}},{\"count\":0,\"name\":\"syscheck.sha256_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.sha256_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.sha256_after\"}}},{\"count\":0,\"name\":\"syscheck.size_after\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.tags\"}}},{\"count\":0,\"name\":\"syscheck.uid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":fal
se,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.uid_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.uid_after\"}}},{\"count\":0,\"name\":\"syscheck.uname_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.uname_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.uname_after\"}}},{\"count\":0,\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tags\"}}},{\"count\":0,\"name\":\"timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]","timeFieldName":"timestamp","title":"wazuh-alerts-4.x*"},"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2023-04-25T12:32:41.780Z","version":"WzEsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Events by source over time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Events by source over 
time\",\"type\":\"area\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.aws.source\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"area\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"interpolate\":\"cardinal\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"left\",\"times\":[],\"addTimeMarker\":false,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"labels\":{}}}"},"id":"af813ab0-c74b-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-patter
n"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzIsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Sources","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sources\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.aws.source\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}"},"id":"bf8f2f20-c74b-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzMsMV0="} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Events","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Events\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"count\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"timestamp\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"agent.name\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.aws.source\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.aws.source\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.description\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.description\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.level\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.level\
"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.id\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"id":"06ecaf50-c74c-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzQsMV0="} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"2.6.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":31,\"h\":15,\"i\":\"0924fcf8-b0d4-4f61-8f3a-da19850bc9d1\"},\"panelIndex\":\"0924fcf8-b0d4-4f61-8f3a-da19850bc9d1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.6.0\",\"gridData\":{\"x\":31,\"y\":0,\"w\":17,\"h\":15,\"i\":\"38fdffd3-ddbf-4d98-9904-877c98ecfa1b\"},\"panelIndex\":\"38fdffd3-ddbf-4d98-9904-877c98ecfa1b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"2.6.0\",\"gridData\":{\"x\":0,\"y\":15,\"w\":48,\"h\":15,\"i\":\"7930046b-8b17-4906-a0fe-ba2cc3ae9f15\"},\"panelIndex\":\"7930046b-8b17-4906-a0fe-ba2cc3ae9f15\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"}]","timeRestore":false,"title":"wazuh-amazon-aws-v1.0","version":1},"id":"d9881710-c74c-11ed-a68b-6f8500ccee6f","migrationVersion":{"dashboard":"7.9.3"},"references":[{"id":"af813ab0-c74b-11ed-a68b-6f8500ccee6f","name":"panel_0","type":"visualization"},{"id":"bf8f2f20-c74b-11ed-a68b-6f8
500ccee6f","name":"panel_1","type":"visualization"},{"id":"06ecaf50-c74c-11ed-a68b-6f8500ccee6f","name":"panel_2","type":"visualization"}],"type":"dashboard","updated_at":"2023-04-25T12:32:41.780Z","version":"WzUsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top 5 events","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Top 5 events\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.docker.Action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}"},"id":"6987a560-c74d-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzYsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Events by source over time - Docker","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Events by source over time - 
Docker\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-7d\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.docker.Type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}"},"id":"ad3b5770-c74d-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pat
tern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzcsMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Events - Docker","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Events - Docker\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"count\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"timestamp\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"agent.name\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.docker.Type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.docker.type\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.docker.Actor.ID\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.docker.actor.id\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.docker.Action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\
":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.docker.action\"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.description\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.description\"},\"schema\":\"bucket\"},{\"id\":\"8\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.level\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.level\"},\"schema\":\"bucket\"},{\"id\":\"9\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.id\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"row\":true}}"},"id":"199c8ce0-c74e-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzgsMV0="} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"0d9f05f5-49cc-46cd-8855-b9540d3fa606\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"0d9f05f5-49cc-46cd-8855-b9540d3fa606\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"a0d416d1-138e-41be-9576-79feedb9109b\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"a0d416d1-138e-41be-9576-79feedb9109b\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"d1117074-306a-4615-94f2-3b60602cb5a7\",\"w\":48,\"x\":0,\"y\":15},\"panelIndex\":\"d1117074-306a-4615-94f2-3b60602cb5a7\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_2\"}]","timeRestore":false,"title":"wazuh-docker-listener-v1.0","version":1},"id":"38d43040-c74e-11ed-a68b-6f8500ccee6f","migrationVersion":{"dashboard":"7.9.3"},"references":[{"id":"6987a560-c74d-11ed-a68b-6f8500ccee6f","name":"panel_0","type":"visualization"},{"id":"ad3b5770-c74d-11ed-a68b-6f8500ccee6f","name":"panel_1","type":"visualization"},{"id":"199c8ce0-c74e-11ed-a68b-6f8500ccee6f","name":"panel_2","type":"visualization"}],"type":"dashboard","updated_at":"2023-04-25T12:32:41.780Z","version":"WzksMV0="} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Alert groups","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Alert 
groups\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.groups\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}"},"id":"a8a6e5c0-c74e-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzEwLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Events - Incident response","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Events - Incident 
response\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"rule.groups:audit\",\"language\":\"lucene\"},\"label\":\"audit\"},{\"input\":{\"query\":\"rule.groups:audit_command\",\"language\":\"lucene\"},\"label\":\"audit_command\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}"},"id":"52998510-c74f-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.
index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzExLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Incident response","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Incident response\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"count\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"timestamp\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"agent.name\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.groups\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.groups\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.description\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.description\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.level\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucke
t\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.level\"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.id\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"id":"a3b734b0-c74f-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzEyLDFd"} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"3507da76-6874-4aa3-8968-3e0ddd11aa19\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"3507da76-6874-4aa3-8968-3e0ddd11aa19\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"b0a18b5d-447b-4e88-acd2-e14d22289a28\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"b0a18b5d-447b-4e88-acd2-e14d22289a28\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":13,\"i\":\"05aa4c38-33a5-4fec-a35a-e0bb200679c1\",\"w\":48,\"x\":0,\"y\":15},\"panelIndex\":\"05aa4c38-33a5-4fec-a35a-e0bb200679c1\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_2\"}]","timeRestore":false,"title":"wazuh-incident-response-v1.0","version":1},"id":"f70272b0-c74f-11ed-a68b-6f8500ccee6f","migrationVersion":{"dashboard":"7.9.3"
},"references":[{"id":"a8a6e5c0-c74e-11ed-a68b-6f8500ccee6f","name":"panel_0","type":"visualization"},{"id":"52998510-c74f-11ed-a68b-6f8500ccee6f","name":"panel_1","type":"visualization"},{"id":"a3b734b0-c74f-11ed-a68b-6f8500ccee6f","name":"panel_2","type":"visualization"}],"type":"dashboard","updated_at":"2023-04-25T12:32:41.780Z","version":"WzEzLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Critical severity alerts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Critical severity alerts\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Critical Severity Alerts\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"data.vulnerability.severity:Critical\",\"language\":\"lucene\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"automatic\",\"extendRange\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":1},{\"from\":1,\"to\":2},{\"from\":2,\"to\":3}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"f578e750-c761-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzE0LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"High Severity Alerts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"High Severity Alerts\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"High Severity 
Alerts\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"data.vulnerability.severity:High\",\"language\":\"lucene\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"automatic\",\"extendRange\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Blues\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":1},{\"from\":1,\"to\":2},{\"from\":2,\"to\":3}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"2f6e17a0-c762-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzE1LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Medium Severity Alerts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Medium Severity Alerts\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Medium Severity 
Alerts\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"data.vulnerability.severity:Medium\",\"language\":\"lucene\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"automatic\",\"extendRange\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Greens\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":1},{\"from\":1,\"to\":2},{\"from\":2,\"to\":3}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"3e23cf10-c762-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzE2LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Alert severity","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Alert 
severity\",\"type\":\"area\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.vulnerability.severity\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"area\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"interpolate\":\"cardinal\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"labels\":{}}}"},"id":"6191a210-c762-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","ty
pe":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzE3LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Low Severity Alerts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Low Severity Alerts\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Low Severity Alerts\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"data.vulnerability.severity:Low\",\"language\":\"lucene\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"automatic\",\"extendRange\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Greys\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":1},{\"from\":1,\"to\":2},{\"from\":2,\"to\":3}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60},\"outline\":true}}}"},"id":"456d3220-c762-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzE4LDFd"} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Vulnerabilities heat map","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Vulnerabilities heat map\",\"type\":\"heatmap\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.vulnerability.severity\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"heatmap\",\"addTooltip\":true,\"addLegend\":true,\"enableHover\":false,\"legendPosition\":\"right\",\"times\":[],\"colorsNumber\":4,\"colorSchema\":\"Greens\",\"setColorRange\":false,\"colorsRange\":[],\"invertColors\":false,\"percentageMode\":false,\"valueAxes\":[{\"show\":false,\"id\":\"ValueAxis-1\",\"type\":\"value\",\"scale\":{\"type\":\"linear\",\"defaultYExtents\":false},\"labels\":{\"show\":false,\"rotate\":0,\"overwriteColor\":false,\"color\":\"black\"}}]}}"},"id":"4458bf70-c763-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzE5LDFd"} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Vulnerabilities events","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Vulnerabilities events\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"timestamp\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"agent.name\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.vulnerability.cve\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.vulnerability.cve\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.vulnerability.package.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.vulnerability.package.name\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.vulnerability.package.version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucke
t\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.vulnerability.package.version\"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.vulnerability.severity\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.vulnerability.severity\"},\"schema\":\"bucket\"},{\"id\":\"8\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.id\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"id":"d38ba460-c762-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzIwLDFd"} 
+{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":8,\"i\":\"c4678c05-c58e-498f-9fb8-86b670931003\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"c4678c05-c58e-498f-9fb8-86b670931003\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":8,\"i\":\"594ca739-c190-471b-b2b6-22e69c233d1b\",\"w\":8,\"x\":16,\"y\":0},\"panelIndex\":\"594ca739-c190-471b-b2b6-22e69c233d1b\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":8,\"i\":\"d01a6629-e443-49cf-91a3-c5638aff61bd\",\"w\":8,\"x\":24,\"y\":0},\"panelIndex\":\"d01a6629-e443-49cf-91a3-c5638aff61bd\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"bd0de8bc-0485-449e-9855-59aedd50bc43\",\"w\":24,\"x\":0,\"y\":8},\"panelIndex\":\"bd0de8bc-0485-449e-9855-59aedd50bc43\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":8,\"i\":\"c0bdf80f-5074-40b7-afe5-f08a5e9c3014\",\"w\":8,\"x\":32,\"y\":0},\"panelIndex\":\"c0bdf80f-5074-40b7-afe5-f08a5e9c3014\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":15,\"i\":\"7fa7010e-6f7c-47ab-88dd-4bb2233779d0\",\"w\":24,\"x\":24,\"y\":8},\"panelIndex\":\"7fa7010e-6f7c-47ab-88dd-4bb2233779d0\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{\"hidePanelTitles\":false,\"title\":\"Events\"},\"gridData\":{\"h\":16,\"i\":\"75d0531f-26fe-4436-a32d-b043b362e701\",\"w\":48,\"x\":0,\"y\":23},\"panelIndex\":\"75d0531f-26fe-4436-a32d-b043b362e701\",\"title\":\"Events\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"wazuh-vu
lnerabilities-v1.0","version":1},"id":"4e776290-c763-11ed-a68b-6f8500ccee6f","migrationVersion":{"dashboard":"7.9.3"},"references":[{"id":"f578e750-c761-11ed-a68b-6f8500ccee6f","name":"panel_0","type":"visualization"},{"id":"2f6e17a0-c762-11ed-a68b-6f8500ccee6f","name":"panel_1","type":"visualization"},{"id":"3e23cf10-c762-11ed-a68b-6f8500ccee6f","name":"panel_2","type":"visualization"},{"id":"6191a210-c762-11ed-a68b-6f8500ccee6f","name":"panel_3","type":"visualization"},{"id":"456d3220-c762-11ed-a68b-6f8500ccee6f","name":"panel_4","type":"visualization"},{"id":"4458bf70-c763-11ed-a68b-6f8500ccee6f","name":"panel_5","type":"visualization"},{"id":"d38ba460-c762-11ed-a68b-6f8500ccee6f","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2023-04-25T12:32:41.780Z","version":"WzIxLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Total alerts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Total 
alerts\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Total\"},\"schema\":\"metric\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"automatic\",\"extendRange\":true,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Blues\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":50},{\"from\":50,\"to\":75},{\"from\":75,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"6e52b9a0-c75b-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzIyLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Level 12 or above alerts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Level 12 or above alerts\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Level 12 alerts\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"rule.level:[12 TO 
*]\",\"language\":\"lucene\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"vertical\",\"extendRange\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Yellow to Red\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":1},{\"from\":1,\"to\":2},{\"from\":2,\"to\":3}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"53c84aa0-c75b-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzIzLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Authentication failure","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Authentication failure\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Authentication failure\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"rule.groups:authentication_failed OR rule.groups:win_authentication_failed OR 
rule.groups:authentication_failures\",\"language\":\"lucene\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"automatic\",\"extendRange\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":50},{\"from\":50,\"to\":75},{\"from\":75,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"bdd13830-c75b-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzI0LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Authentication success","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Authentication success\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Authentication 
success\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"rule.groups:authentication_success\",\"language\":\"lucene\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"automatic\",\"extendRange\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Greens\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":1},{\"from\":1,\"to\":2},{\"from\":2,\"to\":3}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"fe649770-c75b-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzI1LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Alert level evolution","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Alert level 
evolution\",\"type\":\"area\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"interpolate\":\"linear\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"labels\":{}}}"},"id":"2911c5f0-c75d-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pa
ttern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzI2LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top MITRE ATT&CKS","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Top MITRE ATT&CKS\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.mitre.technique\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}"},"id":"0ce036a0-c75d-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzI3LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security alerts main","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security alerts 
main\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"timestamp\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"agent.name\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.mitre.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.mitre.id\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.mitre.tactic\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.mitre.tactic\"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.description\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.description\"},\"schema\":\"bucket\"},{\"id\":\"8\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.level\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.level\"}
,\"schema\":\"bucket\"},{\"id\":\"9\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.id\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"id":"8d9dc120-c75f-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzI4LDFd"} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"2.6.0\",\"gridData\":{\"h\":7,\"i\":\"e44a9c01-a2c9-438b-a154-96371c1e2891\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"e44a9c01-a2c9-438b-a154-96371c1e2891\",\"embeddableConfig\":{\"vis\":null},\"panelRefName\":\"panel_0\"},{\"version\":\"2.6.0\",\"gridData\":{\"h\":7,\"i\":\"097d0314-72ee-4cfb-8a0b-b5a61fd76065\",\"w\":8,\"x\":16,\"y\":0},\"panelIndex\":\"097d0314-72ee-4cfb-8a0b-b5a61fd76065\",\"embeddableConfig\":{\"vis\":null},\"panelRefName\":\"panel_1\"},{\"version\":\"2.6.0\",\"gridData\":{\"h\":7,\"i\":\"1e0deab6-69be-4a8b-8945-9e52bc285425\",\"w\":8,\"x\":24,\"y\":0},\"panelIndex\":\"1e0deab6-69be-4a8b-8945-9e52bc285425\",\"embeddableConfig\":{\"vis\":null},\"panelRefName\":\"panel_2\"},{\"version\":\"2.6.0\",\"gridData\":{\"h\":7,\"i\":\"54fc31bf-4bf5-4433-be5e-cd4c60862cea\",\"w\":8,\"x\":32,\"y\":0},\"panelIndex\":\"54fc31bf-4bf5-4433-be5e-cd4c60862cea\",\"embeddableConfig\":{\"vis\":null},\"panelRefName\":\"panel_3\"},{\"version\":\"2.6
.0\",\"gridData\":{\"h\":14,\"i\":\"7ed5bb88-5819-4b2b-8989-8e8a7cc0424e\",\"w\":32,\"x\":0,\"y\":7},\"panelIndex\":\"7ed5bb88-5819-4b2b-8989-8e8a7cc0424e\",\"embeddableConfig\":{\"title\":\"Alert level evolution - Top 5 agents\",\"hidePanelTitles\":false},\"title\":\"Alert level evolution - Top 5 agents\",\"panelRefName\":\"panel_4\"},{\"version\":\"2.6.0\",\"gridData\":{\"h\":14,\"i\":\"fd99c43a-4b02-47b8-b89f-9e1aaf56d158\",\"w\":16,\"x\":32,\"y\":7},\"panelIndex\":\"fd99c43a-4b02-47b8-b89f-9e1aaf56d158\",\"embeddableConfig\":{\"title\":\"Top Mitre ATT&K tactics\",\"hidePanelTitles\":false},\"title\":\"Top Mitre ATT&K tactics\",\"panelRefName\":\"panel_5\"},{\"version\":\"2.6.0\",\"gridData\":{\"h\":18,\"i\":\"a30fe8ed-edb1-4531-9735-7e5fe8dfb61b\",\"w\":48,\"x\":0,\"y\":21},\"panelIndex\":\"a30fe8ed-edb1-4531-9735-7e5fe8dfb61b\",\"embeddableConfig\":{\"title\":\"Security alerts\",\"hidePanelTitles\":false},\"title\":\"Security alerts\",\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"wazuh-security-events-v1.0","version":1},"id":"a22b3850-c761-11ed-a68b-6f8500ccee6f","migrationVersion":{"dashboard":"7.9.3"},"references":[{"id":"6e52b9a0-c75b-11ed-a68b-6f8500ccee6f","name":"panel_0","type":"visualization"},{"id":"53c84aa0-c75b-11ed-a68b-6f8500ccee6f","name":"panel_1","type":"visualization"},{"id":"bdd13830-c75b-11ed-a68b-6f8500ccee6f","name":"panel_2","type":"visualization"},{"id":"fe649770-c75b-11ed-a68b-6f8500ccee6f","name":"panel_3","type":"visualization"},{"id":"2911c5f0-c75d-11ed-a68b-6f8500ccee6f","name":"panel_4","type":"visualization"},{"id":"0ce036a0-c75d-11ed-a68b-6f8500ccee6f","name":"panel_5","type":"visualization"},{"id":"8d9dc120-c75f-11ed-a68b-6f8500ccee6f","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2023-04-25T12:32:41.780Z","version":"WzI5LDFd"} 
+{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Emotet malware activity","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Emotet malware activity\",\"type\":\"area\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"rule.groups:\\\"rootcheck\\\"\",\"language\":\"kuery\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\",\"setYExtents\":false,\"defaultYExtents\":false},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"area\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"interpolate\":\"linear\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"thresholdLine\":{\"show\":false,\"value\":10,\"widt
h\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"labels\":{}}}"},"id":"432de3c0-c752-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzMwLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Rootkits activity over time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Rootkits activity over time\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.title\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"
Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":3,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}"},"id":"a7146210-c752-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzMxLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security alerts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security 
alerts\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"count\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"timestamp\"},\"schema\":\"bucket\"},{\"id\":\"8\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"agent.name\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.mitre.technique\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.mitre.tactic\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.mitre.tactic\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.level\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.level\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.id
\"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.description\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.description\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"id":"eb787860-c752-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzMyLDFd"} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"4653581e-fa04-47ea-a762-e404e5fab8d1\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"4653581e-fa04-47ea-a762-e404e5fab8d1\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"0b6caedd-1e6e-4a5d-8904-13343c868083\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"0b6caedd-1e6e-4a5d-8904-13343c868083\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"ad008586-6a43-4c7b-8a41-93a85d40ee6f\",\"w\":48,\"x\":0,\"y\":15},\"panelIndex\":\"ad008586-6a43-4c7b-8a41-93a85d40ee6f\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_2\"}]","timeRestore":false,"title":"wazuh-malware-detection-v1.0","version":1},"id":"f5c5a590-c752-11ed-a68b-6f8500ccee6f","migrationVersion":{"dashboard":"7.9.3"},"references":[{"id":"432de3c0-c752-11ed-a68b-6f8500ccee6f","name":"panel_0","type":"visualization"},{"id":"a
7146210-c752-11ed-a68b-6f8500ccee6f","name":"panel_1","type":"visualization"},{"id":"eb787860-c752-11ed-a68b-6f8500ccee6f","name":"panel_2","type":"visualization"}],"type":"dashboard","updated_at":"2023-04-25T12:32:41.780Z","version":"WzMzLDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"PCI DSS requirements","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"PCI DSS requirements\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"radius\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.pci_dss\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"lin
e\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":false,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"radiusRatio\":50}}"},"id":"e9144240-c755-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzM0LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Requirements by agent","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Requirements by 
agent\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.pci_dss\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Requirements\"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}"},"id":"300f7e30-c756-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization
","updated_at":"2023-04-25T12:32:41.780Z","version":"WzM1LDFd"} +{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Recent events - PCI DSS","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Recent events - PCI DSS\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"count\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"timestamp\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"agent.name\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.pci_dss\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.pci_dss\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.description\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.description\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.level\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\
",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.level\"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.id\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"id":"767e3190-c756-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzM2LDFd"} +{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"c9e8317f-c49c-4dbc-ae0b-8a7ad4e29f01\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"c9e8317f-c49c-4dbc-ae0b-8a7ad4e29f01\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"910f3189-2b70-402b-a1b6-92192307122f\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"910f3189-2b70-402b-a1b6-92192307122f\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":17,\"i\":\"7e59bccf-af12-4898-8165-ef9ff2bec6de\",\"w\":48,\"x\":0,\"y\":15},\"panelIndex\":\"7e59bccf-af12-4898-8165-ef9ff2bec6de\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_2\"}]","timeRestore":false,"title":"wazuh-pci-dss-v1.0","version":1},"id":"7f10dd80-c756-11ed-a68b-6f8500ccee6f","migrationVersion":{"dashboard":"7.9.3"},"references":[{"id":"e9144240-c755-11ed-a68b-6f
8500ccee6f","name":"panel_0","type":"visualization"},{"id":"300f7e30-c756-11ed-a68b-6f8500ccee6f","name":"panel_1","type":"visualization"},{"id":"767e3190-c756-11ed-a68b-6f8500ccee6f","name":"panel_2","type":"visualization"}],"type":"dashboard","updated_at":"2023-04-25T12:32:41.780Z","version":"WzM3LDFd"} +{"exportedCount":37,"missingRefCount":0,"missingReferences":[]} diff --git a/integrations/opensearch/logstash/pipeline/indexer-to-opensearch.conf b/integrations/opensearch/logstash/pipeline/indexer-to-opensearch.conf new file mode 100644 index 0000000000000..74d88ae5428f7 --- /dev/null +++ b/integrations/opensearch/logstash/pipeline/indexer-to-opensearch.conf @@ -0,0 +1,38 @@ +input { + opensearch { + hosts => ["wazuh.indexer:9200"] + user => "admin" + password => "admin" + index => "wazuh-alerts-4.x-*" + ssl => true + ca_file => "/etc/ssl/root-ca.pem" + query => '{ + "query": { + "range": { + "@timestamp": { + "gt": "now-1m" + } + } + } + }' + schedule => "* * * * *" + } +} +output { + opensearch { + hosts => ["opensearch.node:9200"] + auth_type => { + type => 'basic' + user => 'admin' + password => 'admin' + } + index => "wazuh-alerts-4.x-%{+YYYY.MM.dd}" + ssl => true + cacert => "/etc/ssl/root-ca.pem" + template => '/usr/share/logstash/pipeline/os_template.json' + template_name => 'wazuh' + template_overwrite => true + legacy_template => false + } +} + diff --git a/integrations/opensearch/logstash/pipeline/os_template.json b/integrations/opensearch/logstash/pipeline/os_template.json new file mode 100644 index 0000000000000..1fee33afc4da8 --- /dev/null +++ b/integrations/opensearch/logstash/pipeline/os_template.json 
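Review bot: two panel titles in the wazuh-security-events-v1.0 dashboard read "Top Mitre ATT&K tactics" (both the embeddableConfig title and the panel title); the framework is MITRE ATT&CK, and since these strings are rendered verbatim on the dashboard they should be corrected before this export lands. In the same hunk, the "Emotet malware activity" visualization is built from a single filters aggregation whose only query is `rule.groups:\"rootcheck\"` with an empty label, so it charts every rootcheck alert rather than anything Emotet-specific; either narrow the query to the rule IDs or groups that actually flag Emotet, or retitle the panel so the wazuh-malware-detection-v1.0 dashboard does not overstate what it shows.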
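Review bot: indexer-to-opensearch.conf ships with `user => "admin"` / `password => "admin"` hard-coded in both the opensearch input and the opensearch output. Logstash resolves `${VAR}` references from the environment or its keystore, so `user => "${INDEXER_USERNAME}"` and `password => "${INDEXER_PASSWORD}"` (and a second pair for the destination cluster) keep credentials out of the committed file and make it impossible to deploy the integration on the default admin account by accident; the integration docs should list the variables that must be set. Second, the input polls on `schedule => "* * * * *"` with `"@timestamp": { "gt": "now-1m" }`, a one-minute window read once a minute with no overlap: any scheduler drift or indexing latency on the source cluster silently drops alerts, and simply widening the window would index the same alert twice because the output sets no `document_id`. Set `docinfo => true` on the input so the source `_id` is available in the event metadata (under `@metadata` by default) and use it as `document_id` on the output, e.g. `document_id => "%{[@metadata][_id]}"`; overlapping windows then become idempotent and the range can safely be widened to something like `now-2m`. Minor: both sides set `ssl => true`, but the input names its trust store `ca_file` while the output names it `cacert`; a one-line comment that the two plugins spell the option differently would stop someone "fixing" one to match the other.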
@@ -0,0 +1,2039 @@ +{ + "index_patterns": "wazuh-*", + "template": { + "settings": { + "index": { + "routing": { + "allocation": { + "include": { + "_tier_preference": "data_content" + } + } + }, + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "refresh_interval": "5s", + "number_of_shards": "3", + "auto_expand_replicas": "0-1", + "query": { + "default_field": [ + "GeoLocation.city_name", + "GeoLocation.continent_code", + "GeoLocation.country_code2", + "GeoLocation.country_code3", + "GeoLocation.country_name", + "GeoLocation.ip", + "GeoLocation.postal_code", + "GeoLocation.real_region_name", + "GeoLocation.region_name", + "GeoLocation.timezone", + "agent.id", + "agent.ip", + "agent.name", + "cluster.name", + "cluster.node", + "command", + "data", + "data.action", + "data.audit", + "data.audit.acct", + "data.audit.arch", + "data.audit.auid", + "data.audit.command", + "data.audit.cwd", + "data.audit.dev", + "data.audit.directory.inode", + "data.audit.directory.mode", + "data.audit.directory.name", + "data.audit.egid", + "data.audit.enforcing", + "data.audit.euid", + "data.audit.exe", + "data.audit.execve.a0", + "data.audit.execve.a1", + "data.audit.execve.a2", + "data.audit.execve.a3", + "data.audit.exit", + "data.audit.file.inode", + "data.audit.file.mode", + "data.audit.file.name", + "data.audit.fsgid", + "data.audit.fsuid", + "data.audit.gid", + "data.audit.id", + "data.audit.key", + "data.audit.list", + "data.audit.old-auid", + "data.audit.old-ses", + "data.audit.old_enforcing", + "data.audit.old_prom", + "data.audit.op", + "data.audit.pid", + "data.audit.ppid", + "data.audit.prom", + "data.audit.res", + "data.audit.session", + "data.audit.sgid", + "data.audit.srcip", + "data.audit.subj", + "data.audit.success", + "data.audit.suid", + "data.audit.syscall", + "data.audit.tty", + "data.audit.uid", + "data.aws.accountId", + "data.aws.account_id", + "data.aws.action", + "data.aws.actor", + "data.aws.aws_account_id", + "data.aws.description", + 
"data.aws.dstport", + "data.aws.errorCode", + "data.aws.errorMessage", + "data.aws.eventID", + "data.aws.eventName", + "data.aws.eventSource", + "data.aws.eventType", + "data.aws.id", + "data.aws.name", + "data.aws.requestParameters.accessKeyId", + "data.aws.requestParameters.bucketName", + "data.aws.requestParameters.gatewayId", + "data.aws.requestParameters.groupDescription", + "data.aws.requestParameters.groupId", + "data.aws.requestParameters.groupName", + "data.aws.requestParameters.host", + "data.aws.requestParameters.hostedZoneId", + "data.aws.requestParameters.instanceId", + "data.aws.requestParameters.instanceProfileName", + "data.aws.requestParameters.loadBalancerName", + "data.aws.requestParameters.loadBalancerPorts", + "data.aws.requestParameters.masterUserPassword", + "data.aws.requestParameters.masterUsername", + "data.aws.requestParameters.name", + "data.aws.requestParameters.natGatewayId", + "data.aws.requestParameters.networkAclId", + "data.aws.requestParameters.path", + "data.aws.requestParameters.policyName", + "data.aws.requestParameters.port", + "data.aws.requestParameters.stackId", + "data.aws.requestParameters.stackName", + "data.aws.requestParameters.subnetId", + "data.aws.requestParameters.subnetIds", + "data.aws.requestParameters.volumeId", + "data.aws.requestParameters.vpcId", + "data.aws.resource.accessKeyDetails.accessKeyId", + "data.aws.resource.accessKeyDetails.principalId", + "data.aws.resource.accessKeyDetails.userName", + "data.aws.resource.instanceDetails.instanceId", + "data.aws.resource.instanceDetails.instanceState", + "data.aws.resource.instanceDetails.networkInterfaces.privateDnsName", + "data.aws.resource.instanceDetails.networkInterfaces.publicDnsName", + "data.aws.resource.instanceDetails.networkInterfaces.subnetId", + "data.aws.resource.instanceDetails.networkInterfaces.vpcId", + "data.aws.resource.instanceDetails.tags.value", + "data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId", + 
"data.aws.responseElements.description", + "data.aws.responseElements.instanceId", + "data.aws.responseElements.instances.instanceId", + "data.aws.responseElements.instancesSet.items.instanceId", + "data.aws.responseElements.listeners.port", + "data.aws.responseElements.loadBalancerName", + "data.aws.responseElements.loadBalancers.vpcId", + "data.aws.responseElements.loginProfile.userName", + "data.aws.responseElements.networkAcl.vpcId", + "data.aws.responseElements.ownerId", + "data.aws.responseElements.publicIp", + "data.aws.responseElements.user.userId", + "data.aws.responseElements.user.userName", + "data.aws.responseElements.volumeId", + "data.aws.service.serviceName", + "data.aws.severity", + "data.aws.source", + "data.aws.sourceIPAddress", + "data.aws.srcport", + "data.aws.userIdentity.accessKeyId", + "data.aws.userIdentity.accountId", + "data.aws.userIdentity.userName", + "data.aws.vpcEndpointId", + "data.command", + "data.data", + "data.docker.Actor.Attributes.container", + "data.docker.Actor.Attributes.image", + "data.docker.Actor.Attributes.name", + "data.docker.Actor.ID", + "data.docker.id", + "data.docker.message", + "data.docker.status", + "data.dstip", + "data.dstport", + "data.dstuser", + "data.extra_data", + "data.hardware.serial", + "data.id", + "data.integration", + "data.netinfo.iface.adapter", + "data.netinfo.iface.ipv4.address", + "data.netinfo.iface.ipv6.address", + "data.netinfo.iface.mac", + "data.netinfo.iface.name", + "data.os.architecture", + "data.os.build", + "data.os.codename", + "data.os.hostname", + "data.os.major", + "data.os.minor", + "data.os.name", + "data.os.platform", + "data.os.release", + "data.os.release_version", + "data.os.sysname", + "data.os.version", + "data.oscap.check.description", + "data.oscap.check.id", + "data.oscap.check.identifiers", + "data.oscap.check.oval.id", + "data.oscap.check.rationale", + "data.oscap.check.references", + "data.oscap.check.result", + "data.oscap.check.severity", + 
"data.oscap.check.title", + "data.oscap.scan.benchmark.id", + "data.oscap.scan.content", + "data.oscap.scan.id", + "data.oscap.scan.profile.id", + "data.oscap.scan.profile.title", + "data.osquery.columns.address", + "data.osquery.columns.command", + "data.osquery.columns.description", + "data.osquery.columns.dst_ip", + "data.osquery.columns.gid", + "data.osquery.columns.hostname", + "data.osquery.columns.md5", + "data.osquery.columns.path", + "data.osquery.columns.sha1", + "data.osquery.columns.sha256", + "data.osquery.columns.src_ip", + "data.osquery.columns.user", + "data.osquery.columns.username", + "data.osquery.name", + "data.osquery.pack", + "data.port.process", + "data.port.protocol", + "data.port.state", + "data.process.args", + "data.process.cmd", + "data.process.egroup", + "data.process.euser", + "data.process.fgroup", + "data.process.name", + "data.process.rgroup", + "data.process.ruser", + "data.process.sgroup", + "data.process.state", + "data.process.suser", + "data.program.architecture", + "data.program.description", + "data.program.format", + "data.program.location", + "data.program.multiarch", + "data.program.name", + "data.program.priority", + "data.program.section", + "data.program.source", + "data.program.vendor", + "data.program.version", + "data.protocol", + "data.pwd", + "data.sca", + "data.sca.check.compliance.cis", + "data.sca.check.compliance.cis_csc", + "data.sca.check.compliance.pci_dss", + "data.sca.check.compliance.hipaa", + "data.sca.check.compliance.nist_800_53", + "data.sca.check.description", + "data.sca.check.directory", + "data.sca.check.file", + "data.sca.check.id", + "data.sca.check.previous_result", + "data.sca.check.process", + "data.sca.check.rationale", + "data.sca.check.reason", + "data.sca.check.references", + "data.sca.check.registry", + "data.sca.check.remediation", + "data.sca.check.result", + "data.sca.check.status", + "data.sca.check.title", + "data.sca.description", + "data.sca.file", + "data.sca.invalid", + 
"data.sca.name", + "data.sca.policy", + "data.sca.policy_id", + "data.sca.scan_id", + "data.sca.total_checks", + "data.script", + "data.src_ip", + "data.src_port", + "data.srcip", + "data.srcport", + "data.srcuser", + "data.status", + "data.system_name", + "data.title", + "data.tty", + "data.uid", + "data.url", + "data.virustotal.description", + "data.virustotal.error", + "data.virustotal.found", + "data.virustotal.permalink", + "data.virustotal.scan_date", + "data.virustotal.sha1", + "data.virustotal.source.alert_id", + "data.virustotal.source.file", + "data.virustotal.source.md5", + "data.virustotal.source.sha1", + "data.vulnerability.cve", + "data.vulnerability.cvss.cvss2.base_score", + "data.vulnerability.cvss.cvss2.exploitability_score", + "data.vulnerability.cvss.cvss2.impact_score", + "data.vulnerability.cvss.cvss2.vector.access_complexity", + "data.vulnerability.cvss.cvss2.vector.attack_vector", + "data.vulnerability.cvss.cvss2.vector.authentication", + "data.vulnerability.cvss.cvss2.vector.availability", + "data.vulnerability.cvss.cvss2.vector.confidentiality_impact", + "data.vulnerability.cvss.cvss2.vector.integrity_impact", + "data.vulnerability.cvss.cvss2.vector.privileges_required", + "data.vulnerability.cvss.cvss2.vector.scope", + "data.vulnerability.cvss.cvss2.vector.user_interaction", + "data.vulnerability.cvss.cvss3.base_score", + "data.vulnerability.cvss.cvss3.exploitability_score", + "data.vulnerability.cvss.cvss3.impact_score", + "data.vulnerability.cvss.cvss3.vector.access_complexity", + "data.vulnerability.cvss.cvss3.vector.attack_vector", + "data.vulnerability.cvss.cvss3.vector.authentication", + "data.vulnerability.cvss.cvss3.vector.availability", + "data.vulnerability.cvss.cvss3.vector.confidentiality_impact", + "data.vulnerability.cvss.cvss3.vector.integrity_impact", + "data.vulnerability.cvss.cvss3.vector.privileges_required", + "data.vulnerability.cvss.cvss3.vector.scope", + "data.vulnerability.cvss.cvss3.vector.user_interaction", + 
"data.vulnerability.cwe_reference", + "data.vulnerability.package.source", + "data.vulnerability.package.architecture", + "data.vulnerability.package.condition", + "data.vulnerability.package.generated_cpe", + "data.vulnerability.package.name", + "data.vulnerability.package.version", + "data.vulnerability.rationale", + "data.vulnerability.severity", + "data.vulnerability.title", + "data.vulnerability.assigner", + "data.vulnerability.cve_version", + "data.win.eventdata.auditPolicyChanges", + "data.win.eventdata.auditPolicyChangesId", + "data.win.eventdata.binary", + "data.win.eventdata.category", + "data.win.eventdata.categoryId", + "data.win.eventdata.data", + "data.win.eventdata.image", + "data.win.eventdata.ipAddress", + "data.win.eventdata.ipPort", + "data.win.eventdata.keyName", + "data.win.eventdata.logonGuid", + "data.win.eventdata.logonProcessName", + "data.win.eventdata.operation", + "data.win.eventdata.parentImage", + "data.win.eventdata.processId", + "data.win.eventdata.processName", + "data.win.eventdata.providerName", + "data.win.eventdata.returnCode", + "data.win.eventdata.service", + "data.win.eventdata.status", + "data.win.eventdata.subcategory", + "data.win.eventdata.subcategoryGuid", + "data.win.eventdata.subcategoryId", + "data.win.eventdata.subjectDomainName", + "data.win.eventdata.subjectLogonId", + "data.win.eventdata.subjectUserName", + "data.win.eventdata.subjectUserSid", + "data.win.eventdata.targetDomainName", + "data.win.eventdata.targetLinkedLogonId", + "data.win.eventdata.targetLogonId", + "data.win.eventdata.targetUserName", + "data.win.eventdata.targetUserSid", + "data.win.eventdata.workstationName", + "data.win.system.channel", + "data.win.system.computer", + "data.win.system.eventID", + "data.win.system.eventRecordID", + "data.win.system.eventSourceName", + "data.win.system.keywords", + "data.win.system.level", + "data.win.system.message", + "data.win.system.opcode", + "data.win.system.processID", + "data.win.system.providerGuid", + 
"data.win.system.providerName", + "data.win.system.securityUserID", + "data.win.system.severityValue", + "data.win.system.userID", + "decoder.ftscomment", + "decoder.name", + "decoder.parent", + "full_log", + "host", + "id", + "input", + "location", + "manager.name", + "message", + "offset", + "predecoder.hostname", + "predecoder.program_name", + "previous_log", + "previous_output", + "program_name", + "rule.cis", + "rule.cve", + "rule.description", + "rule.gdpr", + "rule.gpg13", + "rule.groups", + "rule.id", + "rule.info", + "rule.mitre.id", + "rule.mitre.tactic", + "rule.mitre.technique", + "rule.pci_dss", + "rule.hipaa", + "rule.nist_800_53", + "syscheck.audit.effective_user.id", + "syscheck.audit.effective_user.name", + "syscheck.audit.group.id", + "syscheck.audit.group.name", + "syscheck.audit.login_user.id", + "syscheck.audit.login_user.name", + "syscheck.audit.process.id", + "syscheck.audit.process.name", + "syscheck.audit.process.ppid", + "syscheck.audit.user.id", + "syscheck.audit.user.name", + "syscheck.diff", + "syscheck.event", + "syscheck.gid_after", + "syscheck.gid_before", + "syscheck.gname_after", + "syscheck.gname_before", + "syscheck.inode_after", + "syscheck.inode_before", + "syscheck.md5_after", + "syscheck.md5_before", + "syscheck.path", + "syscheck.mode", + "syscheck.perm_after", + "syscheck.perm_before", + "syscheck.sha1_after", + "syscheck.sha1_before", + "syscheck.sha256_after", + "syscheck.sha256_before", + "syscheck.tags", + "syscheck.uid_after", + "syscheck.uid_before", + "syscheck.uname_after", + "syscheck.uname_before", + "title", + "type" + ] + }, + "number_of_replicas": "0" + } + }, + "mappings": { + "dynamic_templates": [ + { + "string_as_keyword": { + "match_mapping_type": "string", + "mapping": { + "type": "keyword" + } + } + } + ], + "date_detection": false, + "properties": { + "@timestamp": { + "type": "date" + }, + "@version": { + "type": "text" + }, + "GeoLocation": { + "properties": { + "area_code": { + "type": "long" + }, + 
"city_name": { + "type": "keyword" + }, + "continent_code": { + "type": "text" + }, + "coordinates": { + "type": "double" + }, + "country_code2": { + "type": "text" + }, + "country_code3": { + "type": "text" + }, + "country_name": { + "type": "keyword" + }, + "dma_code": { + "type": "long" + }, + "ip": { + "type": "keyword" + }, + "latitude": { + "type": "double" + }, + "location": { + "type": "geo_point" + }, + "longitude": { + "type": "double" + }, + "postal_code": { + "type": "keyword" + }, + "real_region_name": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + }, + "timezone": { + "type": "text" + } + } + }, + "agent": { + "properties": { + "id": { + "type": "keyword" + }, + "ip": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "cluster": { + "properties": { + "name": { + "type": "keyword" + }, + "node": { + "type": "keyword" + } + } + }, + "command": { + "type": "keyword" + }, + "data": { + "properties": { + "action": { + "type": "keyword" + }, + "audit": { + "properties": { + "acct": { + "type": "keyword" + }, + "arch": { + "type": "keyword" + }, + "auid": { + "type": "keyword" + }, + "command": { + "type": "keyword" + }, + "cwd": { + "type": "keyword" + }, + "dev": { + "type": "keyword" + }, + "directory": { + "properties": { + "inode": { + "type": "keyword" + }, + "mode": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "egid": { + "type": "keyword" + }, + "enforcing": { + "type": "keyword" + }, + "euid": { + "type": "keyword" + }, + "exe": { + "type": "keyword" + }, + "execve": { + "properties": { + "a0": { + "type": "keyword" + }, + "a1": { + "type": "keyword" + }, + "a2": { + "type": "keyword" + }, + "a3": { + "type": "keyword" + } + } + }, + "exit": { + "type": "keyword" + }, + "file": { + "properties": { + "inode": { + "type": "keyword" + }, + "mode": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "fsgid": { + "type": "keyword" + }, + "fsuid": { + "type": 
"keyword" + }, + "gid": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "key": { + "type": "keyword" + }, + "list": { + "type": "keyword" + }, + "old-auid": { + "type": "keyword" + }, + "old-ses": { + "type": "keyword" + }, + "old_enforcing": { + "type": "keyword" + }, + "old_prom": { + "type": "keyword" + }, + "op": { + "type": "keyword" + }, + "pid": { + "type": "keyword" + }, + "ppid": { + "type": "keyword" + }, + "prom": { + "type": "keyword" + }, + "res": { + "type": "keyword" + }, + "session": { + "type": "keyword" + }, + "sgid": { + "type": "keyword" + }, + "srcip": { + "type": "keyword" + }, + "subj": { + "type": "keyword" + }, + "success": { + "type": "keyword" + }, + "suid": { + "type": "keyword" + }, + "syscall": { + "type": "keyword" + }, + "tty": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "uid": { + "type": "keyword" + } + } + }, + "aws": { + "properties": { + "accountId": { + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "createdAt": { + "type": "date" + }, + "dstaddr": { + "type": "ip" + }, + "end": { + "type": "date" + }, + "log_info": { + "properties": { + "s3bucket": { + "type": "keyword" + } + } + }, + "region": { + "type": "keyword" + }, + "resource": { + "properties": { + "instanceDetails": { + "properties": { + "launchTime": { + "type": "date" + }, + "networkInterfaces": { + "properties": { + "privateIpAddress": { + "type": "ip" + }, + "publicIp": { + "type": "ip" + } + } + } + } + } + } + }, + "service": { + "properties": { + "action": { + "properties": { + "networkConnectionAction": { + "properties": { + "remoteIpDetails": { + "properties": { + "geoLocation": { + "type": "geo_point" + }, + "ipAddressV4": { + "type": "ip" + } + } + } + } + } + } + }, + "count": { + "type": "long" + }, + "eventFirstSeen": { + "type": "date" + }, + "eventLastSeen": { + "type": "date" + } + } + }, + "source": { + "type": "keyword" + }, + "source_ip_address": { + "type": "ip" + }, + "srcaddr": { + "type": "ip" 
+ }, + "start": { + "type": "date" + }, + "updatedAt": { + "type": "date" + } + } + }, + "cis": { + "properties": { + "benchmark": { + "type": "keyword" + }, + "error": { + "type": "long" + }, + "fail": { + "type": "long" + }, + "group": { + "type": "keyword" + }, + "notchecked": { + "type": "long" + }, + "pass": { + "type": "long" + }, + "result": { + "type": "keyword" + }, + "rule_title": { + "type": "keyword" + }, + "score": { + "type": "long" + }, + "timestamp": { + "type": "keyword" + }, + "unknown": { + "type": "long" + } + } + }, + "command": { + "type": "keyword" + }, + "data": { + "type": "keyword" + }, + "docker": { + "properties": { + "Action": { + "type": "keyword" + }, + "Actor": { + "properties": { + "Attributes": { + "properties": { + "image": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + } + } + }, + "Type": { + "type": "keyword" + } + } + }, + "dstip": { + "type": "keyword" + }, + "dstport": { + "type": "keyword" + }, + "dstuser": { + "type": "keyword" + }, + "extra_data": { + "type": "keyword" + }, + "gcp": { + "properties": { + "jsonPayload": { + "properties": { + "authAnswer": { + "type": "keyword" + }, + "queryName": { + "type": "keyword" + }, + "responseCode": { + "type": "keyword" + }, + "vmInstanceId": { + "type": "keyword" + }, + "vmInstanceName": { + "type": "keyword" + } + } + }, + "resource": { + "properties": { + "labels": { + "properties": { + "location": { + "type": "keyword" + }, + "project_id": { + "type": "keyword" + }, + "source_type": { + "type": "keyword" + } + } + }, + "type": { + "type": "keyword" + } + } + }, + "severity": { + "type": "keyword" + } + } + }, + "github": { + "properties": { + "action": { + "type": "keyword" + }, + "actor": { + "type": "keyword" + }, + "actor_location": { + "properties": { + "country_code": { + "type": "keyword" + } + } + }, + "org": { + "type": "keyword" + }, + "repo": { + "type": "keyword" + } + } + }, + "hardware": { + "properties": { + "cpu_cores": { + "type": "long" + 
}, + "cpu_mhz": { + "type": "double" + }, + "cpu_name": { + "type": "keyword" + }, + "ram_free": { + "type": "long" + }, + "ram_total": { + "type": "long" + }, + "ram_usage": { + "type": "long" + }, + "serial": { + "type": "keyword" + } + } + }, + "id": { + "type": "keyword" + }, + "integration": { + "type": "keyword" + }, + "netinfo": { + "properties": { + "iface": { + "properties": { + "adapter": { + "type": "keyword" + }, + "ipv4": { + "properties": { + "address": { + "type": "keyword" + }, + "broadcast": { + "type": "keyword" + }, + "dhcp": { + "type": "keyword" + }, + "gateway": { + "type": "keyword" + }, + "metric": { + "type": "long" + }, + "netmask": { + "type": "keyword" + } + } + }, + "ipv6": { + "properties": { + "address": { + "type": "keyword" + }, + "broadcast": { + "type": "keyword" + }, + "dhcp": { + "type": "keyword" + }, + "gateway": { + "type": "keyword" + }, + "metric": { + "type": "long" + }, + "netmask": { + "type": "keyword" + } + } + }, + "mac": { + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "type": "keyword" + }, + "rx_bytes": { + "type": "long" + }, + "rx_dropped": { + "type": "long" + }, + "rx_errors": { + "type": "long" + }, + "rx_packets": { + "type": "long" + }, + "state": { + "type": "keyword" + }, + "tx_bytes": { + "type": "long" + }, + "tx_dropped": { + "type": "long" + }, + "tx_errors": { + "type": "long" + }, + "tx_packets": { + "type": "long" + }, + "type": { + "type": "keyword" + } + } + } + } + }, + "office365": { + "properties": { + "Actor": { + "properties": { + "ID": { + "type": "keyword" + } + } + }, + "ClientIP": { + "type": "keyword" + }, + "Operation": { + "type": "keyword" + }, + "ResultStatus": { + "type": "keyword" + }, + "Subscription": { + "type": "keyword" + }, + "UserId": { + "type": "keyword" + } + } + }, + "os": { + "properties": { + "architecture": { + "type": "keyword" + }, + "build": { + "type": "keyword" + }, + "codename": { + "type": "keyword" + }, + "display_version": { + "type": 
"keyword" + }, + "hostname": { + "type": "keyword" + }, + "major": { + "type": "keyword" + }, + "minor": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "patch": { + "type": "keyword" + }, + "platform": { + "type": "keyword" + }, + "release": { + "type": "keyword" + }, + "release_version": { + "type": "keyword" + }, + "sysname": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "oscap": { + "properties": { + "check": { + "properties": { + "description": { + "type": "text" + }, + "id": { + "type": "keyword" + }, + "identifiers": { + "type": "text" + }, + "oval": { + "properties": { + "id": { + "type": "keyword" + } + } + }, + "rationale": { + "type": "text" + }, + "references": { + "type": "text" + }, + "result": { + "type": "keyword" + }, + "severity": { + "type": "keyword" + }, + "title": { + "type": "keyword" + } + } + }, + "scan": { + "properties": { + "benchmark": { + "properties": { + "id": { + "type": "keyword" + } + } + }, + "content": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "profile": { + "properties": { + "id": { + "type": "keyword" + }, + "title": { + "type": "keyword" + } + } + }, + "return_code": { + "type": "long" + }, + "score": { + "type": "double" + } + } + } + } + }, + "osquery": { + "properties": { + "action": { + "type": "keyword" + }, + "calendarTime": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "pack": { + "type": "keyword" + } + } + }, + "port": { + "properties": { + "inode": { + "type": "long" + }, + "local_ip": { + "type": "ip" + }, + "local_port": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "process": { + "type": "keyword" + }, + "protocol": { + "type": "keyword" + }, + "remote_ip": { + "type": "ip" + }, + "remote_port": { + "type": "long" + }, + "rx_queue": { + "type": "long" + }, + "state": { + "type": "keyword" + }, + "tx_queue": { + "type": "long" + } + } + }, + "process": { + "properties": { + "args": { + "type": "keyword" + }, + 
"cmd": { + "type": "keyword" + }, + "egroup": { + "type": "keyword" + }, + "euser": { + "type": "keyword" + }, + "fgroup": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "nice": { + "type": "long" + }, + "nlwp": { + "type": "long" + }, + "pgrp": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "priority": { + "type": "long" + }, + "processor": { + "type": "long" + }, + "resident": { + "type": "long" + }, + "rgroup": { + "type": "keyword" + }, + "ruser": { + "type": "keyword" + }, + "session": { + "type": "long" + }, + "sgroup": { + "type": "keyword" + }, + "share": { + "type": "long" + }, + "size": { + "type": "long" + }, + "start_time": { + "type": "long" + }, + "state": { + "type": "keyword" + }, + "stime": { + "type": "long" + }, + "suser": { + "type": "keyword" + }, + "tgid": { + "type": "long" + }, + "tty": { + "type": "long" + }, + "utime": { + "type": "long" + }, + "vm_size": { + "type": "long" + } + } + }, + "program": { + "properties": { + "architecture": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "format": { + "type": "keyword" + }, + "install_time": { + "type": "keyword" + }, + "location": { + "type": "keyword" + }, + "multiarch": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "priority": { + "type": "keyword" + }, + "section": { + "type": "keyword" + }, + "size": { + "type": "long" + }, + "source": { + "type": "keyword" + }, + "vendor": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "protocol": { + "type": "keyword" + }, + "sca": { + "properties": { + "check": { + "properties": { + "compliance": { + "properties": { + "cis": { + "type": "keyword" + }, + "cis_csc": { + "type": "keyword" + }, + "hipaa": { + "type": "keyword" + }, + "nist_800_53": { + "type": "keyword" + }, + "pci_dss": { + "type": "keyword" + } + } + }, + "description": { + "type": "keyword" + }, + "directory": { + "type": "keyword" + }, + "file": { 
+ "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "previous_result": { + "type": "keyword" + }, + "process": { + "type": "keyword" + }, + "rationale": { + "type": "keyword" + }, + "reason": { + "type": "keyword" + }, + "references": { + "type": "keyword" + }, + "registry": { + "type": "keyword" + }, + "remediation": { + "type": "keyword" + }, + "result": { + "type": "keyword" + }, + "title": { + "type": "keyword" + } + } + }, + "description": { + "type": "keyword" + }, + "failed": { + "type": "integer" + }, + "file": { + "type": "keyword" + }, + "invalid": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "passed": { + "type": "integer" + }, + "policy": { + "type": "keyword" + }, + "policy_id": { + "type": "keyword" + }, + "scan_id": { + "type": "keyword" + }, + "score": { + "type": "long" + }, + "total_checks": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "srcip": { + "type": "keyword" + }, + "srcport": { + "type": "keyword" + }, + "srcuser": { + "type": "keyword" + }, + "status": { + "type": "keyword" + }, + "system_name": { + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "title": { + "type": "keyword" + }, + "type": { + "type": "keyword" + }, + "uid": { + "type": "keyword" + }, + "url": { + "type": "keyword" + }, + "virustotal": { + "properties": { + "description": { + "type": "keyword" + }, + "error": { + "type": "keyword" + }, + "found": { + "type": "keyword" + }, + "malicious": { + "type": "keyword" + }, + "permalink": { + "type": "keyword" + }, + "positives": { + "type": "keyword" + }, + "scan_date": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + }, + "source": { + "properties": { + "alert_id": { + "type": "keyword" + }, + "file": { + "type": "keyword" + }, + "md5": { + "type": "keyword" + }, + "sha1": { + "type": "keyword" + } + } + }, + "total": { + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "assigner": { + "type": "keyword" + }, + "cve": { 
+ "type": "keyword" + }, + "cve_version": { + "type": "keyword" + }, + "cvss": { + "properties": { + "cvss2": { + "properties": { + "base_score": { + "type": "keyword" + }, + "exploitability_score": { + "type": "keyword" + }, + "impact_score": { + "type": "keyword" + }, + "vector": { + "properties": { + "access_complexity": { + "type": "keyword" + }, + "attack_vector": { + "type": "keyword" + }, + "authentication": { + "type": "keyword" + }, + "availability": { + "type": "keyword" + }, + "confidentiality_impact": { + "type": "keyword" + }, + "integrity_impact": { + "type": "keyword" + }, + "privileges_required": { + "type": "keyword" + }, + "scope": { + "type": "keyword" + }, + "user_interaction": { + "type": "keyword" + } + } + } + } + }, + "cvss3": { + "properties": { + "base_score": { + "type": "keyword" + }, + "exploitability_score": { + "type": "keyword" + }, + "impact_score": { + "type": "keyword" + }, + "vector": { + "properties": { + "access_complexity": { + "type": "keyword" + }, + "attack_vector": { + "type": "keyword" + }, + "authentication": { + "type": "keyword" + }, + "availability": { + "type": "keyword" + }, + "confidentiality_impact": { + "type": "keyword" + }, + "integrity_impact": { + "type": "keyword" + }, + "privileges_required": { + "type": "keyword" + }, + "scope": { + "type": "keyword" + }, + "user_interaction": { + "type": "keyword" + } + } + } + } + } + } + }, + "cwe_reference": { + "type": "keyword" + }, + "package": { + "properties": { + "architecture": { + "type": "keyword" + }, + "condition": { + "type": "keyword" + }, + "generated_cpe": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "source": { + "type": "keyword" + }, + "version": { + "type": "keyword" + } + } + }, + "published": { + "type": "date" + }, + "rationale": { + "type": "keyword" + }, + "severity": { + "type": "keyword" + }, + "title": { + "type": "keyword" + }, + "updated": { + "type": "date" + } + } + } + } + }, + "decoder": { + "properties": { + 
"accumulate": { + "type": "long" + }, + "fts": { + "type": "long" + }, + "ftscomment": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "parent": { + "type": "keyword" + } + } + }, + "full_log": { + "type": "text" + }, + "host": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "input": { + "properties": { + "type": { + "type": "keyword" + } + } + }, + "location": { + "type": "keyword" + }, + "manager": { + "properties": { + "name": { + "type": "keyword" + } + } + }, + "message": { + "type": "text" + }, + "offset": { + "type": "keyword" + }, + "predecoder": { + "properties": { + "hostname": { + "type": "keyword" + }, + "program_name": { + "type": "keyword" + }, + "timestamp": { + "type": "keyword" + } + } + }, + "previous_log": { + "type": "text" + }, + "previous_output": { + "type": "keyword" + }, + "program_name": { + "type": "keyword" + }, + "rule": { + "properties": { + "cis": { + "type": "keyword" + }, + "cve": { + "type": "keyword" + }, + "description": { + "type": "keyword" + }, + "firedtimes": { + "type": "long" + }, + "frequency": { + "type": "long" + }, + "gdpr": { + "type": "keyword" + }, + "gpg13": { + "type": "keyword" + }, + "groups": { + "type": "keyword" + }, + "hipaa": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "info": { + "type": "keyword" + }, + "level": { + "type": "long" + }, + "mail": { + "type": "boolean" + }, + "mitre": { + "properties": { + "id": { + "type": "keyword" + }, + "tactic": { + "type": "keyword" + }, + "technique": { + "type": "keyword" + } + } + }, + "nist_800_53": { + "type": "keyword" + }, + "pci_dss": { + "type": "keyword" + }, + "tsc": { + "type": "keyword" + } + } + }, + "syscheck": { + "properties": { + "audit": { + "properties": { + "effective_user": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "group": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + 
"login_user": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + }, + "process": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "ppid": { + "type": "keyword" + } + } + }, + "user": { + "properties": { + "id": { + "type": "keyword" + }, + "name": { + "type": "keyword" + } + } + } + } + }, + "diff": { + "type": "keyword" + }, + "event": { + "type": "keyword" + }, + "gid_after": { + "type": "keyword" + }, + "gid_before": { + "type": "keyword" + }, + "gname_after": { + "type": "keyword" + }, + "gname_before": { + "type": "keyword" + }, + "hard_links": { + "type": "keyword" + }, + "inode_after": { + "type": "keyword" + }, + "inode_before": { + "type": "keyword" + }, + "md5_after": { + "type": "keyword" + }, + "md5_before": { + "type": "keyword" + }, + "mode": { + "type": "keyword" + }, + "mtime_after": { + "type": "date", + "format": "date_optional_time" + }, + "mtime_before": { + "type": "date", + "format": "date_optional_time" + }, + "path": { + "type": "keyword" + }, + "perm_after": { + "type": "keyword" + }, + "perm_before": { + "type": "keyword" + }, + "sha1_after": { + "type": "keyword" + }, + "sha1_before": { + "type": "keyword" + }, + "sha256_after": { + "type": "keyword" + }, + "sha256_before": { + "type": "keyword" + }, + "size_after": { + "type": "long" + }, + "size_before": { + "type": "long" + }, + "tags": { + "type": "keyword" + }, + "uid_after": { + "type": "keyword" + }, + "uid_before": { + "type": "keyword" + }, + "uname_after": { + "type": "keyword" + }, + "uname_before": { + "type": "keyword" + } + } + }, + "timestamp": { + "type": "date", + "format": "date_optional_time||epoch_millis" + }, + "title": { + "type": "keyword" + }, + "type": { + "type": "text" + } + } + }, + "aliases": {} + }, + "version": 1 +} diff --git a/integrations/opensearch/opensearch.yml b/integrations/opensearch/opensearch.yml new file mode 100644 index 0000000000000..442c0b707f2ec 
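Review bot: the `cvss2.vector` and `cvss3.vector` objects under `data.vulnerability.cvss` are identical copies, so `cvss2` ends up with the v3-only attributes (`privileges_required`, `scope`, `user_interaction`) and `cvss3` with the v2-only ones (`authentication`, `access_complexity`); each version should list only the attributes it defines. Separately, the numeric scores (`cvss2`/`cvss3` `base_score`, `exploitability_score`, `impact_score`, and `data.virustotal.positives`/`total`) are mapped as `keyword`, which rules out range filters such as "base score at or above 7" in detections and dashboards; `float` (scores) and `integer` (counts) would keep that possible. `"number_of_replicas": "0"` is acceptable for the single-node integration environment but deserves a comment saying so, since a template is the kind of file that gets copied into production.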
--- /dev/null +++ b/integrations/opensearch/opensearch.yml @@ -0,0 +1,39 @@ +network.host: "0.0.0.0" +node.name: "opensearch" +compatibility.override_main_response_version: true +plugins.security.ssl.http.pemcert_filepath: /usr/share/opensearch/config/certs/opensearch.pem +plugins.security.ssl.http.pemkey_filepath: /usr/share/opensearch/config/certs/opensearch.key +plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/opensearch/config/certs/root-ca.pem +plugins.security.ssl.transport.pemcert_filepath: /usr/share/opensearch/config/certs/opensearch.pem +plugins.security.ssl.transport.pemkey_filepath: /usr/share/opensearch/config/certs/opensearch.key +plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/opensearch/config/certs/root-ca.pem +plugins.security.ssl.http.enabled: true +plugins.security.ssl.transport.enforce_hostname_verification: false +plugins.security.ssl.transport.resolve_hostname: false +plugins.security.authcz.admin_dn: + - "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" +plugins.security.check_snapshot_restore_write_privileges: true +plugins.security.enable_snapshot_restore_privilege: true +plugins.security.nodes_dn: + - "CN=opensearch.node,OU=Wazuh,O=Wazuh,L=California,C=US" +plugins.security.restapi.roles_enabled: + - "all_access" + - "security_rest_api_access" +plugins.security.system_indices.enabled: true +plugins.security.system_indices.indices: + [ + ".opendistro-alerting-config", + ".opendistro-alerting-alert*", + ".opendistro-anomaly-results*", + ".opendistro-anomaly-detector*", + ".opendistro-anomaly-checkpoints", + ".opendistro-anomaly-detection-state", + ".opendistro-reports-*", + ".opendistro-notifications-*", + ".opendistro-notebooks", + ".opensearch-observability", + ".opendistro-asynchronous-search-response*", + ".replication-metadata-store", + ] +plugins.security.allow_default_init_securityindex: true +cluster.routing.allocation.disk.threshold_enabled: false 
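Review bot: this node config weakens several defaults without saying why: `plugins.security.ssl.transport.enforce_hostname_verification: false` and `resolve_hostname: false` mean a peer presenting any certificate signed by `root-ca.pem` is accepted on the transport layer regardless of the name in it, `network.host: "0.0.0.0"` binds every interface, `allow_default_init_securityindex: true` seeds the security index with the bundled demo users, and `cluster.routing.allocation.disk.threshold_enabled: false` switches off disk watermarks. All of that is reasonable for a throwaway Docker Compose test, but the file carries no comment marking it development-only; add a header comment to that effect, and consider leaving hostname verification enabled since the `nodes_dn` entry already pins `CN=opensearch.node`, which is the name the cert should carry.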
diff --git a/integrations/opensearch/opensearch_dashboards.yml b/integrations/opensearch/opensearch_dashboards.yml new file mode 100644 index 0000000000000..316ebabcf1179 --- /dev/null +++ b/integrations/opensearch/opensearch_dashboards.yml @@ -0,0 +1,21 @@ +server.host: 0.0.0.0 +server.port: 5601 +opensearch.hosts: https://opensearch.node:9200 +opensearch.ssl.verificationMode: certificate +#osd 1.2.4 +# opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"] +# +# osd 2.0 +opensearch.requestHeadersAllowlist: ["securitytenant", "Authorization"] +# +opensearch_security.multitenancy.enabled: false +opensearch_security.readonly_mode.roles: ["kibana_read_only"] +server.ssl.enabled: true +server.ssl.key: "/usr/share/opensearch-dashboards/config/certs/opensearch.key" +server.ssl.certificate: "/usr/share/opensearch-dashboards/config/certs/opensearch.pem" +opensearch.ssl.certificateAuthorities: + ["/usr/share/opensearch-dashboards/config/certs/root-ca.pem"] +opensearch.username: "kibanaserver" +opensearch.password: "kibanaserver" +opensearchDashboards.branding: + useExpandedHeader: false diff --git a/integrations/splunk/README.md b/integrations/splunk/README.md new file mode 100644 index 0000000000000..1e8be6a1e2996 --- /dev/null +++ b/integrations/splunk/README.md 
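Review bot: `opensearch.ssl.verificationMode: certificate` validates the chain but not the hostname, while `opensearch.hosts` already uses the fixed name `https://opensearch.node:9200`; `full` would be the safer choice if the node certificate carries that name. `opensearch.username`/`opensearch.password` are the `kibanaserver` defaults in plain text; fine for the demo security index this environment seeds, but a comment stating that (and that they must be rotated outside the test setup) is missing. The commented `osd 1.2.4` block (`opensearch.requestHeadersWhitelist`) is dead config now that `opensearch.requestHeadersAllowlist` is set and can be dropped.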
@@ -0,0 +1,57 @@ +# Wazuh to Splunk Integration Developer Guide + +This document describes how to prepare a Docker Compose environment to test the integration between Wazuh and Splunk. For a detailed guide on how to integrate Wazuh with Splunk, please refer to the [Wazuh documentation](https://documentation.wazuh.com/current/integrations-guide/splunk/index.html). + +## Requirements + +- Docker and Docker Compose installed. + +## Usage + +1. Clone the Wazuh repository and navigate to the `integrations/` folder. +2. Run the following command to start the environment: + ```bash + docker compose -f ./docker/compose.indexer-splunk.yml up -d + ``` +3. If you prefer, you can start the integration with the Wazuh Manager as data source: + ```bash + docker compose -f ./docker/compose.manager-splunk.yml up -d + ``` + +The Docker Compose project will bring up the following services: + +- 1x Events Generator (learn more in [wazuh-indexer/integrations/tools/events-generator](../tools/events-generator/README.md)). +- 1x Wazuh Indexer (OpenSearch). +- 1x Logstash +- 1x Splunk +- 1x Wazuh Manager (optional). + +For custom configurations, you may need to modify these files: + +- [docker/compose.indexer-splunk.yml](../docker/compose.indexer-splunk.yml): Docker Compose file. +- [docker/.env](../docker/.env): Environment variables file. +- [splunk/logstash/pipeline/indexer-to-splunk.conf](./logstash/pipeline/indexer-to-splunk.conf): Logstash Pipeline configuration file. + +If you opted to start the integration with the Wazuh Manager, you can modify the following files: + +- [docker/compose.manager-splunk.yml](../docker/compose.manager-splunk.yml): Docker Compose file. +- [splunk/logstash/pipeline/manager-to-splunk.conf](./logstash/pipeline/manager-to-splunk.conf): Logstash Pipeline configuration file. + +Check the files above for **credentials**, ports, and other configurations. 
+ +| Service | Address | Credentials | +| ------------- | ---------------------- | ------------------- | +| Wazuh Indexer | https://localhost:9200 | admin:admin | +| Splunk | https://localhost:8000 | admin:Password.1234 | + +## Importing the dashboards + +The dashboards for Splunk are included in this folder. The steps to import them to Splunk are the following: + +- In the Splunk UI, go to `Settings` > `Data Inputs` > `HTTP Event Collector` and make sure that the `hec` token is enabled and uses the `wazuh-alerts` index. +- Open a dashboard file and copy all its content. +- In the Splunk UI, navigate to `Search & Reporting`, `Dashboards`, click `Create New Dashboard`, write the title and select `Dashboard Studio`, select `Grid` and click on `Create`. +- On the top menu, there is a `Source` icon. Click on it, and replace all the content with the copied content from the dashboard file. After that, click on `Back` and click on `Save`. +- Repeat the steps for all the desired dashboards. + +Imported dashboards will appear under `Search & Reporting` > `Dashboards`. diff --git a/integrations/splunk/cfssl/ca.json b/integrations/splunk/cfssl/ca.json new file mode 100644 index 0000000000000..8a96a70a42c42 --- /dev/null +++ b/integrations/splunk/cfssl/ca.json @@ -0,0 +1,15 @@ +{ + "CN": "Wazuh", + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "C": "US", + "L": "San Francisco", + "O": "Wazuh", + "OU": "Wazuh Root CA" + } + ] +} diff --git a/integrations/splunk/cfssl/cfssl.json b/integrations/splunk/cfssl/cfssl.json new file mode 100644 index 0000000000000..d23daf762100e --- /dev/null +++ b/integrations/splunk/cfssl/cfssl.json 
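Review bot: step 1 says "Clone the Wazuh repository", but the compose files and the `integrations/` folder referenced in steps 2 and 3 live in this repository (wazuh-indexer); naming it avoids sending readers to the wrong checkout. The credentials table lists `admin:admin` and `admin:Password.1234` without stating that they are development defaults for this Compose project only, and the "Importing the dashboards" step that depends on the `hec` token never says where that token is configured (it is the `hec.token` value in `config/default.yml` added in this same patch); a one-line pointer there would save a search.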
@@ -0,0 +1,58 @@ +{ + "signing": { + "default": { + "expiry": "8760h" + }, + "profiles": { + "intermediate_ca": { + "usages": [ + "signing", + "digital signature", + "key encipherment", + "cert sign", + "crl sign", + "server auth", + "client auth" + ], + "expiry": "8760h", + "ca_constraint": { + "is_ca": true, + "max_path_len": 0, + "max_path_len_zero": true + } + }, + "peer": { + "usages": [ + "signing", + "digital signature", + "key encipherment", + "data encipherment", + "client auth", + "server auth" + ], + "expiry": "8760h" + }, + "server": { + "usages": [ + "signing", + "digital signing", + "key encipherment", + "data encipherment", + "server auth" + ], + "expiry": "8760h" + }, + "client": { + "usages": [ + "signing", + "digital signature", + "key encipherment", + "data encipherment", + "client auth" + ], + "expiry": "8760h" + } + } + } +} + diff --git a/integrations/splunk/cfssl/host.json b/integrations/splunk/cfssl/host.json new file mode 100644 index 0000000000000..e1d3cd064b842 --- /dev/null +++ b/integrations/splunk/cfssl/host.json @@ -0,0 +1,19 @@ +{ + "CN": "splunk", + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "C": "US", + "L": "California", + "O": "Wazuh", + "OU": "Wazuh" + } + ], + "hosts": [ + "splunk", + "localhost" + ] +} diff --git a/integrations/splunk/config/default.yml b/integrations/splunk/config/default.yml new file mode 100644 index 0000000000000..e9e0637d69a60 --- /dev/null +++ b/integrations/splunk/config/default.yml 
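Review bot: in `cfssl.json`, the `server` profile lists `"digital signing"` where the `intermediate_ca`, `peer` and `client` profiles list `"digital signature"`; the misspelled entry is not one of the usage names the other profiles rely on, so it will not map to the digitalSignature key usage and should read `"digital signature"` for consistency. The `intermediate_ca` profile combines `cert sign`/`crl sign` with `server auth`/`client auth` in one certificate; an issuing CA does not need the EKUs, so dropping them keeps the CA key from doubling as a TLS identity.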
@@ -0,0 +1,25 @@ +splunk: + conf: + - key: web + value: + directory: /opt/splunk/etc/system/local + content: + settings: + enablesSplunkWebSSL: true + privKeyPath: /opt/splunk/etc/auth/custom/splunk.key + serverCert: /opt/splunk/etc/auth/custom/splunk.pem + - key: server + value: + directory: /opt/splunk/etc/system/local + content: + general: + serverName: splunk + pass4SymmKey: dadqaBZA2fzxHOvfdlSQpKjIooupehTnmjysUx7j+bP1/NucBL+rch/Kw== + sslConfig: + serverCert: /opt/splunk/etc/auth/custom/splunkhec.pem + hec: + enable: True + ssl: True + port: 8088 + # hec.token is used only for ingestion (receiving Splunk events) + token: abcd1234 diff --git a/integrations/splunk/config/indexes.conf b/integrations/splunk/config/indexes.conf new file mode 100644 index 0000000000000..81fe23e9e9515 --- /dev/null +++ b/integrations/splunk/config/indexes.conf @@ -0,0 +1,11 @@ +[default] +[wazuh-alerts] +coldPath = $SPLUNK_DB/wazuh/colddb +enableDataIntegrityControl = 1 +enableTsidxReduction = 1 +homePath = $SPLUNK_DB/wazuh/db +maxTotalDataSizeMB = 512000 +thawedPath = $SPLUNK_DB/wazuh/thaweddb +timePeriodInSecBeforeTsidxReduction = 15552000 +tsidxReductionCheckPeriodInSec = + diff --git a/integrations/splunk/logstash/pipeline/indexer-to-splunk.conf b/integrations/splunk/logstash/pipeline/indexer-to-splunk.conf new file mode 100644 index 0000000000000..fe6042f4c4e0c --- /dev/null +++ b/integrations/splunk/logstash/pipeline/indexer-to-splunk.conf 
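Review bot: in `config/default.yml`, the `web` stanza sets `enablesSplunkWebSSL: true`, which looks misspelled (the web.conf setting is `enableSplunkWebSSL`); if Splunk ignores the unknown key, Splunk Web will not serve TLS with `splunk.pem`, contradicting the `https://localhost:8000` address the README advertises. The `pass4SymmKey` and `hec.token: abcd1234` values are committed secrets; the token is also duplicated verbatim in the Logstash pipeline, so a single `.env` entry (the README already points at `docker/.env`) would avoid the two copies drifting and keep the secret out of the tracked files.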
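Review bot: in `config/indexes.conf`, the last setting is `tsidxReductionCheckPeriodInSec =` with an empty value; either give it a period in seconds or remove the line so the stanza does not depend on how Splunk treats a blank assignment. The empty `[default]` stanza above `[wazuh-alerts]` serves no purpose and can go as well.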
@@ -0,0 +1,31 @@ +input { + opensearch { + hosts => ["wazuh.indexer:9200"] + user => "${INDEXER_USERNAME}" + password => "${INDEXER_PASSWORD}" + ssl => true + ca_file => "/usr/share/logstash/root-ca.pem" + index => "wazuh-alerts-4.x-*" + query => '{ + "query": { + "range": { + "@timestamp": { + "gt": "now-1m" + } + } + } + }' + schedule => "* * * * *" + } +} + + +output { + http { + format => "json" + http_method => "post" + url => "https://splunk:8088/services/collector/raw" + headers => ["Authorization", "Splunk abcd1234"] + cacert => "/usr/share/logstash/root-ca.pem" + } +} diff --git a/integrations/splunk/logstash/setup.sh b/integrations/splunk/logstash/setup.sh new file mode 100644 index 0000000000000..4852d27efd5e1 --- /dev/null +++ b/integrations/splunk/logstash/setup.sh @@ -0,0 +1,10 @@ +#!/usr/bin/bash + +# This script creates and configures a keystore for Logstash to store +# indexer's credentials. NOTE: works only for dockerized logstash. +# Source: https://www.elastic.co/guide/en/logstash/current/keystore.html + +# Create keystore +/usr/share/logstash/bin/logstash-keystore create +echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_USERNAME +echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_PASSWORD diff --git a/integrations/splunk/wazuh-amazon-aws b/integrations/splunk/wazuh-amazon-aws new file mode 100644 index 0000000000000..c2d4db71d0bce --- /dev/null +++ b/integrations/splunk/wazuh-amazon-aws 
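Review bot: in `indexer-to-splunk.conf`, the HEC token is hardcoded in `headers => ["Authorization", "Splunk abcd1234"]` while the indexer credentials next to it are pulled from the keystore (`${INDEXER_USERNAME}`, `${INDEXER_PASSWORD}`); the token deserves the same treatment (for example `${HEC_TOKEN}`) so it is not committed in clear text. The input polls with `"gt": "now-1m"` on a `* * * * *` schedule, so any drift between the cron tick and the time the query runs produces either duplicate or missed alerts at the window edge; Splunk's raw collector endpoint does not deduplicate, so a comment about that trade-off, or a small overlap plus an event id for dedup on the Splunk side, would help whoever tunes this.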
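Review bot: `logstash/setup.sh` defeats the purpose of the keystore it creates by echoing the literal `admin` username and password into it from a tracked script; read them from the environment instead (the compose `.env` file the README references is the natural source) and fail early if unset, e.g. `echo "${INDEXER_PASSWORD:?}" | /usr/share/logstash/bin/logstash-keystore add INDEXER_PASSWORD`. The script also has no `set -euo pipefail`, so a failed `create` is silently followed by the two `add` calls.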
@@ -0,0 +1,132 @@ +{ + "visualizations": { + "viz_lTJLU7ar": { + "type": "splunk.area", + "options": { + "stackMode": "stacked", + "xAxisTitleText": "timestamp", + "yAxisTitleText": "count", + "legendDisplay": "left" + }, + "dataSources": { + "primary": "ds_BHh1kZmb" + }, + "title": "Events by source over time" + }, + "viz_l5qazB46": { + "type": "splunk.pie", + "options": { + "showDonutHole": true + }, + "dataSources": { + "primary": "ds_Y2J0psR4" + }, + "title": "Sources" + }, + "viz_1JzeNwnq": { + "type": "splunk.table", + "title": "Events", + "dataSources": { + "primary": "ds_K2y81pak" + } + } + }, + "dataSources": { + "ds_BHh1kZmb": { + "type": "ds.search", + "options": { + "queryParameters": { + "earliest": "$global_time.earliest$", + "latest": "$global_time.latest$" + }, + "query": "index=\"wazuh-alerts\" \"data.aws.source\"=\"*\" | timechart count by \"data.aws.source\"" + }, + "name": "Search_1" + }, + "ds_Y2J0psR4": { + "type": "ds.search", + "options": { + "queryParameters": { + "earliest": "$global_time.earliest$", + "latest": "$global_time.latest$" + }, + "query": "index=\"wazuh-alerts\" \"data.aws.source\"=\"*\" | chart count by \"data.aws.source\"" + }, + "name": "Search_2" + }, + "ds_K2y81pak": { + "type": "ds.search", + "options": { + "queryParameters": { + "earliest": "$global_time.earliest$", + "latest": "$global_time.latest$" + }, + "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\", \"data.aws.source\"=\"*\", \"rule.description\"=\"*\", \"rule.level\"=\"*\", \"rule.id\"=\"*\" | table _time, agent.name, data.aws.source, rule.description, rule.level, rule.id" + }, + "name": "Search_3" + } + }, + "defaults": { + "dataSources": { + "ds.search": { + "options": { + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + } + } + } + }, + "inputs": { + "input_global_trp": { + "type": "input.timerange", + "options": { + "token": "global_time", + "defaultValue": "-60m@m,now" + }, + "title": "Global Time 
Range" + } + }, + "layout": { + "type": "grid", + "options": {}, + "structure": [ + { + "item": "viz_lTJLU7ar", + "type": "block", + "position": { + "x": 0, + "y": 0, + "w": 795, + "h": 334 + } + }, + { + "item": "viz_1JzeNwnq", + "type": "block", + "position": { + "x": 0, + "y": 334, + "w": 1200, + "h": 358 + } + }, + { + "item": "viz_l5qazB46", + "type": "block", + "position": { + "x": 795, + "y": 0, + "w": 405, + "h": 334 + } + } + ], + "globalInputs": [ + "input_global_trp" + ] + }, + "description": "", + "title": "wazuh-amazon-aws-v1.0" +} diff --git a/integrations/splunk/wazuh-docker-listener b/integrations/splunk/wazuh-docker-listener new file mode 100644 index 0000000000000..756d9145b8875 --- /dev/null +++ b/integrations/splunk/wazuh-docker-listener 
@@ -0,0 +1,130 @@ +{ + "visualizations": { + "viz_OcJb59wC": { + "type": "splunk.pie", + "options": { + "showDonutHole": true + }, + "dataSources": { + "primary": "ds_5TEzCbIf" + }, + "title": "Top 5 events" + }, + "viz_bQPbbrvw": { + "type": "splunk.column", + "title": "Events by source over time", + "dataSources": { + "primary": "ds_l6nQN96B" + }, + "options": { + "xAxisTitleText": "timestamp", + "yAxisTitleText": "count" + } + }, + "viz_7GGKwL33": { + "type": "splunk.table", + "dataSources": { + "primary": "ds_gW45zmr5" + }, + "title": "Events" + } + }, + "dataSources": { + "ds_5TEzCbIf": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" | top limit=5 data.docker.Action | chart count by data.docker.Action", + "queryParameters": { + "earliest": "$global_time.earliest$", + "latest": "$global_time.latest$" + } + }, + "name": "Search_1" + }, + "ds_l6nQN96B": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" | timechart count by data.docker.Type useother=false usenull=false\n", + "queryParameters": { + "earliest": "$global_time.earliest$", + "latest": "$global_time.latest$" + } + }, + "name": "Search_2" + }, + "ds_gW45zmr5": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\", \"data.docker.Type\"=\"*\", \"data.docker.Actor.ID\"=\"*\", \"data.docker.Action\"=\"*\", \"rule.description\"=\"*\", \"rule.level\"=\"*\", \"rule.id\"=\"*\" | table _time, agent.name, data.docker.Type, data.docker.Actor.ID, data.docker.Action, rule.description, rule.level, rule.id", + "queryParameters": { + "earliest": "$global_time.earliest$", + "latest": "$global_time.latest$" + } + }, + "name": "Search_3" + } + }, + "defaults": { + "dataSources": { + "ds.search": { + "options": { + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + } + } + } + }, + "inputs": { + "input_global_trp": { + "type": "input.timerange", + "options": { + "token": 
"global_time", + "defaultValue": "-24h@h,now" + }, + "title": "Global Time Range" + } + }, + "layout": { + "type": "grid", + "options": {}, + "structure": [ + { + "item": "viz_OcJb59wC", + "type": "block", + "position": { + "x": 0, + "y": 0, + "w": 415, + "h": 316 + } + }, + { + "item": "viz_7GGKwL33", + "type": "block", + "position": { + "x": 0, + "y": 316, + "w": 1200, + "h": 378 + } + }, + { + "item": "viz_bQPbbrvw", + "type": "block", + "position": { + "x": 415, + "y": 0, + "w": 785, + "h": 316 + } + } + ], + "globalInputs": [ + "input_global_trp" + ] + }, + "description": "", + "title": "wazuh-docker-listener-v1.0" +} diff --git a/integrations/splunk/wazuh-incident-response b/integrations/splunk/wazuh-incident-response new file mode 100644 index 0000000000000..247cec3303b01 --- /dev/null +++ b/integrations/splunk/wazuh-incident-response 
@@ -0,0 +1,131 @@ +{ + "visualizations": { + "viz_bRMOrrNo": { + "type": "splunk.pie", + "options": { + "showDonutHole": true + }, + "dataSources": { + "primary": "ds_T5OG9qjO" + }, + "title": "Alert groups" + }, + "viz_iOvmhhgU": { + "type": "splunk.table", + "options": {}, + "dataSources": { + "primary": "ds_tnYl87gQ" + } + }, + "viz_P0bNNVfw": { + "type": "splunk.column", + "options": { + "stackMode": "stacked", + "xAxisTitleText": "timestamp", + "yAxisTitleText": "count" + }, + "dataSources": { + "primary": "ds_GccX6Lrj" + }, + "title": "Events" + } + }, + "dataSources": { + "ds_T5OG9qjO": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"rule.groups{}\"=\"*\" | top limit=5 \"rule.groups{}\" | chart count by \"rule.groups{}\" useother=false usenull=false", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_1" + }, + "ds_tnYl87gQ": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\", \"rule.groups{}\"=\"*\", \"rule.description\"=\"*\", \"rule.level\"=\"*\", \"rule.id\"=\"*\" | table _time, agent.name, rule.groups{}, rule.description, rule.level, rule.id", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_2" + }, + "ds_GccX6Lrj": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"rule.groups{}\"=\"audit\" | timechart count by \"rule.groups{}\"", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_3" + } + }, + "defaults": { + "dataSources": { + "ds.search": { + "options": { + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + } + } + } + }, + "inputs": { + "input_global_trp": { + "type": "input.timerange", + "options": { + "token": "global_time", + "defaultValue": "-60m@m,now" + }, + "title": "Global 
Time Range" + } + }, + "layout": { + "type": "grid", + "options": {}, + "structure": [ + { + "item": "viz_bRMOrrNo", + "type": "block", + "position": { + "x": 0, + "y": 0, + "w": 388, + "h": 292 + } + }, + { + "item": "viz_iOvmhhgU", + "type": "block", + "position": { + "x": 0, + "y": 292, + "w": 1200, + "h": 399 + } + }, + { + "item": "viz_P0bNNVfw", + "type": "block", + "position": { + "x": 388, + "y": 0, + "w": 812, + "h": 292 + } + } + ], + "globalInputs": [ + "input_global_trp" + ] + }, + "description": "", + "title": "wazuh-incident-response-v1.0" +} diff --git a/integrations/splunk/wazuh-malware-detection b/integrations/splunk/wazuh-malware-detection new file mode 100644 index 0000000000000..70c825efabb01 --- /dev/null +++ b/integrations/splunk/wazuh-malware-detection 
@@ -0,0 +1,132 @@ +{ + "visualizations": { + "viz_Q5GQT6h2": { + "type": "splunk.area", + "dataSources": { + "primary": "ds_N3cdEic4" + }, + "options": { + "stackMode": "stacked", + "xAxisTitleText": "timestamp", + "yAxisTitleText": "count" + }, + "title": "Emotet malware activity" + }, + "viz_U8vFKyUp": { + "type": "splunk.table", + "dataSources": { + "primary": "ds_f5AJxLS5" + }, + "title": "Security alerts" + }, + "viz_uLQLGVbg": { + "type": "splunk.line", + "options": { + "xAxisTitleText": "timestamp", + "yAxisTitleText": "count" + }, + "dataSources": { + "primary": "ds_IcWLWjPn" + }, + "title": "Rootkits activity over time" + } + }, + "dataSources": { + "ds_N3cdEic4": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"rule.groups{}\"=\"rootcheck\" | timechart count by \"rule.groups{}\"", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_1" + }, + "ds_f5AJxLS5": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"rule.mitre.technique{}\"=\"*\", \"rule.mitre.tactic{}\"=\"*\", \"rule.level\"=\"*\", \"rule.id\"=\"*\", \"rule.description\"=\"*\" | table _time, agent.name, rule.mitre.technique{}, rule.mitre.tactic{}, rule.level, rule.id, rule.description\n", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_2" + }, + "ds_IcWLWjPn": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" | timechart count by data.title useother=false usenull=false\n", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_3" + } + }, + "defaults": { + "dataSources": { + "ds.search": { + "options": { + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + } + } + } + }, + "inputs": { + "input_global_trp": { + "type": "input.timerange", + "options": { + 
"token": "global_time", + "defaultValue": "-60m@m,now" + }, + "title": "Global Time Range" + } + }, + "layout": { + "type": "grid", + "options": {}, + "structure": [ + { + "item": "viz_Q5GQT6h2", + "type": "block", + "position": { + "x": 0, + "y": 0, + "w": 458, + "h": 293 + } + }, + { + "item": "viz_U8vFKyUp", + "type": "block", + "position": { + "x": 0, + "y": 293, + "w": 1200, + "h": 381 + } + }, + { + "item": "viz_uLQLGVbg", + "type": "block", + "position": { + "x": 458, + "y": 0, + "w": 742, + "h": 293 + } + } + ], + "globalInputs": [ + "input_global_trp" + ] + }, + "description": "", + "title": "wazuh-malware-detection-v1.0" +} diff --git a/integrations/splunk/wazuh-pci-dss b/integrations/splunk/wazuh-pci-dss new file mode 100644 index 0000000000000..84748831a9790 --- /dev/null +++ b/integrations/splunk/wazuh-pci-dss 
@@ -0,0 +1,132 @@ +{ + "visualizations": { + "viz_9NIbkgTo": { + "type": "splunk.bubble", + "options": { + "xAxisTitleText": "timestamp", + "yAxisTitleText": "count" + }, + "dataSources": { + "primary": "ds_g3vSgFS7" + }, + "title": "PCI DSS requirements" + }, + "viz_Z6CAbCjJ": { + "type": "splunk.column", + "options": { + "stackMode": "stacked", + "yAxisTitleText": "count", + "xAxisTitleText": "requirements" + }, + "dataSources": { + "primary": "ds_lljKZIBi" + }, + "title": "Requirements by agent" + }, + "viz_AtTGNj0f": { + "type": "splunk.table", + "dataSources": { + "primary": "ds_9ABDZ4aq" + }, + "title": "Recent events" + } + }, + "dataSources": { + "ds_g3vSgFS7": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"rule.pci_dss{}\"=\"*\" | timechart count by \"rule.pci_dss{}\"\n", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_1" + }, + "ds_lljKZIBi": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\" | chart count by \"rule.pci_dss{}\", \"agent.name\"", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_2" + }, + "ds_9ABDZ4aq": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\", \"rule.pci_dss{}\"=\"*\", \"rule.description\"=\"*\", \"rule.level\"=\"*\", \"rule.id\"=\"*\" | table _time, agent.name, rule.pci_dss{}, rule.description, rule.level, rule.id", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_3" + } + }, + "defaults": { + "dataSources": { + "ds.search": { + "options": { + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + } + } + } + }, + "inputs": { + "input_global_trp": { + "type": "input.timerange", + "options": { + "token": "global_time", + "defaultValue": 
"-60m@m,now" + }, + "title": "Global Time Range" + } + }, + "layout": { + "type": "grid", + "options": {}, + "structure": [ + { + "item": "viz_9NIbkgTo", + "type": "block", + "position": { + "x": 0, + "y": 0, + "w": 629, + "h": 400 + } + }, + { + "item": "viz_AtTGNj0f", + "type": "block", + "position": { + "x": 0, + "y": 400, + "w": 1200, + "h": 291 + } + }, + { + "item": "viz_Z6CAbCjJ", + "type": "block", + "position": { + "x": 629, + "y": 0, + "w": 571, + "h": 400 + } + } + ], + "globalInputs": [ + "input_global_trp" + ] + }, + "description": "", + "title": "wazuh-pci-dss-v1.0" +} diff --git a/integrations/splunk/wazuh-security-events b/integrations/splunk/wazuh-security-events new file mode 100644 index 0000000000000..c64fa191bed88 --- /dev/null +++ b/integrations/splunk/wazuh-security-events 
@@ -0,0 +1,292 @@ +{ + "visualizations": { + "viz_oAPKLE0R": { + "type": "splunk.column", + "options": { + "xAxisTitleText": "timestamp", + "yAxisTitleText": "Count", + "stackMode": "stacked" + }, + "dataSources": { + "primary": "ds_TdanKF0I" + }, + "showProgressBar": false, + "showLastUpdated": false, + "title": "Alerts evolution - Top 5 agents", + "description": "" + }, + "viz_Y07WmZ1b": { + "type": "splunk.table", + "dataSources": { + "primary": "ds_ut2DiVW9" + }, + "title": "Security alerts", + "description": "" + }, + "viz_DI7fpctI": { + "type": "splunk.pie", + "dataSources": { + "primary": "ds_EmDJmxMO" + }, + "showProgressBar": false, + "showLastUpdated": false, + "title": "Top Mitre ATT&K tactics" + }, + "viz_qYCIuSjF": { + "type": "splunk.singlevalueradial", + "options": { + "majorColor": "#0258a1", + "trendColor": "#000000" + }, + "dataSources": { + "primary": "ds_d9cN1Qn9" + }, + "title": "Total" + }, + "viz_aTlMnG7A": { + "type": "splunk.singlevalueradial", + "options": { + "majorColor": "#db566f" + }, + "dataSources": { + "primary": "ds_ZPT4uVoe" + }, + "title": "Level 12 or above alerts" + }, + "viz_R8LMR6U6": { + "type": "splunk.singlevalueradial", + "options": { + "majorColor": "#bf0561" + }, + "dataSources": { + "primary": "ds_d8m0U7Ph" + }, + "title": "Authentication failure" + }, + "viz_nDMI4ZGW": { + "type": "splunk.singlevalueradial", + "options": { + "majorColor": "#007d73" + }, + "dataSources": { + "primary": "ds_7FDRhb5m" + }, + "title": "Authentication success" + } + }, + "dataSources": { + "ds_TdanKF0I": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" | timechart count by agent.name\n\n", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_1" + }, + "ds_ut2DiVW9": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"rule.mitre.id{}\"=\"*\" | table _time, agent.name, rule.mitre.id{}, rule.mitre.tactic{}, 
rule.description, rule.level, rule.id\n", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_2" + }, + "ds_EmDJmxMO": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" | top limit=5 agent.name | chart count by agent.name\n", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_3" + }, + "ds_5QIbKzqF": { + "type": "ds.search", + "options": { + "query": "wazuh-alerts-4.x-sample | chart count by rule.groups", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_4" + }, + "ds_d9cN1Qn9": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" | stats count", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_5" + }, + "ds_ZPT4uVoe": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" rule.level>=12 | stats count", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_6" + }, + "ds_d8m0U7Ph": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"rule.groups{}\"=\"authentication_failed\" OR \"rule.groups{}\"=\"win_authentication_failed\" OR \"rule.groups{}\"=\"authentication_failures\" | stats count", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_7" + }, + "ds_7FDRhb5m": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"rule.groups{}\"=authentication_success | stats count", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_8" + }, + "ds_UIfFJptm": { + "type": "ds.search", + "options": { + "query": "wazuh-alerts-4.x-sample | stats count", + 
"queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_9" + }, + "ds_z3i8WcOf": { + "type": "ds.search", + "options": { + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + }, + "query": "wazuh-alerts-4.x-sample rule.groups=\"authentication_failures\" | stats count by rule.groups" + }, + "name": "Search_10" + } + }, + "defaults": { + "dataSources": { + "ds.search": { + "options": { + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + } + } + } + }, + "inputs": { + "input_global_trp": { + "type": "input.timerange", + "options": { + "token": "global_time", + "defaultValue": "-60m@m,now" + }, + "title": "Global Time Range" + } + }, + "layout": { + "type": "grid", + "options": {}, + "structure": [ + { + "item": "viz_qYCIuSjF", + "type": "block", + "position": { + "x": 0, + "y": 0, + "w": 291, + "h": 137 + } + }, + { + "item": "viz_oAPKLE0R", + "type": "block", + "position": { + "x": 0, + "y": 137, + "w": 731, + "h": 326 + } + }, + { + "item": "viz_Y07WmZ1b", + "type": "block", + "position": { + "x": 0, + "y": 463, + "w": 1200, + "h": 400 + } + }, + { + "item": "viz_aTlMnG7A", + "type": "block", + "position": { + "x": 291, + "y": 0, + "w": 286, + "h": 137 + } + }, + { + "item": "viz_R8LMR6U6", + "type": "block", + "position": { + "x": 577, + "y": 0, + "w": 301, + "h": 137 + } + }, + { + "item": "viz_DI7fpctI", + "type": "block", + "position": { + "x": 731, + "y": 137, + "w": 469, + "h": 326 + } + }, + { + "item": "viz_nDMI4ZGW", + "type": "block", + "position": { + "x": 878, + "y": 0, + "w": 322, + "h": 137 + } + } + ], + "globalInputs": [ + "input_global_trp" + ] + }, + "description": "", + "title": "wazuh-security-events-v1.0" +} diff --git a/integrations/splunk/wazuh-vulnerabilities b/integrations/splunk/wazuh-vulnerabilities new file mode 100644 index 0000000000000..a46023455e789 --- /dev/null 
+++ b/integrations/splunk/wazuh-vulnerabilities 
@@ -0,0 +1,257 @@ +{ + "visualizations": { + "viz_XlLyYDmC": { + "type": "splunk.area", + "dataSources": { + "primary": "ds_DljIxEDR" + }, + "options": { + "stackMode": "stacked", + "xAxisTitleText": "timestamp", + "yAxisTitleText": "count" + }, + "title": "Alert severity" + }, + "viz_qzFw5Wx7": { + "type": "splunk.table", + "options": {}, + "dataSources": { + "primary": "ds_Irx4cEkl" + } + }, + "viz_3V3AvVY4": { + "type": "splunk.singlevalueradial", + "dataSources": { + "primary": "ds_oyvgAG73" + }, + "title": "Critical Severity Alerts", + "options": { + "majorColor": "#db566f" + } + }, + "viz_cmEIbZ9q": { + "type": "splunk.singlevalueradial", + "dataSources": { + "primary": "ds_TVyYlSRA" + }, + "title": "Hight Severity Alerts", + "options": { + "majorColor": "#0258a1" + } + }, + "viz_4QSVuglC": { + "type": "splunk.singlevalueradial", + "dataSources": { + "primary": "ds_D0hAYmXA" + }, + "title": "Medium Severity Alerts", + "options": { + "majorColor": "#007d73" + } + }, + "viz_VI9ZdnSO": { + "type": "splunk.singlevalueradial", + "dataSources": { + "primary": "ds_1KrtDz29" + }, + "title": "Low Severity Alerts", + "options": { + "majorColor": "#232323" + } + } + }, + "dataSources": { + "ds_DljIxEDR": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" | timechart count by data.vulnerability.severity useother=false usenull=false", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_1" + }, + "ds_31leL1fM": { + "type": "ds.search", + "options": { + "query": "wazuh-alerts-4.x-sample | timechart count by data.vulnerability.severity", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_2" + }, + "ds_jymjmvtF": { + "type": "ds.search", + "options": { + "query": "wazuh-alerts-4.x-sample | timechart count by data.vulnerability.severity", + "queryParameters": { + "latest": "$global_time.latest$", + 
"earliest": "$global_time.earliest$" + } + }, + "name": "Search_3" + }, + "ds_jEwqnxee": { + "type": "ds.search", + "options": { + "query": "wazuh-alerts-4.x-sample | timechart count by data.vulnerability.severity", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_4" + }, + "ds_Irx4cEkl": { + "type": "ds.search", + "options": { + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + }, + "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\", \"data.vulnerability.cve\"=\"*\", \"data.vulnerability.package.name\"=\"*\", \"data.vulnerability.package.version\"=\"*\", \"data.vulnerability.severity\"=\"*\", \"rule.id\"=\"*\" | table _time, agent.name, data.vulnerability.cve, data.vulnerability.package.name, data.vulnerability.package.version, data.vulnerability.severity, rule.id\n\n" + }, + "name": "Search_5" + }, + "ds_oyvgAG73": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"data.vulnerability.severity\"=\"Critical\" | stats count by \"data.vulnerability.severity\"", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_6" + }, + "ds_TVyYlSRA": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"data.vulnerability.severity\"=\"High\" | stats count by \"data.vulnerability.severity\"", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_7" + }, + "ds_D0hAYmXA": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" \"data.vulnerability.severity\"=\"Medium\" | stats count by \"data.vulnerability.severity\"", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_8" + }, + "ds_1KrtDz29": { + "type": "ds.search", + "options": { + "query": "index=\"wazuh-alerts\" 
\"data.vulnerability.severity\"=\"Low\" | stats count by \"data.vulnerability.severity\"", + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + }, + "name": "Search_9" + } + }, + "defaults": { + "dataSources": { + "ds.search": { + "options": { + "queryParameters": { + "latest": "$global_time.latest$", + "earliest": "$global_time.earliest$" + } + } + } + } + }, + "inputs": { + "input_global_trp": { + "type": "input.timerange", + "options": { + "token": "global_time", + "defaultValue": "-60m@m,now" + }, + "title": "Global Time Range" + } + }, + "layout": { + "type": "grid", + "options": {}, + "structure": [ + { + "item": "viz_3V3AvVY4", + "type": "block", + "position": { + "x": 0, + "y": 0, + "w": 279, + "h": 131 + } + }, + { + "item": "viz_XlLyYDmC", + "type": "block", + "position": { + "x": 0, + "y": 131, + "w": 1200, + "h": 284 + } + }, + { + "item": "viz_qzFw5Wx7", + "type": "block", + "position": { + "x": 0, + "y": 415, + "w": 1200, + "h": 251 + } + }, + { + "item": "viz_cmEIbZ9q", + "type": "block", + "position": { + "x": 279, + "y": 0, + "w": 293, + "h": 131 + } + }, + { + "item": "viz_4QSVuglC", + "type": "block", + "position": { + "x": 572, + "y": 0, + "w": 309, + "h": 131 + } + }, + { + "item": "viz_VI9ZdnSO", + "type": "block", + "position": { + "x": 881, + "y": 0, + "w": 319, + "h": 131 + } + } + ], + "globalInputs": [ + "input_global_trp" + ] + }, + "description": "", + "title": "wazuh-vulnerabilities-v1.0" +} diff --git a/integrations/tools/events-generator/.dockerignore b/integrations/tools/events-generator/.dockerignore new file mode 100644 index 0000000000000..0f028b576338e --- /dev/null +++ b/integrations/tools/events-generator/.dockerignore @@ -0,0 +1,2 @@ +.venv +Dockerfile \ No newline at end of file diff --git a/integrations/tools/events-generator/.gitignore b/integrations/tools/events-generator/.gitignore new file mode 100644 index 0000000000000..b694934fbf9b4 --- /dev/null 
+++ b/integrations/tools/events-generator/.gitignore @@ -0,0 +1 @@ +.venv \ No newline at end of file diff --git a/integrations/tools/events-generator/Dockerfile b/integrations/tools/events-generator/Dockerfile new file mode 100644 index 0000000000000..da32f8c042017 --- /dev/null +++ b/integrations/tools/events-generator/Dockerfile @@ -0,0 +1,4 @@ +FROM python:3.9 +COPY . /home/events-generator/ +WORKDIR /home/events-generator +RUN pip install -r requirements.txt \ No newline at end of file diff --git a/integrations/tools/events-generator/README.md b/integrations/tools/events-generator/README.md new file mode 100644 index 0000000000000..ac43631d9e2e1 --- /dev/null +++ b/integrations/tools/events-generator/README.md 
@@ -0,0 +1,52 @@ +### Events generator tool + +This python tool provides functionality to generate and index sample events for Wazuh's indices. + +#### Getting started + +Create a virtual environment to install the dependencies of the project. + +```console +python -m venv .venv +source .venv/bin/activate +pip install -r requirements.txt +``` + +Start the events' generator with `./run.py` or `python run.py`. The program takes no required +arguments, as it's configured with default values that will work in most cases during development. +To know more about its capabilities and arguments, display the help menu with `-h`. + +As for now, this tool generates events for the `wazuh-alerts-4.x-*` and `wazuh-archives-4.x-*` indices. +You may also need to create an **index pattern** in _dashboards_ in order to perform +queries to the index from the UI. To do that, go to Dashboards Management > Index Patterns > Create index pattern > wazuh-alerts-4.x-* > timestamp as Time field + +Newer indices, like `wazuh-states-vulnerabilities`, are ECS compliant and use a dedicated events' generator. +You can find it in the [ecs](../../../ecs/) folder. 
+ + +```console +python run.py -o indexer -c 5 -t 1 +INFO:event_generator:Inventory created +INFO:event_generator:Publisher created +INFO:event_generator:Event created +{'_index': 'wazuh-alerts-4.x-2024.02.13-000001', '_id': 'dRWno40BZRXLJU5t0u6Z', '_version': 1, 'result': 'created', '_shards': {'total': 2, 'successful': 2, 'failed': 0}, '_seq_no': 168, '_primary_term': 1} +INFO:event_generator:Event created +{'_index': 'wazuh-alerts-4.x-2024.02.13-000001', '_id': 'dhWno40BZRXLJU5t1u6Y', '_version': 1, 'result': 'created', '_shards': {'total': 2, 'successful': 2, 'failed': 0}, '_seq_no': 169, '_primary_term': 1} +INFO:event_generator:Event created +{'_index': 'wazuh-alerts-4.x-2024.02.13-000001', '_id': 'dxWno40BZRXLJU5t2u6i', '_version': 1, 'result': 'created', '_shards': {'total': 2, 'successful': 2, 'failed': 0}, '_seq_no': 170, '_primary_term': 1} +INFO:event_generator:Event created +{'_index': 'wazuh-alerts-4.x-2024.02.13-000001', '_id': 'eBWno40BZRXLJU5t3u6v', '_version': 1, 'result': 'created', '_shards': {'total': 2, 'successful': 2, 'failed': 0}, '_seq_no': 171, '_primary_term': 1} +INFO:event_generator:Event created +{'_index': 'wazuh-alerts-4.x-2024.02.13-000001', '_id': 'eRWno40BZRXLJU5t4u66', '_version': 1, 'result': 'created', '_shards': {'total': 2, 'successful': 2, 'failed': 0}, '_seq_no': 172, '_primary_term': 1} +``` + +### Building the Docker image + +```console +docker build -t wazuh/indexer-events-generator:latest . +``` + +Run with: +```console +docker run -it --name=wazuh-indexer-events-generator --rm wazuh/indexer-events-generator python run.py -h +``` \ No newline at end of file diff --git a/integrations/tools/events-generator/requirements.txt b/integrations/tools/events-generator/requirements.txt new file mode 100644 index 0000000000000..37912b81ef184 --- /dev/null +++ b/integrations/tools/events-generator/requirements.txt @@ -0,0 +1 @@ +requests>=2.31.0 \ No newline at end of file 
diff --git a/integrations/tools/events-generator/run.py b/integrations/tools/events-generator/run.py new file mode 100644 index 0000000000000..8ecf69ada95ad --- /dev/null +++ b/integrations/tools/events-generator/run.py 
@@ -0,0 +1,205 @@ +#!/usr/bin/python3 + +# Events generator tool for Wazuh's indices. +# Chooses a random element from /alerts.json to index +# Required. Destination of the events. Default: indexer. +# -c: Number of elements to push. Use 0 to run indefinitely. Default: 0 +# -i: index name prefix or module (e.g: wazuh-alerts, wazuh-states-vulnerabilities) +# -t: interval between events in seconds. Default: 5 +# when output is "indexer", the following parameters can be provided: +# -a: indexer's API IP address or hostname. +# -P: indexer's API port number. +# -u: username +# -p: password + + +from abc import ABC, abstractmethod +import argparse +import datetime +import logging +import random +import requests +import time +import json +import urllib3 +# import OpenSearch.opensearchpy + +logging.basicConfig(level=logging.NOTSET) +# Combination to supress certificates validation warning when verify=False +# https://github.com/influxdata/influxdb-python/issues/240#issuecomment-341313420 +logging.getLogger("urllib3").setLevel(logging.ERROR) +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +logger = logging.getLogger("event_generator") + +# ================================================== # + + +class Inventory: + def __init__(self, path: str): + with open(path, "r") as fd: + self.elements = fd.readlines() + self.size = len(self.elements) + + def get_random(self) -> str: + """ + Returns the last element of the list + """ + random.shuffle(self.elements) + return self.elements[self.size-1] + +# ================================================== # + + +class Publisher(ABC): + @abstractmethod + def publish(self, event: str): + pass + +# ================================================== # + + +class PublisherClient(Publisher): + def __init__(self): + # self.client = OpenSearch( + # hosts... 
+ # ) + pass + +# ================================================== # + + +class PublisherHttp(Publisher): + def __init__(self, address: str, port: int, path: str, user: str, password: str): + super() + self.address = address + self.port = port + self.path = path + self.username = user + self.password = password + + def url(self) -> str: + return f"https://{self.address}:{self.port}/{self.path}/_doc" + + def publish(self, event: str): + try: + result = requests.post( + self.url(), + auth=(self.username, self.password), + json=json.loads(event), + verify=False + ) + print(result.json()) + except json.JSONDecodeError as e: + logger.error("Error encoding event " + + event + "\n Caused by: " + e.msg) + +# ================================================== # + + +class PublisherCreator: + @staticmethod + def create(publisher: str, args) -> Publisher: + if publisher == "indexer": + address = args["address"] + port = args["port"] + path = args["index"] + username = args["username"] + password = args["password"] + + return PublisherHttp(address, port, path, username, password) + else: + raise ValueError("Unsupported publisher type") + +# ================================================== # + + +def date_now() -> str: + return datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3]+'+0000' + +# ================================================== # + + +def parse_args(): + parser = argparse.ArgumentParser( + description="Events generator tool for Wazuh's indices. Indexes a random element from /alerts.json", + ) + parser.add_argument( + '-i', '--index', + default="wazuh-alerts-4.x-sample", + help="Destination index name or alias" + ) + parser.add_argument( + '-o', '--output', + choices=['indexer'], + default="indexer", + help="Destination of the events. Default: indexer." + ) + parser.add_argument( + '-m', '--module', + default="wazuh-alerts", + help="Wazuh module to read the alerts from (e.g: wazuh-alerts, wazuh-states-vulnerabilities). 
Must match a subfolder's name." + ) + # Infinite loop by default + parser.add_argument( + '-c', '--count', + default=0, + type=int, + help="Number of elements to push. Use 0 to run indefinitely. Default: 0" + ) + # Interval of time between events + parser.add_argument( + '-t', '--time', + default=5, + type=int, + help="Interval between events in seconds. Default: 5" + ) + parser.add_argument( + '-a', '--address', + default="localhost", + help="Indexer's API IP address or hostname." + ) + parser.add_argument( + '-P', '--port', + default=9200, + type=int, + help="Indexer's API port number." + ) + parser.add_argument( + '-u', '--username', + default="admin", + help="Indexer's username" + ) + parser.add_argument( + '-p', '--password', + default="admin", + help="Indexer's password" + ) + return parser.parse_args() + + +# ================================================== # + + +def main(args: dict): + inventory = Inventory(f"{args['module']}/alerts.json") + logger.info("Inventory created") + publisher = PublisherCreator.create(args["output"], args) + logger.info("Publisher created") + + count = 0 + max_iter = args["count"] + time_interval = args["time"] + while (count < max_iter or max_iter == 0): + chosen = inventory.get_random().replace("{timestamp}", date_now()) + logger.info("Event created") + publisher.publish(chosen) + + time.sleep(time_interval) + count += 1 + +# ================================================== # + + +if __name__ == '__main__': + main(vars(parse_args())) diff --git a/integrations/tools/events-generator/wazuh-alerts/alerts.json b/integrations/tools/events-generator/wazuh-alerts/alerts.json new file mode 100644 index 0000000000000..d3aea442be327 --- /dev/null +++ b/integrations/tools/events-generator/wazuh-alerts/alerts.json 
@@ -0,0 +1,1124 @@ +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/log/lastlog","uname_after":"root","gname_after":"root","mtime_after":"2023-03-07T17:52:50.390Z","size_after":38,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":23315}} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-06T00:27:33.061Z","size_after":18,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":25973,"mtime_before":"2023-03-06T00:26:33.061Z","inode_before":81839,"sha1_after":"42b103c8ccf0f552e931159fdccf2072f1444842","changed_attributes":["sha1"],"md5_after":"896a6493ad8dd456f9a9d919d9c74a5e","sha256_after":"6cadaacded787afb101f14c9b404daed8c8800f19199a31024ce91ea1f26"}} +{"timestamp":"{timestamp}", 
"@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-03T06:38:30.327Z","size_after":46,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":27089}} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-06T15:35:43.101Z","size_after":47,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":94411}} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'tmp/.cheese'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'tmp/.cheese'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly 
detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.b'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.b'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. 
Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file 
'/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. 
Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. 
Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file 
'/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/.lpstree'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/.lpstree'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file 
'/usr/bin/adore'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/bin/adore'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected 
by the presence of file '/usr/bin/sourcemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.font-unix/.cinik'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.font-unix/.cinik'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. 
Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected 
by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldlibps.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldlibps.so'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file 
'/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected 
by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned 
version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/usr/bin/adore'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' 
detected by the presence of file '/usr/bin/adore'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 
'tmp/.cheese'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'tmp/.cheese'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. 
Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' 
detected by the presence of file '/tmp/mcliZokhb'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file 
'/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq.c'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq.c'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file 
'/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned 
version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 
'usr/bin/n3tstat'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'lib/.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'lib/.so'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file 
'/usr/lib/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", 
"@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 5","id":"4598","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":57,"rule_title":"CIS-CAT 6","notchecked":1,"score":14,"pass":11,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":98,"result":"es"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 4","id":"4044","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":95,"rule_title":"CIS-CAT 6","notchecked":3,"score":23,"pass":6,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":12,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 
3","id":"3932","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":51,"rule_title":"CIS-CAT 2","notchecked":4,"score":72,"pass":39,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":60,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":12,"description":"Sample alert 4","id":"1379","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":100,"rule_title":"CIS-CAT 5","notchecked":2,"score":5,"pass":86,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":9,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 4","id":"4454","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":0,"rule_title":"CIS-CAT 6","notchecked":4,"score":3,"pass":19,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":65,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 
2","id":"3476","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":0,"rule_title":"CIS-CAT 3","notchecked":0,"score":62,"pass":70,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":75,"result":"es"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":1,"description":"Sample alert 4","id":"1453","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":46,"rule_title":"CIS-CAT 4","notchecked":3,"score":84,"pass":19,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":12,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 5","id":"1418","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":70,"rule_title":"CIS-CAT 3","notchecked":2,"score":74,"pass":41,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":90,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":6,"description":"Sample alert 
2","id":"2726","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":80,"rule_title":"CIS-CAT 3","notchecked":4,"score":1,"pass":66,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":10,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 1","id":"4746","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":46,"rule_title":"CIS-CAT 2","notchecked":1,"score":55,"pass":84,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":78,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 5","id":"457","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":15,"rule_title":"CIS-CAT 1","notchecked":5,"score":42,"pass":85,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":27,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 
2","id":"3248","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":79,"rule_title":"CIS-CAT 3","notchecked":2,"score":82,"pass":44,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":18,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"Sample alert 4","id":"5382","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":4,"rule_title":"CIS-CAT 4","notchecked":4,"score":31,"pass":12,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":14,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 3","id":"4840","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":66,"rule_title":"CIS-CAT 3","notchecked":2,"score":58,"pass":29,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":77,"result":"es"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"Sample alert 
3","id":"4569","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":78,"rule_title":"CIS-CAT 6","notchecked":1,"score":79,"pass":1,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":20,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"Sample alert 1","id":"809","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":21,"rule_title":"CIS-CAT 1","notchecked":3,"score":76,"pass":13,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":47,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 4","id":"2098","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":16,"rule_title":"CIS-CAT 3","notchecked":1,"score":41,"pass":66,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":16,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 
3","id":"2011","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":72,"rule_title":"CIS-CAT 1","notchecked":4,"score":59,"pass":67,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":7,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 5","id":"4506","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":12,"rule_title":"CIS-CAT 4","notchecked":1,"score":99,"pass":38,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":49,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 4","id":"1888","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":50,"rule_title":"CIS-CAT 4","notchecked":2,"score":87,"pass":17,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":28,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 
5","id":"1059","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":94,"rule_title":"CIS-CAT 3","notchecked":3,"score":98,"pass":41,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":58,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 4","id":"531","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":96,"rule_title":"CIS-CAT 6","notchecked":3,"score":8,"pass":97,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":95,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":14,"description":"Sample alert 1","id":"986","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":39,"rule_title":"CIS-CAT 6","notchecked":4,"score":51,"pass":96,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":95,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 
5","id":"3810","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":66,"rule_title":"CIS-CAT 1","notchecked":3,"score":84,"pass":91,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":95,"result":"es"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 1","id":"3495","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":74,"rule_title":"CIS-CAT 6","notchecked":0,"score":34,"pass":53,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":8,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 1","id":"116","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":99,"rule_title":"CIS-CAT 4","notchecked":1,"score":46,"pass":28,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":14,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 
3","id":"3857","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":19,"rule_title":"CIS-CAT 3","notchecked":0,"score":7,"pass":27,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":88,"result":"unknown"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":1,"description":"Sample alert 2","id":"86","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":2,"rule_title":"CIS-CAT 4","notchecked":1,"score":30,"pass":41,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":28,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":11,"description":"Sample alert 3","id":"730","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":18,"rule_title":"CIS-CAT 5","notchecked":1,"score":60,"pass":75,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":77,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":6,"description":"Sample alert 
2","id":"5482","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":16,"rule_title":"CIS-CAT 3","notchecked":1,"score":60,"pass":93,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":76,"result":"es"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 5","id":"5587","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":67,"rule_title":"CIS-CAT 3","notchecked":5,"score":7,"pass":48,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":97,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 2","id":"2761","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":92,"rule_title":"CIS-CAT 3","notchecked":3,"score":25,"pass":36,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":76,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":11,"description":"Sample alert 
4","id":"3750","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":67,"rule_title":"CIS-CAT 6","notchecked":4,"score":44,"pass":73,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":3,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 4","id":"4685","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":2,"rule_title":"CIS-CAT 4","notchecked":3,"score":32,"pass":44,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":34,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 3","id":"1858","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":40,"rule_title":"CIS-CAT 4","notchecked":0,"score":98,"pass":12,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":62,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 
1","id":"1740","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":0,"rule_title":"CIS-CAT 5","notchecked":1,"score":79,"pass":52,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":61,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 5","id":"4761","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":88,"rule_title":"CIS-CAT 1","notchecked":2,"score":8,"pass":58,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":21,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":11,"description":"Sample alert 5","id":"3621","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":9,"rule_title":"CIS-CAT 2","notchecked":5,"score":76,"pass":86,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":55,"result":"es"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 
5","id":"5004","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":83,"rule_title":"CIS-CAT 5","notchecked":0,"score":45,"pass":34,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":17,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":12,"description":"Sample alert 3","id":"3909","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":91,"rule_title":"CIS-CAT 5","notchecked":3,"score":12,"pass":45,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":86,"result":"unknown"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 1","id":"940","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":57,"rule_title":"CIS-CAT 4","notchecked":1,"score":20,"pass":49,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":83,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 
5","id":"5026","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":48,"rule_title":"CIS-CAT 6","notchecked":1,"score":5,"pass":46,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":6,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 4","id":"2301","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":68,"rule_title":"CIS-CAT 1","notchecked":5,"score":89,"pass":81,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":40,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 5","id":"4721","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":76,"rule_title":"CIS-CAT 1","notchecked":0,"score":13,"pass":59,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":23,"result":"es"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 
2","id":"939","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":7,"rule_title":"CIS-CAT 1","notchecked":5,"score":5,"pass":76,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":55,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":1,"description":"Sample alert 1","id":"3683","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":55,"rule_title":"CIS-CAT 1","notchecked":1,"score":32,"pass":77,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":99,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 4","id":"4425","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":70,"rule_title":"CIS-CAT 5","notchecked":5,"score":68,"pass":60,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":96,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 
5","id":"4845","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":87,"rule_title":"CIS-CAT 4","notchecked":1,"score":31,"pass":42,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":3,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 5","id":"4602","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":99,"rule_title":"CIS-CAT 2","notchecked":3,"score":17,"pass":25,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"es"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 2","id":"5863","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":1,"rule_title":"CIS-CAT 6","notchecked":3,"score":2,"pass":44,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":90,"result":"unknown"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 
5","id":"3899","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":12,"rule_title":"CIS-CAT 2","notchecked":1,"score":68,"pass":60,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":88,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 3","id":"5802","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":68,"rule_title":"CIS-CAT 4","notchecked":3,"score":8,"pass":76,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":52,"result":"unknown"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":12,"description":"Sample alert 5","id":"2553","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":31,"rule_title":"CIS-CAT 5","notchecked":1,"score":71,"pass":74,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":96,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":14,"description":"Sample alert 
3","id":"5515","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":67,"rule_title":"CIS-CAT 1","notchecked":4,"score":91,"pass":21,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":12,"result":"unknown"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 2","id":"3519","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":20,"rule_title":"CIS-CAT 6","notchecked":2,"score":62,"pass":79,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":42,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 4","id":"4891","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":46,"rule_title":"CIS-CAT 3","notchecked":3,"score":9,"pass":41,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":57,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 
5","id":"4265","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":20,"rule_title":"CIS-CAT 2","notchecked":3,"score":48,"pass":12,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":45,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":14,"description":"Sample alert 2","id":"5205","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":98,"rule_title":"CIS-CAT 6","notchecked":1,"score":97,"pass":63,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":60,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 5","id":"507","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":58,"rule_title":"CIS-CAT 5","notchecked":0,"score":0,"pass":14,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":21,"result":"unknown"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 
1","id":"3796","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":7,"rule_title":"CIS-CAT 6","notchecked":5,"score":18,"pass":11,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":46,"result":"unknown"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 4","id":"5794","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":20,"rule_title":"CIS-CAT 5","notchecked":3,"score":60,"pass":63,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":55,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":6,"description":"Sample alert 4","id":"188","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":6,"rule_title":"CIS-CAT 4","notchecked":0,"score":2,"pass":92,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":14,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 
3","id":"2333","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":65,"rule_title":"CIS-CAT 3","notchecked":0,"score":49,"pass":25,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":78,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 5","id":"2835","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":94,"rule_title":"CIS-CAT 3","notchecked":1,"score":53,"pass":41,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":23,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":6,"description":"Sample alert 3","id":"5915","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":99,"rule_title":"CIS-CAT 1","notchecked":2,"score":36,"pass":38,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":60,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 
5","id":"5311","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":58,"rule_title":"CIS-CAT 3","notchecked":4,"score":29,"pass":17,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":28,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 5","id":"4972","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":44,"rule_title":"CIS-CAT 3","notchecked":3,"score":27,"pass":23,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":18,"result":"unknown"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":12,"description":"Sample alert 4","id":"3913","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":71,"rule_title":"CIS-CAT 6","notchecked":2,"score":22,"pass":77,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":75,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":14,"description":"Sample alert 
4","id":"3530","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":2,"rule_title":"CIS-CAT 1","notchecked":0,"score":22,"pass":64,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":11,"result":"unknown"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"Sample alert 1","id":"434","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":30,"rule_title":"CIS-CAT 1","notchecked":2,"score":65,"pass":55,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":24,"result":"unknown"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 2","id":"684","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":68,"rule_title":"CIS-CAT 2","notchecked":0,"score":11,"pass":26,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":77,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 
4","id":"2819","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":23,"rule_title":"CIS-CAT 1","notchecked":1,"score":49,"pass":13,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":11,"result":"es"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"Sample alert 2","id":"702","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":44,"rule_title":"CIS-CAT 4","notchecked":5,"score":37,"pass":63,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":89,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 5","id":"1839","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":81,"rule_title":"CIS-CAT 6","notchecked":2,"score":2,"pass":1,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 
4","id":"1899","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":85,"rule_title":"CIS-CAT 2","notchecked":1,"score":20,"pass":59,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":84,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 2","id":"2808","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":85,"rule_title":"CIS-CAT 2","notchecked":5,"score":46,"pass":31,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":10,"result":"es"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 5","id":"2840","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":97,"rule_title":"CIS-CAT 5","notchecked":3,"score":34,"pass":35,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":43,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 
3","id":"5978","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":38,"rule_title":"CIS-CAT 1","notchecked":5,"score":58,"pass":71,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":85,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 5","id":"3237","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":88,"rule_title":"CIS-CAT 5","notchecked":1,"score":66,"pass":52,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"es"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":1,"description":"Sample alert 4","id":"2993","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":52,"rule_title":"CIS-CAT 1","notchecked":2,"score":25,"pass":68,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":76,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 
5","id":"2141","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":67,"rule_title":"CIS-CAT 5","notchecked":4,"score":95,"pass":78,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":69,"result":"es"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 3","id":"5805","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":65,"rule_title":"CIS-CAT 1","notchecked":4,"score":44,"pass":36,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":91,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 2","id":"5561","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":76,"rule_title":"CIS-CAT 3","notchecked":4,"score":85,"pass":28,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":35,"result":"es"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 
1","id":"2087","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":75,"rule_title":"CIS-CAT 6","notchecked":4,"score":54,"pass":58,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":4,"result":"es"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 2","id":"3402","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":11,"rule_title":"CIS-CAT 5","notchecked":5,"score":64,"pass":20,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":64,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 3","id":"5032","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":37,"rule_title":"CIS-CAT 4","notchecked":4,"score":0,"pass":11,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":70,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":14,"description":"Sample alert 
2","id":"2352","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":87,"rule_title":"CIS-CAT 3","notchecked":3,"score":65,"pass":74,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":7,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 4","id":"5484","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":59,"rule_title":"CIS-CAT 5","notchecked":3,"score":65,"pass":26,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":79,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 3","id":"4635","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":28,"rule_title":"CIS-CAT 2","notchecked":5,"score":58,"pass":8,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":97,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 
4","id":"426","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":62,"rule_title":"CIS-CAT 3","notchecked":5,"score":23,"pass":83,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":15,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":1,"description":"Sample alert 5","id":"1567","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":26,"rule_title":"CIS-CAT 6","notchecked":4,"score":29,"pass":54,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":88,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 5","id":"3333","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":49,"rule_title":"CIS-CAT 2","notchecked":0,"score":51,"pass":2,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":41,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"Sample alert 
3","id":"3284","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":48,"rule_title":"CIS-CAT 5","notchecked":4,"score":18,"pass":87,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":33,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 3","id":"2626","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":89,"rule_title":"CIS-CAT 1","notchecked":4,"score":53,"pass":62,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":54,"result":"es"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 2","id":"422","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":84,"rule_title":"CIS-CAT 6","notchecked":4,"score":99,"pass":82,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":60,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":12,"description":"Sample alert 
4","id":"112","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":41,"rule_title":"CIS-CAT 4","notchecked":2,"score":16,"pass":92,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":96,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 2","id":"5565","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":91,"rule_title":"CIS-CAT 6","notchecked":2,"score":33,"pass":77,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":32,"result":"es"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":12,"description":"Sample alert 2","id":"2565","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":26,"rule_title":"CIS-CAT 4","notchecked":0,"score":96,"pass":30,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":4,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 
1","id":"3334","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":71,"rule_title":"CIS-CAT 1","notchecked":5,"score":98,"pass":34,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":48,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 2","id":"5080","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":65,"rule_title":"CIS-CAT 4","notchecked":3,"score":83,"pass":52,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":98,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":14,"description":"Sample alert 2","id":"2309","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":70,"rule_title":"CIS-CAT 4","notchecked":3,"score":31,"pass":52,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":78,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":12,"description":"Sample alert 
4","id":"4820","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":6,"rule_title":"CIS-CAT 6","notchecked":2,"score":0,"pass":7,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":36,"result":"es"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"Sample alert 5","id":"5126","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":3,"rule_title":"CIS-CAT 2","notchecked":1,"score":19,"pass":83,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":5,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 2","id":"5305","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":99,"rule_title":"CIS-CAT 1","notchecked":0,"score":0,"pass":20,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":46,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 
2","id":"925","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":43,"rule_title":"CIS-CAT 6","notchecked":1,"score":75,"pass":28,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":52,"result":"es"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":6,"description":"Sample alert 2","id":"277","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":86,"rule_title":"CIS-CAT 3","notchecked":5,"score":84,"pass":54,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":63,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 2","id":"77","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":10,"rule_title":"CIS-CAT 2","notchecked":1,"score":46,"pass":37,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":35,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 
2","id":"1151","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":93,"rule_title":"CIS-CAT 3","notchecked":3,"score":13,"pass":42,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 2","id":"3752","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":55,"rule_title":"CIS-CAT 4","notchecked":3,"score":54,"pass":20,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":62,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 3","id":"2291","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":23,"rule_title":"CIS-CAT 5","notchecked":1,"score":95,"pass":68,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":97,"result":"es"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 
4","id":"2466","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":89,"rule_title":"CIS-CAT 6","notchecked":0,"score":42,"pass":25,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":69,"result":"es"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 3","id":"598","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":54,"rule_title":"CIS-CAT 2","notchecked":2,"score":32,"pass":64,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":23,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 5","id":"4816","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":95,"rule_title":"CIS-CAT 6","notchecked":2,"score":11,"pass":98,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":95,"result":"notchecked"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":6,"description":"Sample alert 
3","id":"3079","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":30,"rule_title":"CIS-CAT 5","notchecked":1,"score":57,"pass":35,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":33,"result":"es"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":14,"description":"Sample alert 5","id":"4497","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":17,"rule_title":"CIS-CAT 4","notchecked":4,"score":84,"pass":31,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":67,"result":"pass"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 3","id":"5071","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":36,"rule_title":"CIS-CAT 1","notchecked":0,"score":0,"pass":77,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":72,"result":"es"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 
5","id":"2703","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":90,"rule_title":"CIS-CAT 5","notchecked":3,"score":73,"pass":6,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":6,"result":"fail"}},"location":""} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2015-2987 affects ed","id":"23503","firedtimes":9,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ed","version":"1.10-2.1","architecture":"amd64","condition":"Package less or equal than 3.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.600000"}},"cve":"CVE-2015-2987","title":"Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 
bits.","severity":"Low","published":"2015-08-28","updated":"2015-08-31","state":"Fixed","cwe_reference":"CWE-17","references":["http://jvn.jp/en/jp/JVN91474878/index.html","http://jvndb.jvn.jp/jvndb/JVNDB-2015-000119","http://type74.org/edman5-1.php","http://type74org.blog14.fc2.com/blog-entry-1384.html","https://nvd.nist.gov/vuln/detail/CVE-2015-2987"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2020-8631 affects grub-legacy-ec2","id":"23503","firedtimes":32,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"grub-legacy-ec2","source":"cloud-init","version":"19.4-33-gbb4131a2-0ubuntu1~16.04.1","architecture":"all","condition":"Package less or equal than 19.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"}},"cve":"CVE-2020-8631","title":"CVE-2020-8631 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice 
function.","severity":"Low","published":"2020-02-05","updated":"2020-02-21","state":"Fixed","cwe_reference":"CWE-330","references":["http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00042.html","https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1860795","https://github.com/canonical/cloud-init/pull/204","https://lists.debian.org/debian-lts-announce/2020/02/msg00021.html","https://nvd.nist.gov/vuln/detail/CVE-2020-8631","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8631.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8631"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2020-1752 affects libc-bin","id":"23503","firedtimes":12,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. 
A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2019-9169 affects libc6","id":"23506","firedtimes":68,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc6","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 
2.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2019-9169","title":"CVE-2019-9169 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.","severity":"Critical","published":"2019-02-26","updated":"2019-04-16","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://sourceware.org/bugzilla/show_bug.cgi?id=24114"],"references":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://kc.mcafee.com/corporate/index?page=content&id=SB10278","https://security.netapp.com/advisory/ntap-20190315-0002/","https://sourceware.org/bugzilla/show_bug.cgi?id=24114","https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9","https://support.f5.com/csp/article/K54823184","https://nvd.nist.gov/vuln/detail/CVE-2019-9169","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9169.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2020-1927 affects 
apache2-utils","id":"23504","firedtimes":193,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-utils","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/securit
y/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2018-7738 affects mount","id":"23505","firedtimes":128,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"mount","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-20482 affects tar","id":"23504","firedtimes":88,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"tar","version":"1.29b-2ubuntu0.1","architecture":"amd64","condition":"Package less or equal than 1.30"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.700000"}},"cve":"CVE-2018-20482","title":"CVE-2018-20482 on Ubuntu 18.04 LTS (bionic) - 
low.","rationale":"GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-835","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917377","https://bugzilla.redhat.com/show_bug.cgi?id=1662346"],"references":["http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42ccd1e2377945fd0414eca1a49294bff454","http://lists.gnu.org/archive/html/bug-tar/2018-12/msg00023.html","http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html","http://www.securityfocus.com/bid/106354","https://lists.debian.org/debian-lts-announce/2018/12/msg00023.html","https://news.ycombinator.com/item?id=18745431","https://security.gentoo.org/glsa/201903-05","https://twitter.com/thatcks/status/1076166645708668928","https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug","https://nvd.nist.gov/vuln/detail/CVE-2018-20482","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20482.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20482"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2020-1747 affects 
python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2017-14988 affects libopenexr22","id":"23504","firedtimes":189,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libopenexr22","source":"openexr","version":"2.2.0-11.1ubuntu1.2","architecture":"amd64","condition":"Package matches a vulnerable 
version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-14988","title":"** DISPUTED ** Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted file that is accessed with the ImfOpenInputFile function in IlmImf/ImfCRgbaFile.cpp. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid.","severity":"Medium","published":"2017-10-03","updated":"2019-09-23","state":"Pending confirmation","cwe_reference":"CWE-400","references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00063.html","https://github.com/openexr/openexr/issues/248","https://nvd.nist.gov/vuln/detail/CVE-2017-14988"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2020-1752 affects libc-bin","id":"23503","firedtimes":12,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 
2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-11727 affects 
thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. 
This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2016-7948 affects libxrandr2","id":"23506","firedtimes":84,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 
1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7948","title":"CVE-2016-7948 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply data.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93373","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7948","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7948.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2013-4235 affects 
passwd","id":"23503","firedtimes":21,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"passwd","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2020-1747 affects 
python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2016-7948 affects libxrandr2","id":"23506","firedtimes":84,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 
1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7948","title":"CVE-2016-7948 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply data.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93373","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7948","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7948.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2015-5191 affects 
open-vm-tools","id":"23504","firedtimes":396,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"open-vm-tools","version":"2:10.2.0-3~ubuntu0.16.04.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.700000"}},"cve":"CVE-2015-5191","title":"CVE-2015-5191 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"VMware Tools prior to 10.0.9 contains multiple file system races in libDeployPkg, related to the use of hard-coded paths under /tmp. Successful exploitation of this issue may result in a local privilege escalation. 
CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","severity":"Medium","published":"2017-07-28","updated":"2017-08-08","state":"Unfixed","cwe_reference":"CWE-362","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869633"],"references":["http://www.securityfocus.com/bid/100011","http://www.securitytracker.com/id/1039013","https://www.vmware.com/security/advisories/VMSA-2017-0013.html","https://nvd.nist.gov/vuln/detail/CVE-2015-5191","http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5191.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5191"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-17595 affects ncurses-base","id":"23504","firedtimes":222,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ncurses-base","source":"ncurses","version":"6.1-1ubuntu1.18.04","architecture":"all","condition":"Package less than 6.1.20191012"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"partial"},"base_score":"5.800000"}},"cve":"CVE-2019-17595","title":"CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 
6.1-20191012.","severity":"Medium","published":"2019-10-14","updated":"2019-12-23","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2019-17595","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17595.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2017-18018 affects coreutils","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"coreutils","version":"8.28-1ubuntu1","architecture":"amd64","condition":"Package less or equal than 8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"high","availability":"none"},"base_score":"4.700000"}},"cve":"CVE-2017-18018","title":"CVE-2017-18018 on Ubuntu 18.04 
LTS (bionic) - low.","rationale":"In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.","severity":"Medium","published":"2018-01-04","updated":"2018-01-19","state":"Fixed","cwe_reference":"CWE-362","references":["http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2017-18018","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18018.html","http://www.openwall.com/lists/oss-security/2018/01/04/3","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-bin","id":"23504","firedtimes":191,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-bin","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured 
with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2020-1747 affects 
python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-17540 affects imagemagick","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in 
ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2019-9169 affects libc6","id":"23506","firedtimes":68,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc6","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 2.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2019-9169","title":"CVE-2019-9169 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via 
an attempted case-insensitive regular-expression match.","severity":"Critical","published":"2019-02-26","updated":"2019-04-16","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://sourceware.org/bugzilla/show_bug.cgi?id=24114"],"references":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://kc.mcafee.com/corporate/index?page=content&id=SB10278","https://security.netapp.com/advisory/ntap-20190315-0002/","https://sourceware.org/bugzilla/show_bug.cgi?id=24114","https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9","https://support.f5.com/csp/article/K54823184","https://nvd.nist.gov/vuln/detail/CVE-2019-9169","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9169.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2018-20483 affects wget","id":"23505","firedtimes":175,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"wget","version":"1.17.1-1ubuntu1.5","architecture":"amd64","condition":"Package less than 
1.20.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-20483","title":"set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.","severity":"High","published":"2018-12-26","updated":"2019-04-09","state":"Fixed","cwe_reference":"CWE-255","references":["http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS","http://www.securityfocus.com/bid/106358","https://access.redhat.com/errata/RHSA-2019:3701","https://security.gentoo.org/glsa/201903-08","https://security.netapp.com/advisory/ntap-20190321-0002/","https://twitter.com/marcan42/status/1077676739877232640","https://usn.ubuntu.com/3943-1/","https://nvd.nist.gov/vuln/detail/CVE-2018-20483"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2017-12588 affects 
rsyslog","id":"23506","firedtimes":64,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsyslog","version":"8.16.0-1ubuntu3.1","architecture":"amd64","condition":"Package less or equal than 8.27.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-12588","title":"The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact.","severity":"Critical","published":"2017-08-06","updated":"2017-08-14","state":"Fixed","cwe_reference":"CWE-134","references":["https://github.com/rsyslog/rsyslog/blob/master/ChangeLog","https://github.com/rsyslog/rsyslog/commit/062d0c671a29f7c6f7dff4a2f1f35df375bbb30b","https://github.com/rsyslog/rsyslog/pull/1565","https://nvd.nist.gov/vuln/detail/CVE-2017-12588"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-1552 affects 
openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. 
For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com
/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2018-8769 affects elfutils","id":"23505","firedtimes":45,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"elfutils","version":"0.170-0.4ubuntu0.1","architecture":"amd64","condition":"Package matches a vulnerable version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-8769","title":"elfutils 0.170 has a buffer over-read in the ebl_dynamic_tag_name function of libebl/ebldynamictagname.c because SYMTAB_SHNDX is unsupported.","severity":"High","published":"2018-03-18","updated":"2019-10-03","state":"Pending confirmation","cwe_reference":"CWE-125","references":["https://sourceware.org/bugzilla/show_bug.cgi?id=22976","https://nvd.nist.gov/vuln/detail/CVE-2018-8769"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2018-7738 affects 
uuid-runtime","id":"23505","firedtimes":130,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2015-5191 affects open-vm-tools","id":"23504","firedtimes":396,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"open-vm-tools","version":"2:10.2.0-3~ubuntu0.16.04.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.700000"}},"cve":"CVE-2015-5191","title":"CVE-2015-5191 on Ubuntu 16.04 
LTS (xenial) - low.","rationale":"VMware Tools prior to 10.0.9 contains multiple file system races in libDeployPkg, related to the use of hard-coded paths under /tmp. Successful exploitation of this issue may result in a local privilege escalation. CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","severity":"Medium","published":"2017-07-28","updated":"2017-08-08","state":"Unfixed","cwe_reference":"CWE-362","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869633"],"references":["http://www.securityfocus.com/bid/100011","http://www.securitytracker.com/id/1039013","https://www.vmware.com/security/advisories/VMSA-2017-0013.html","https://nvd.nist.gov/vuln/detail/CVE-2015-5191","http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5191.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5191"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/securit
y/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2017-7244 affects libpcre3","id":"23504","firedtimes":265,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libpcre3","source":"pcre3","version":"2:8.38-3.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-7244","title":"CVE-2017-7244 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted 
file.","severity":"Medium","published":"2017-03-23","updated":"2018-08-17","state":"Unfixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858683","https://bugs.exim.org/show_bug.cgi?id=2052","https://bugs.exim.org/show_bug.cgi?id=2054"],"references":["http://www.securityfocus.com/bid/97067","https://access.redhat.com/errata/RHSA-2018:2486","https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/","https://security.gentoo.org/glsa/201710-25","https://nvd.nist.gov/vuln/detail/CVE-2017-7244","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7244.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7244"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2018-1000035 affects unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 
LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-1552 affects openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 
1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2019-3843 affects 
systemd","id":"23505","firedtimes":134,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"systemd","version":"229-4ubuntu21.27","architecture":"amd64","condition":"Package less than 242"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"4.600000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2019-3843","title":"It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. 
A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.","severity":"High","published":"2019-04-26","updated":"2019-06-19","state":"Fixed","cwe_reference":"CWE-264","references":["http://www.securityfocus.com/bid/108116","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JXQAKSTMABZ46EVCRMW62DHWYHTTFES/","https://security.netapp.com/advisory/ntap-20190619-0002/","https://usn.ubuntu.com/4269-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-3843"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-client","id":"23504","firedtimes":197,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-client","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - 
low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2017-7244 affects libpcre3","id":"23504","firedtimes":265,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libpcre3","source":"pcre3","version":"2:8.38-3.1","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-7244","title":"CVE-2017-7244 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted file.","severity":"Medium","published":"2017-03-23","updated":"2018-08-17","state":"Unfixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858683","https://bugs.exim.org/show_bug.cgi?id=2052","https://bugs.exim.org/show_bug.cgi?id=2054"],"references":["http://www.securityfocus.com/bid/97067","https://access.redhat.com/errata/RHSA-2018:2486","https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/","https://security.gentoo.org/glsa/201710-25","https://nvd.nist.gov/vuln/detail/CVE-2017-7244","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7244.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7244"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-20217 affects 
libkrb5-3","id":"23504","firedtimes":254,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libkrb5-3","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"single","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"3.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.300000"}},"cve":"CVE-2018-20217","title":"CVE-2018-20217 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. 
If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Unfixed","cwe_reference":"CWE-617","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387","http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763"],"references":["http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763","https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086","https://lists.debian.org/debian-lts-announce/2019/01/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/","https://security.netapp.com/advisory/ntap-20190416-0006/","https://nvd.nist.gov/vuln/detail/CVE-2018-20217","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-1547 affects libssl1.0.0","id":"23503","firedtimes":35,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libssl1.0.0","source":"openssl","version":"1.0.2g-1ubuntu4.15","architecture":"amd64","condition":"Package greater or equal than 1.0.2 and less or equal than 
1.0.2s"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"1.900000"}},"cve":"CVE-2019-1547","title":"CVE-2019-1547 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-09-10","updated":"2019-09-12","state":"Fixed","cwe_reference":"CWE-311","references":["http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html","http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html","http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html","https://arxiv.org/abs/1909.01785","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a","https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/","https://seclists.org/bugtraq/2019/Oct/0","https://seclists.org/bugtraq/2019/Oct/1","https://seclists.org/bugtraq/2019/Sep/25","https://security.gentoo.org/glsa/201911-04","https://security.netapp.com/advisory/ntap-20190919-0002/","https://security.netapp.com/advisory/ntap-20200122-0002/","https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_medium=RSS","https://www.debian.org/security/2019/dsa-4539","https://www.debian.org/security/2019/dsa-4540","https://www.openssl.org/news/secadv/20190910.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/t
ns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1547","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1547.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547","https://usn.ubuntu.com/usn/usn-4376-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2019-15847 affects gcc","id":"23505","firedtimes":86,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gcc","source":"gcc-defaults","version":"4:7.4.0-1ubuntu2.3","architecture":"amd64","condition":"Package less than 10.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"7.500000"}},"cve":"CVE-2019-15847","title":"CVE-2019-15847 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. 
For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.","severity":"High","published":"2019-09-02","updated":"2020-05-26","state":"Fixed","cwe_reference":"CWE-331","bugzilla_references":["https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481","https://nvd.nist.gov/vuln/detail/CVE-2019-15847","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15847.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15847"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-17540 affects imagemagick","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in 
coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2019-9169 affects libc6","id":"23506","firedtimes":68,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc6","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 2.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2019-9169","title":"CVE-2019-9169 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted 
case-insensitive regular-expression match.","severity":"Critical","published":"2019-02-26","updated":"2019-04-16","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://sourceware.org/bugzilla/show_bug.cgi?id=24114"],"references":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://kc.mcafee.com/corporate/index?page=content&id=SB10278","https://security.netapp.com/advisory/ntap-20190315-0002/","https://sourceware.org/bugzilla/show_bug.cgi?id=24114","https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9","https://support.f5.com/csp/article/K54823184","https://nvd.nist.gov/vuln/detail/CVE-2019-9169","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9169.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2018-6485 affects libc-bin","id":"23506","firedtimes":78,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 
2.26"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2018-6485","title":"CVE-2018-6485 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.","severity":"Critical","published":"2018-02-01","updated":"2019-12-10","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["http://bugs.debian.org/878159","https://sourceware.org/bugzilla/show_bug.cgi?id=22343"],"references":["http://bugs.debian.org/878159","http://www.securityfocus.com/bid/102912","https://access.redhat.com/errata/RHBA-2019:0327","https://access.redhat.com/errata/RHSA-2018:3092","https://security.netapp.com/advisory/ntap-20190404-0003/","https://sourceware.org/bugzilla/show_bug.cgi?id=22343","https://usn.ubuntu.com/4218-1/","https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html","https://nvd.nist.gov/vuln/detail/CVE-2018-6485","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6485.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485","https://usn.ubuntu.com/usn/usn-4218-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-20217 affects 
libkrb5-3","id":"23504","firedtimes":254,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libkrb5-3","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"single","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"3.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.300000"}},"cve":"CVE-2018-20217","title":"CVE-2018-20217 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. 
If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Unfixed","cwe_reference":"CWE-617","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387","http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763"],"references":["http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763","https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086","https://lists.debian.org/debian-lts-announce/2019/01/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/","https://security.netapp.com/advisory/ntap-20190416-0006/","https://nvd.nist.gov/vuln/detail/CVE-2018-20217","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/securit
y/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-19232 affects sudo","id":"23504","firedtimes":398,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.16-0ubuntu1.9","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-19232","title":"CVE-2019-19232 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. 
However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.","severity":"Medium","published":"2019-12-19","updated":"2020-01-30","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947225"],"references":["http://seclists.org/fulldisclosure/2020/Mar/31","https://access.redhat.com/security/cve/cve-2019-19232","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58103","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58979","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs76870","https://security.netapp.com/advisory/ntap-20200103-0004/","https://support.apple.com/en-gb/HT211100","https://support.apple.com/kb/HT211100","https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-19232","https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1018-5506","https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2019/12/warnmeldung_cb-k20-0001.html","https://www.oracle.com/security-alerts/bulletinapr2020.html","https://www.sudo.ws/devel.html#1.8.30b2","https://www.sudo.ws/stable.html","https://www.tenable.com/plugins/nessus/133936","https://nvd.nist.gov/vuln/detail/CVE-2019-19232","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19232.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19232"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-1552 affects 
openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. 
For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com
/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2016-7948 affects libxrandr2","id":"23506","firedtimes":84,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7948","title":"CVE-2016-7948 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply 
data.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93373","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7948","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7948.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2017-18018 affects coreutils","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"coreutils","version":"8.28-1ubuntu1","architecture":"amd64","condition":"Package less or equal than 
8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"high","availability":"none"},"base_score":"4.700000"}},"cve":"CVE-2017-18018","title":"CVE-2017-18018 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.","severity":"Medium","published":"2018-01-04","updated":"2018-01-19","state":"Fixed","cwe_reference":"CWE-362","references":["http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2017-18018","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18018.html","http://www.openwall.com/lists/oss-security/2018/01/04/3","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2020-1752 affects 
multiarch-support","id":"23503","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"multiarch-support","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. 
This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-19645 affects sqlite3","id":"23503","firedtimes":19,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE 
statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-server","id":"23504","firedtimes":198,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-server","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote 
attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to 
arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-19645 affects libsqlite3-0","id":"23503","firedtimes":18,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libsqlite3-0","source":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2020-1752 affects multiarch-support","id":"23503","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"multiarch-support","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 
2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2020-1752 affects 
multiarch-support","id":"23503","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"multiarch-support","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. 
This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2019-20079 affects vim","id":"23505","firedtimes":109,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"vim","version":"2:7.4.1689-3ubuntu1.4","architecture":"amd64","condition":"Package less than 8.1.2136"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2019-20079","title":"The autocmd feature in window.c in Vim before 8.1.2136 accesses freed 
memory.","severity":"High","published":"2019-12-30","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-416","references":["https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421","https://github.com/vim/vim/compare/v8.1.2135...v8.1.2136","https://packetstormsecurity.com/files/154898","https://usn.ubuntu.com/4309-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-20079"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2018-1000035 affects unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code 
execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2017-9502 affects curl","id":"23504","firedtimes":334,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"curl","version":"7.47.0-1ubuntu2.14","architecture":"amd64","condition":"Package less or equal than 7.54.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"low"},"base_score":"5.300000"}},"cve":"CVE-2017-9502","title":"In curl before 7.54.1 on Windows and DOS, libcurl's 
default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based memory buffer with seven bytes. If the default protocol is specified to be FILE or a file: URL lacks two slashes, the given \"URL\" starts with a drive letter, and libcurl is built for Windows or DOS, then libcurl would copy the path 7 bytes off, so that the end of the given path would write beyond the malloc buffer (7 bytes being the length in bytes of the ascii string \"file://\").","severity":"Medium","published":"2017-06-14","updated":"2017-07-08","state":"Fixed","cwe_reference":"CWE-119","references":["http://openwall.com/lists/oss-security/2017/06/14/1","http://www.securityfocus.com/bid/99120","http://www.securitytracker.com/id/1038697","https://curl.haxx.se/docs/adv_20170614.html","https://nvd.nist.gov/vuln/detail/CVE-2017-9502"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2017-12588 affects rsyslog","id":"23506","firedtimes":64,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsyslog","version":"8.16.0-1ubuntu3.1","architecture":"amd64","condition":"Package less or equal than 
8.27.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-12588","title":"The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact.","severity":"Critical","published":"2017-08-06","updated":"2017-08-14","state":"Fixed","cwe_reference":"CWE-134","references":["https://github.com/rsyslog/rsyslog/blob/master/ChangeLog","https://github.com/rsyslog/rsyslog/commit/062d0c671a29f7c6f7dff4a2f1f35df375bbb30b","https://github.com/rsyslog/rsyslog/pull/1565","https://nvd.nist.gov/vuln/detail/CVE-2017-12588"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-17540 affects libmagickcore-6.q16-3","id":"23504","firedtimes":5,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libmagickcore-6.q16-3","source":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 
7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/securit
y/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2017-18342 affects python3-yaml","id":"23506","firedtimes":65,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.11-3build1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-18342","title":"CVE-2017-18342 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. 
The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.","severity":"Critical","published":"2018-06-27","updated":"2019-06-24","state":"Unfixed","cwe_reference":"CWE-20","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902878"],"references":["https://github.com/marshmallow-code/apispec/issues/278","https://github.com/yaml/pyyaml/blob/master/CHANGES","https://github.com/yaml/pyyaml/issues/193","https://github.com/yaml/pyyaml/pull/74","https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/","https://security.gentoo.org/glsa/202003-45","https://nvd.nist.gov/vuln/detail/CVE-2017-18342","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18342.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2019-13050 affects gnupg","id":"23505","firedtimes":114,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gnupg","version":"1.4.20-1ubuntu3.3","architecture":"amd64","condition":"Package less or equal 
than 2.2.16"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"7.500000"}},"cve":"CVE-2019-13050","title":"CVE-2019-13050 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.","severity":"High","published":"2019-06-29","updated":"2019-07-09","state":"Fixed","cwe_reference":"CWE-297","bugzilla_references":["https://bugs.launchpad.net/bugs/1844059","https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-13050","https://dev.gnupg.org/T4591","https://dev.gnupg.org/T4607","https://dev.gnupg.org/T4628"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00039.html","https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUK2YRO6QIH64WP2LRA5D4LACTXQPPU4/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CP4ON34YEXEZDZOXXWV43KVGGO6WZLJ5/","https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html","https://support.f5.com/csp/article/K08654551","https://support.f5.com/csp/article/K08654551?utm_source=f5support&utm_medium=RSS","https://twitter.com/lambdafu/status/1147162583969009664","https://nvd.nist.gov/vuln/detail/CVE-2019-13050","http://people.canonical.com/~ubuntu-
security/cve/2019/CVE-2019-13050.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2015-2987 affects ed","id":"23503","firedtimes":9,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ed","version":"1.10-2.1","architecture":"amd64","condition":"Package less or equal than 3.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.600000"}},"cve":"CVE-2015-2987","title":"Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 bits.","severity":"Low","published":"2015-08-28","updated":"2015-08-31","state":"Fixed","cwe_reference":"CWE-17","references":["http://jvn.jp/en/jp/JVN91474878/index.html","http://jvndb.jvn.jp/jvndb/JVNDB-2015-000119","http://type74.org/edman5-1.php","http://type74org.blog14.fc2.com/blog-entry-1384.html","https://nvd.nist.gov/vuln/detail/CVE-2015-2987"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2020-1927 affects 
apache2-utils","id":"23504","firedtimes":193,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-utils","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2017-15088 affects krb5-locales","id":"23506","firedtimes":73,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"krb5-locales","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"all","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15088","title":"CVE-2017-15088 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.","severity":"Critical","published":"2017-11-23","updated":"2019-10-09","state":"Unfixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698"],"references":["http://www.securityfocus.com/bid/101594","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698","https://bugzilla.redhat.com/show_bug.cgi?id=1504045","https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4","https://github.com/krb5/krb5/pull/707","https://nvd.nist.gov/vuln/detail/CVE-2017-15088","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15088.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", 
"@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-17540 affects imagemagick","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-1010204 affects 
binutils","id":"23504","firedtimes":369,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"binutils","version":"2.26.1-1ubuntu1~16.04.8","architecture":"amd64","condition":"Package greater or equal than 2.21 and less or equal than 2.31.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2019-1010204","title":"CVE-2019-1010204 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. 
The attack vector is: An ELF file with an invalid e_shoff header field must be opened.","severity":"Medium","published":"2019-07-23","updated":"2019-08-22","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://sourceware.org/bugzilla/show_bug.cgi?id=23765"],"references":["https://security.netapp.com/advisory/ntap-20190822-0001/","https://sourceware.org/bugzilla/show_bug.cgi?id=23765","https://support.f5.com/csp/article/K05032915?utm_source=f5support&utm_medium=RSS","https://nvd.nist.gov/vuln/detail/CVE-2019-1010204","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1010204.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010204"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-19645 affects sqlite3","id":"23503","firedtimes":19,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE 
statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-17595 affects ncurses-base","id":"23504","firedtimes":222,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ncurses-base","source":"ncurses","version":"6.1-1ubuntu1.18.04","architecture":"all","condition":"Package less than 6.1.20191012"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"partial"},"base_score":"5.800000"}},"cve":"CVE-2019-17595","title":"CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 
6.1-20191012.","severity":"Medium","published":"2019-10-14","updated":"2019-12-23","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2019-17595","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17595.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-client","id":"23504","firedtimes":197,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-client","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 
7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2019-20079 affects 
vim","id":"23505","firedtimes":109,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"vim","version":"2:7.4.1689-3ubuntu1.4","architecture":"amd64","condition":"Package less than 8.1.2136"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2019-20079","title":"The autocmd feature in window.c in Vim before 8.1.2136 accesses freed memory.","severity":"High","published":"2019-12-30","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-416","references":["https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421","https://github.com/vim/vim/compare/v8.1.2135...v8.1.2136","https://packetstormsecurity.com/files/154898","https://usn.ubuntu.com/4309-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-20079"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2017-15088 affects krb5-locales","id":"23506","firedtimes":73,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"krb5-locales","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"all","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15088","title":"CVE-2017-15088 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.","severity":"Critical","published":"2017-11-23","updated":"2019-10-09","state":"Unfixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698"],"references":["http://www.securityfocus.com/bid/101594","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698","https://bugzilla.redhat.com/show_bug.cgi?id=1504045","https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4","https://github.com/krb5/krb5/pull/707","https://nvd.nist.gov/vuln/detail/CVE-2017-15088","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15088.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", 
"@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-server","id":"23504","firedtimes":198,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-server","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. 
NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-19645 affects libsqlite3-0","id":"23503","firedtimes":18,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libsqlite3-0","source":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types 
of self-referential views in conjunction with ALTER TABLE statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 
v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2018-7738 affects 
util-linux","id":"23505","firedtimes":129,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-17595 affects ncurses-base","id":"23504","firedtimes":222,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ncurses-base","source":"ncurses","version":"6.1-1ubuntu1.18.04","architecture":"all","condition":"Package less than 6.1.20191012"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"partial"},"base_score":"5.800000"}},"cve":"CVE-2019-17595","title":"CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 
6.1-20191012.","severity":"Medium","published":"2019-10-14","updated":"2019-12-23","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2019-17595","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17595.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2013-4235 affects login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory 
trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-server","id":"23504","firedtimes":198,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-server","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable 
behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the 
PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2019-13050 affects gnupg","id":"23505","firedtimes":114,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gnupg","version":"1.4.20-1ubuntu3.3","architecture":"amd64","condition":"Package less or equal than 
2.2.16"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"7.500000"}},"cve":"CVE-2019-13050","title":"CVE-2019-13050 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.","severity":"High","published":"2019-06-29","updated":"2019-07-09","state":"Fixed","cwe_reference":"CWE-297","bugzilla_references":["https://bugs.launchpad.net/bugs/1844059","https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-13050","https://dev.gnupg.org/T4591","https://dev.gnupg.org/T4607","https://dev.gnupg.org/T4628"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00039.html","https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUK2YRO6QIH64WP2LRA5D4LACTXQPPU4/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CP4ON34YEXEZDZOXXWV43KVGGO6WZLJ5/","https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html","https://support.f5.com/csp/article/K08654551","https://support.f5.com/csp/article/K08654551?utm_source=f5support&utm_medium=RSS","https://twitter.com/lambdafu/status/1147162583969009664","https://nvd.nist.gov/vuln/detail/CVE-2019-13050","http://people.canonical.com/~ubuntu-secur
ity/cve/2019/CVE-2019-13050.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 160.0.14.40] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", 
"detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": "-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Canada", "location": {"lat": 49.2496605, "lon": -123.119339}, "region_name": "Vancouver", "city_name": "Vancouver"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 2.25.80.45] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": 
"-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Spain", "location": {"lat": 37.1881714, "lon": -3.6066699}, "region_name": "Andaluc\u00eda", "city_name": "Granada"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 70.24.101.214] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": 
"-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Brasil", "location": {"lat": -22.9064198, "lon": -43.1822319}, "region_name": "R\u00edo de Janeiro", "city_name": "R\u00edo de Janeiro"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 75.0.101.245] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": 
"-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Germany", "location": {"lat": 52.524, "lon": 13.411}, "region_name": "Berlin", "city_name": "Berlin"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 160.0.14.40] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": 
"-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Germany", "location": {"lat": 52.524, "lon": 13.411}, "region_name": "Berlin", "city_name": "Berlin"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 2.25.80.45] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": 
"-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "United States of America", "location": {"lat": 40.7142715, "lon": -74.0059662}, "region_name": "New York", "city_name": "New York"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "Docker: Container nginx_container restarted", "groups": ["docker"], "id": "87909", "gdpr": ["IV_32.2"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "restart", "Type": "container", "Actor": {"Attributes": {"image": "nginx", "name": "nginx_container", "maintainer": "NGINX Docker Maintainers "}, "ID": "5f91cd9a9f4c5b370b7314c29cc8a2a28c72a61f9659953fa75df643502b3693"}, "scope": "local", "timeNano": "1586460544801840896.000000", "from": "nginx", "time": "1586460544", "status": "restart"}}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "Docker: Container test_container received the action: die", "groups": ["docker"], "id": "87928", "gdpr": ["IV_32.2"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": 
{"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "die", "Type": "container", "Actor": {"Attributes": {"image": "nginx", "name": "test_container", "exitCode": "0", "maintainer": "NGINX Docker Maintainers "}, "ID": "6d145b0c801fce46301fa96354d0ea29e4b1ea82fe7021799a01e2abe04a18c8"}, "scope": "local", "timeNano": "1587084648640092672.000000", "from": "nginx", "time": "1587084648", "status": "die"}}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "Docker: Container test_container started", "groups": ["docker"], "id": "87928"}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "start", "Type": "container", "Actor": {"Attributes": {"image": "nginx", "name": "test_container", "maintainer": "NGINX Docker Maintainers "}, "ID": "ebe3de16ea5b18aecc216f1cabbab887fd7aa7408dbd761719cd69b3089120fa"}, "scope": "local", "timeNano": "1587084600046795264.000000", "from": "nginx", "time": "1587084600", "status": "start"}}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "Docker: Network bridge connected", "groups": ["docker"], "id": "87928"}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "connect", "Type": "network", "Actor": {"Attributes": {"container": "fcaa90b845d05ec7ae7a5097a8596b35edf6d368a00f93fe9872a6d5b1449bb9", "name": "bridge", "type": "bridge"}, "ID": 
"d69c82315c95fee242619571726ead25f9447065db44e814bd3e07ea00daebb2"}, "scope": "local", "timeNano": "1587084599776133888.000000", "time": "1587084599"}}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 4, "description": "Docker: Network bridge disconnected", "groups": ["docker"], "id": "87929", "gdpr": ["IV_32.2"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "disconnect", "Type": "network", "Actor": {"Attributes": {"container": "555b9855a3d5f97bc5156e3d61bcd67ef236f2875cdfaf4e49659c085c69f942", "name": "bridge", "type": "bridge"}, "ID": "26fc9c96a6d0077c55b4ab068408df1be2c77789254262ae65d4f469b7f520fb"}, "scope": "local", "timeNano": "1586460544485358336.000000", "time": "1586460544"}}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 7, "description": "Docker: Container nginx_container received the action: kill", "groups": ["docker"], "id": "87924", "gdpr": ["IV_32.2"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "kill", "Type": "container", "Actor": {"Attributes": {"image": "nginx", "name": "nginx_container", "signal": "15", "maintainer": "NGINX Docker Maintainers "}, "ID": "a5f7bce90032373cf7f6a489ba8ba19744dafef91a5f9eac072e3f7265475ac2"}, "scope": "local", "timeNano": "1586460544324527616.000000", "from": "nginx", "time": "1586460544", "status": "kill"}}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 10, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - 
Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 187.234.16.206] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": 
"Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": "-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Brasil", "location": {"lat": -22.9064198, "lon": -43.1822319}, "region_name": "R\u00edo de Janeiro", "city_name": "R\u00edo de Janeiro"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 10, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 187.234.16.206] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": 
"-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "India", "location": {"lat": 19.0728302, "lon": 72.8826065}, "region_name": "Bombay", "city_name": "Bombay"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 10, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 70.24.101.214] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": 
"Colima"}, "geoLocation": {"lon": "-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Brasil", "location": {"lat": -22.9064198, "lon": -43.1822319}, "region_name": "R\u00edo de Janeiro", "city_name": "R\u00edo de Janeiro"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 10, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 75.0.101.245] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": 
"-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Spain", "location": {"lat": 37.1881714, "lon": -3.6066699}, "region_name": "Andaluc\u00eda", "city_name": "Granada"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 2, "mail": false, "level": 3, "description": "Docker: Container nginx_container stopped", "groups": ["docker"], "id": "87904", "gdpr": ["IV_32.2"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "stop", "Type": "container", "Actor": {"Attributes": {"image": "nginx", "name": "nginx_container", "maintainer": "NGINX Docker Maintainers "}, "ID": "1645a13ddb2f0ff8f5615b4535e57d4f08b6e444effc71b21962473edbffa758"}, "scope": "local", "timeNano": "1586461541373152000.000000", "from": "nginx", "time": "1586461541", "status": "stop"}}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 2, "mail": false, "level": 5, "pci_dss": ["10.2.7"], "description": "Docker: Started shell session in container nginx_container", "groups": ["docker"], "id": "87908", "nist_800_53": ["AU.14"], "gdpr": ["IV_32.2"]}, "agent": {"id": "001", "name": "RHEL7", "ip": 
"187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "exec_start: bash ", "Type": "container", "Actor": {"Attributes": {"image": "nginx", "name": "nginx_container", "maintainer": "NGINX Docker Maintainers ", "execID": "69819869eefb3795e2015b603a2f85d6f5f556e5776428b5360fc9dfe5bfce47"}, "ID": "ff2d3b3018f1a5d97655666b7754c222a76034d536ef1de451a02fb524579c77"}, "timeNano": "1587404196804128000.000000", "from": "nginx", "time": "1587404196", "status": "exec_start: bash "}}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"level": 3, "description": "Docker: Image or repository wazuh/wazuh pulled", "id": "87932", "firedtimes": 1, "mail": false, "groups": ["docker"], "pci_dss": ["10.2.7"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"status": "pull", "id": "wazuh/wazuh:3.9.2_7.1.1", "Type": "image", "Action": "pull", "Actor": {"ID": "wazuh/wazuh:3.9.2_7.1.1", "Attributes": {"name": "wazuh/wazuh"}}, "scope": "local", "time": "1563354346", "timeNano": "1563354346181027328.000000"}}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"level": 3, "description": "Docker: Image or repository wazuh/wazuh-elasticsearch pulled", "id": "87932", "firedtimes": 2, "mail": false, "groups": ["docker"], "pci_dss": ["10.2.7"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"status": "pull", "id": "wazuh/wazuh-elasticsearch:3.9.2_7.1.1", "Type": "image", "Action": "pull", "Actor": {"ID": 
"wazuh/wazuh-elasticsearch:3.9.2_7.1.1", "Attributes": {"license": "Elastic License", "name": "wazuh/wazuh-elasticsearch", "org": {"label-schema": {"build-date": "20190305", "license": "GPLv2", "name": "elasticsearch", "schema-version": "1.0", "url": "https://www.elastic.co/products/elasticsearch", "vcs-url": "https://github.com/elastic/elasticsearch", "vendor": "Elastic", "version": "7.1.1"}}}}, "scope": "local", "time": "1563354404", "timeNano": "1563354404067201536.000000"}}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"level": 3, "description": "Docker: Image or repository wazuh/wazuh-kibana pulled", "id": "87932", "firedtimes": 3, "mail": false, "groups": ["docker"], "pci_dss": ["10.2.7"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"status": "pull", "id": "wazuh/wazuh-kibana:3.9.2_7.1.1", "Type": "image", "Action": "pull", "Actor": {"ID": "wazuh/wazuh-kibana:3.9.2_7.1.1", "Attributes": {"license": "Elastic License", "name": "wazuh/wazuh-kibana", "org": {"label-schema": {"build-date": "20190305", "license": "GPLv2", "name": "kibana", "schema-version": "1.0", "url": "https://www.elastic.co/products/kibana", "vcs-url": "https://github.com/elastic/kibana", "vendor": "Elastic", "version": "7.1.1"}}}}, "scope": "local", "time": "1563354404", "timeNano": "1563354404067201536.000000"}}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"level": 3, "description": "Docker: Image or repository wazuh/wazuh-nginx pulled", "id": "87932", "firedtimes": 3, "mail": false, "groups": ["docker"], "pci_dss": ["10.2.7"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": 
{"integration": "docker", "docker": {"status": "pull", "id": "wazuh/wazuh-nginx:3.9.2_7.1.1", "Type": "image", "Action": "pull", "Actor": {"ID": "wazuh/wazuh-nginx:3.9.2_7.1.1", "Attributes": {"maintainer": "NGINX Docker Maintainers ", "name": "wazuh/wazuh-nginx"}}}, "scope": "local", "time": "1563354404", "timeNano": "1563354404067201536.000000"}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"level": 3, "description": "Docker: Network vagrant_default created", "id": "87930", "firedtimes": 1, "mail": false, "pci_dss": ["10.2.7"], "groups": ["docker"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Type": "network", "Action": "create", "Actor": {"ID": "80f3e2aad6cb19bcc14751551f4ea20037e41c07491a6cf4ccf093b978a8955c", "Attributes": {"name": "vagrant_default", "type": "bridge"}}, "scope": "local", "time": "1563354307", "timeNano": "1563354307459382528.000000"}}, "location": ""} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal Administrators.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": 
"Unusual console login seen from principal Administrators. Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "India", "location": {"lat": 19.0728302, "lon": 72.8826065}, "region_name": "Bombay", "city_name": "Bombay"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL Service.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "002", "name": "Amazon", 
"ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": 
"2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "India", "location": {"lat": 19.0728302, "lon": 72.8826065}, "region_name": "Bombay", "city_name": "Bombay"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK Service.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. 
Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "United States of America", "location": {"lat": 40.7142715, "lon": -74.0059662}, "region_name": "New York", "city_name": "New York"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal SYSTEM.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": 
"manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, 
"location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Australia", "location": {"lat": -33.8678513, "lon": 151.2073212}, "region_name": "Sydney", "city_name": "Sydney"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal ec2-user.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. 
Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "France", "location": {"lat": 48.8534088, "lon": 2.3487999}, "region_name": "Paris", "city_name": "Paris"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal root.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": 
{"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", 
"input": {"type": "log"}, "GeoLocation": {"country_name": "Canada", "location": {"lat": 49.2496605, "lon": -123.119339}, "region_name": "Vancouver", "city_name": "Vancouver"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal suricata.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 12}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. 
Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Brasil", "location": {"lat": -22.9064198, "lon": -43.1822319}, "region_name": "R\u00edo de Janeiro", "city_name": "R\u00edo de Janeiro"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal wazuh.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", 
"ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": 
"2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Brasil", "location": {"lat": -22.9064198, "lon": -43.1822319}, "region_name": "R\u00edo de Janeiro", "city_name": "R\u00edo de Janeiro"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"integration": "aws", "aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2020-04-22T11:17:08Z", "instanceId": "i-0b0b8b34a48c8f1c4", "networkInterfaces": {"networkInterfaceId": "eni-01e777fb9acd548e4", "subnetId": "subnet-7930da22", "vpcId": "vpc-68e3c60f", "privateDnsName": "ip-10-0-2-2.ec2.internal", "publicIp": "40.220.125.204", "publicDnsName": "ec2-40.220.125.204.compute-1.amazonaws.com", "privateIpAddress": "10.0.2.2"}, "instanceState": "running", "imageId": "ami-0ff8a91507f77f900", "instanceType": "t2.small", "imageDescription": "Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2", "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOCBIG", "arn": "arn:aws:iam::186154171780:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1a"}}, "description": "EC2 instance i-0b0b8b34a48c8f1c4 is communicating with a remote host on an unusual server port 5060.", "source": "guardduty", "type": "Behavior:EC2/NetworkPortUnusual", "title": "Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.", "accountId": "18773455640", "createdAt": 
"2024-07-01T05:44:59.824Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "ACTOR", "detectorId": "cab38390b728c06fb2897dfcebffc80d", "eventFirstSeen": "2024-07-01T05:44:59.824Z", "eventLastSeen": "2024-07-04T05:44:59.824Z", "additionalInfo": {"localPort": "2222", "outBytes": "2524", "inBytes": "7187", "unusual": "1323"}, "count": "3251", "action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {"localIpDetails": {"ipAddressV4": "10.0.2.2"}, "protocol": "TCP", "blocked": "false", "connectionDirection": "OUTBOUND", "localPortDetails": {"port": "36220", "portName": "Unknown"}, "remotePortDetails": {"port": "5050", "portName": "Unknown"}, "remoteIpDetails": {"country": {"countryName": "Italy"}, "city": {"cityName": "Palermo"}, "geoLocation": {"lon": "13.334100", "lat": "38.129000"}, "organization": {"asnOrg": "Net Connections", "org": "Net Connections", "isp": "Net Connections", "asn": "1547"}, "ipAddressV4": "75.0.101.245"}}}, "serviceName": "guardduty"}, "id": "06b8d0602d109db1282f9143809f80b8", "region": "ap-east-1", "arn": "arn:aws:guardduty:ap-northeast-3:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8", "updatedAt": "2020-04-22T07:18:12.778Z", "log_info": {"s3bucket": "aws-sample-bucket-3", "log_file": "guardduty/2024/07/04/05/firehose_guardduty-1-2024-07-04-05-44-59-824b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Spain", "location": {"lat": 37.1881714, "lon": -3.6066699}, "region_name": "Andaluc\u00eda", "city_name": "Granada"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "001", "name": "RHEL7", "ip": 
"187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"integration": "aws", "aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2020-04-22T11:17:08Z", "instanceId": "i-0b0b8b34a48c8f1c4", "networkInterfaces": {"networkInterfaceId": "eni-01e777fb9acd548e4", "subnetId": "subnet-7930da22", "vpcId": "vpc-68e3c60f", "privateDnsName": "ip-10-0-2-2.ec2.internal", "publicIp": "40.220.125.204", "publicDnsName": "ec2-40.220.125.204.compute-1.amazonaws.com", "privateIpAddress": "10.0.2.2"}, "instanceState": "running", "imageId": "ami-0ff8a91507f77f900", "instanceType": "t2.small", "imageDescription": "Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2", "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOCBIG", "arn": "arn:aws:iam::186154171780:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1a"}}, "description": "EC2 instance i-0b0b8b34a48c8f1c4 is communicating with a remote host on an unusual server port 5060.", "source": "guardduty", "type": "Behavior:EC2/NetworkPortUnusual", "title": "Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.", "accountId": "18773455640", "createdAt": "2024-07-01T05:44:59.824Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "ACTOR", "detectorId": "cab38390b728c06fb2897dfcebffc80d", "eventFirstSeen": "2024-07-01T05:44:59.824Z", "eventLastSeen": "2024-07-04T05:44:59.824Z", "additionalInfo": {"localPort": "2222", "outBytes": "2524", "inBytes": "7187", "unusual": "1323"}, "count": "3251", "action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {"localIpDetails": {"ipAddressV4": "10.0.2.2"}, "protocol": "TCP", "blocked": "false", "connectionDirection": "OUTBOUND", "localPortDetails": {"port": "36220", "portName": "Unknown"}, "remotePortDetails": {"port": "5050", 
"portName": "Unknown"}, "remoteIpDetails": {"country": {"countryName": "Italy"}, "city": {"cityName": "Palermo"}, "geoLocation": {"lon": "13.334100", "lat": "38.129000"}, "organization": {"asnOrg": "Net Connections", "org": "Net Connections", "isp": "Net Connections", "asn": "1547"}, "ipAddressV4": "75.0.101.245"}}}, "serviceName": "guardduty"}, "id": "06b8d0602d109db1282f9143809f80b8", "region": "ap-east-1", "arn": "arn:aws:guardduty:ap-northeast-3:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8", "updatedAt": "2020-04-22T07:18:12.778Z", "log_info": {"s3bucket": "aws-sample-bucket-3", "log_file": "guardduty/2024/07/04/05/firehose_guardduty-1-2024-07-04-05-44-59-824b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Germany", "location": {"lat": 52.524, "lon": 13.411}, "region_name": "Berlin", "city_name": "Berlin"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": true, "level": 12, "description": "AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts", "groups": ["amazon", "aws", "aws_macie"], "id": "80355", "firedtimes": 10}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "CRITICAL", "actor": "resources.wazuh.sample.com", "summary": {"Timestamps": "2024-06-27T08:55:29.145Z", "Description": "S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts", "Bucket": "resources.wazuh.sample.com,", "Record Count": "1", "Event Count": "1", "recipientAccountId": "166157441400", "ACL": {"resources": {"wazuh": {"com": {"Owner": {"DisplayName": "wazuh", "ID": "3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}}, "risk-score": "9", "notification-type": "ALERT_CREATED", "name": "S3 Bucket IAM policy grants global read rights", "created-at": "2024-06-27T08:55:29.145Z", "source": "macie", "url": "https://mt.eu-west-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aeu-west-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded", "tags": {"value": "Open Permissions,Basic Alert,"}, "alert-arn": "arn:aws:macie:eu-west-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed", "region": "ap-southeast-1", "log_info": {"s3bucket": "aws-sample-bucket-9", "log_file": "macie/2024/06/30/08/firehose_macie-1-2024-06-30-08-55-29-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2024-06-30-08-55-29-145b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Canada", "location": {"lat": 49.2496605, "lon": -123.119339}, "region_name": "Vancouver", "city_name": "Vancouver"}} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0050-ms-exchange_rules.xml", "relative_dirname": "ruleset/rules", "id": 3852, "level": 9, "status": "enabled", "details": {"frequency": "14", "timeframe": "120", "ignore": "240", "if_matched_sid": "3802", "same_source_ip": ""}, "pci_dss": ["10.6.1"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], 
"tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "ms", "exchange"], "description": "ms-exchange: Multiple e-mail 500 error code (spam)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3306, "level": 6, "status": "enabled", "details": {"if_sid": "3301, 3302", "match": " blocked using "}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: IP Address black-listed by anti-spam (blocked)."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0075-cisco-ios_rules.xml", "relative_dirname": "ruleset/rules", "id": 4722, "level": 3, "status": "enabled", "details": {"if_sid": "4715", "id": "^%SEC_LOGIN-5-LOGIN_SUCCESS"}, "pci_dss": ["10.2.5"], "gpg13": ["3.6"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "cisco_ios"], "description": "Cisco IOS: Successful login to the router."}, "agent": 
{"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0080-sonicwall_rules.xml", "relative_dirname": "ruleset/rules", "id": 4851, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "ignore": "60", "if_matched_sid": "4803"}, "pci_dss": ["10.6.1"], "gpg13": ["3.5"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["service_availability", "syslog", "sonicwall"], "description": "SonicWall: Multiple firewall error messages."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4386, "level": 10, "status": "enabled", "details": {"frequency": "10", "timeframe": "240", "if_matched_sid": "4334", "same_source_ip": ""}, "pci_dss": ["11.4", "10.2.4", "10.2.5"], "gpg13": ["7.1"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["SI.4", "AU.14", "AC.7"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access", "Initial Access"], "id": ["T1110", "T1133"], "technique": ["Brute Force", "External Remote Services"]}, "groups": ["authentication_failures", "syslog", "pix"], "description": "PIX: Multiple AAA (VPN) authentication failures."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": 
"wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3353, "level": 10, "status": "enabled", "details": {"frequency": "$POSTFIX_FREQ", "timeframe": "120", "if_matched_sid": "3303", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "postfix"], "description": "Postfix: Multiple attempts to send e-mail from invalid/unknown sender domain."}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0045-mailscanner_rules.xml", "relative_dirname": "ruleset/rules", "id": 3751, "level": 6, "status": "enabled", "details": {"frequency": "8", "timeframe": "180", "if_matched_sid": "3702", "same_source_ip": ""}, "pci_dss": ["10.6.1"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access", "Collection"], "id": ["T1110", "T1114"], "technique": ["Brute Force", "Email Collection"]}, "groups": ["multiple_spam", "syslog", "mailscanner"], "description": "mailscanner: Multiple attempts of spam."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, 
"location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3151, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "if_matched_sid": "3102", "same_source_ip": ""}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "sendmail"], "description": "sendmail: Sender domain has bogus MX record. It should not be sending e-mail."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3158, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "if_matched_sid": "3108", "same_source_ip": ""}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "sendmail"], "description": "sendmail: Multiple pre-greetings rejects."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0095-sshd_rules.xml", "relative_dirname": "ruleset/rules", "id": 5703, "level": 10, 
"status": "enabled", "details": {"frequency": "6", "timeframe": "360", "if_matched_sid": "5702", "same_source_ip": ""}, "pci_dss": ["11.4"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["syslog", "sshd"], "description": "sshd: Possible breakin attempt (high number of reverse lookup errors)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0070-netscreenfw_rules.xml", "relative_dirname": "ruleset/rules", "id": 4507, "level": 8, "status": "enabled", "details": {"if_sid": "4502", "id": "^00515"}, "pci_dss": ["10.2.5", "10.2.2"], "gpg13": ["7.8"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "AC.6"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "netscreenfw"], "description": "Netscreen firewall: Successfull admin login"}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5302, "level": 9, "status": "enabled", "details": {"if_sid": "5301", "user": "^root"}, "pci_dss": ["10.2.4", "10.2.5"], "gpg13": ["7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"], "mitre": {"tactic": 
["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["authentication_failed", "syslog", "su"], "description": "User missed the password to change UID to root."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0070-netscreenfw_rules.xml", "relative_dirname": "ruleset/rules", "id": 4550, "level": 10, "status": "enabled", "details": {"frequency": "6", "timeframe": "180", "ignore": "60", "if_matched_sid": "4503", "same_source_ip": ""}, "pci_dss": ["1.4", "10.6.1", "11.4"], "gpg13": ["4.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.a.1", "164.312.b"], "nist_800_53": ["SC.7", "AU.6", "SI.4"], "tsc": ["CC6.7", "CC6.8", "CC7.2", "CC7.3", "CC6.1"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["netscreenfw"], "description": "Netscreen firewall: Multiple critical messages from same source IP."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0070-netscreenfw_rules.xml", "relative_dirname": "ruleset/rules", "id": 4551, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "180", "ignore": "60", "if_matched_sid": "4503"}, "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["netscreenfw"], "description": "Netscreen firewall: Multiple critical messages."}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": 
"1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0040-imapd_rules.xml", "relative_dirname": "ruleset/rules", "id": 3602, "level": 3, "status": "enabled", "details": {"if_sid": "3600", "match": "Authenticated user="}, "pci_dss": ["10.2.5"], "gpg13": ["7.1"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "imapd"], "description": "Imapd user login."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2960, "level": 2, "status": "enabled", "details": {"decoded_as": "gpasswd", "match": "added by"}, "gpg13": ["7.9", "4.13"], "gdpr": ["IV_32.2"], "mitre": {"tactic": ["Persistence"], "id": ["T1136"], "technique": ["Create Account"]}, "groups": ["syslog", "yum"], "description": "User added to group."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5403, "level": 4, "status": "enabled", "details": {"if_sid": "5400", "if_fts": ""}, "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "sudo"], "description": "First time user executed sudo."}, "agent": 
{"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5402, "level": 3, "status": "enabled", "details": {"if_sid": "5400", "regex": " ; USER=root ; COMMAND=| ; USER=root ; TSID=S+ ; COMMAND="}, "pci_dss": ["10.2.5", "10.2.2"], "gpg13": ["7.6", "7.8", "7.13"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "AC.6"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "sudo"], "description": "Successful sudo to ROOT executed."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3105, "level": 5, "status": "enabled", "details": {"if_sid": "3101", "match": "reject=553 5.1.8 "}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "sendmail"], "description": "sendmail: Sender domain is not found (553: Requested action not taken)."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": 
"0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3153, "level": 6, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "if_matched_sid": "3104", "same_source_ip": ""}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "sendmail"], "description": "sendmail: Multiple relaying attempts of spam."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3108, "level": 6, "status": "enabled", "details": {"if_sid": "3100", "match": "rejecting commands from"}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "sendmail"], "description": "sendmail: Sendmail rejected due to pre-greeting."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0090-telnetd_rules.xml", "relative_dirname": "ruleset/rules", "id": 5601, "level": 5, "status": "enabled", "details": {"if_sid": "5600", "match": "refused connect from "}, "gdpr": ["IV_35.7.d"], "mitre": {"tactic": ["Command and Control"], "id": ["T1095"], "technique": ["Standard Non-Application Layer 
Protocol"]}, "groups": ["syslog", "telnetd"], "description": "telnetd: Connection refused by TCP Wrappers."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3398, "level": 6, "status": "enabled", "details": {"if_sid": "3395", "match": "MAIL|does not resolve to address"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: Illegal address from unknown sender"}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3302, "level": 6, "status": "enabled", "details": {"if_sid": "3300", "id": "^550$"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: Rejected by access list (Requested action not taken)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": 
"/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5404, "level": 10, "status": "enabled", "details": {"if_sid": "5401", "match": "3 incorrect password attempts"}, "pci_dss": ["10.2.4", "10.2.5"], "gpg13": ["7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "sudo"], "description": "Three failed attempts to run sudo"}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2502, "level": 10, "status": "enabled", "details": {"match": "more authentication failures;|REPEATED login failures"}, "pci_dss": ["10.2.4", "10.2.5"], "gpg13": ["7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["authentication_failed", "syslog", "access_control"], "description": "syslog: User missed the password more than one time"}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5103, "level": 9, "status": "enabled", "details": {"if_sid": "5100", 
"match": "Oversized packet received from"}, "gdpr": ["IV_35.7.d"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["syslog", "linuxkernel"], "description": "Error message from the kernel. Ping of death attack."}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3191, "level": 6, "status": "enabled", "details": {"if_sid": "3190", "match": "^sender check failed|^sender check tempfailed"}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["smf-sav", "spam", "syslog", "sendmail"], "description": "sendmail: SMF-SAV sendmail milter unable to verify address (REJECTED)."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5401, "level": 5, "status": "enabled", "details": {"if_sid": "5400", "match": "incorrect password attempt"}, "pci_dss": ["10.2.4", "10.2.5"], "gpg13": ["7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "sudo"], "description": "Failed attempt to run sudo."}, "agent": {"id": "003", "name": 
"ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3354, "level": 12, "status": "enabled", "details": {"frequency": "$POSTFIX_FREQ", "timeframe": "120", "if_matched_sid": "3304", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["multiple_spam", "syslog", "postfix"], "description": "Postfix: Multiple misuse of SMTP service (bad sequence of commands)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4342, "level": 8, "status": "enabled", "details": {"if_sid": "4314", "id": "^5-502101|^5-502102"}, "pci_dss": ["8.1.2", "10.2.5"], "gpg13": ["4.13"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.a.2.I", "164.312.a.2.II", "164.312.b"], "nist_800_53": ["AC.2", "IA.4", "AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Defense Evasion", "Initial Access"], "id": ["T1089", "T1133"], "technique": ["Disabling Security Tools", "External Remote Services"]}, "groups": ["adduser", "account_changed", "syslog", "pix"], "description": "PIX: User created or modified on the Firewall."}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, 
"manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3102, "level": 5, "status": "enabled", "details": {"if_sid": "3101", "match": "reject=451 4.1.8 "}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "sendmail"], "description": "sendmail: Sender domain does not have any valid MX record (Requested action aborted)."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3154, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "if_matched_sid": "3105", "same_source_ip": ""}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "sendmail"], "description": "sendmail: Multiple attempts to send e-mail from invalid/unknown sender domain."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": 
"0085-pam_rules.xml", "relative_dirname": "ruleset/rules", "id": 5501, "level": 3, "status": "enabled", "details": {"if_sid": "5500", "match": "session opened for user "}, "pci_dss": ["10.2.5"], "gpg13": ["7.8", "7.9"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "pam", "syslog"], "description": "PAM: Login session opened."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3304, "level": 5, "status": "enabled", "details": {"if_sid": "3300", "id": "^503$"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: Improper use of SMTP command pipelining (503: Bad sequence of commands)."}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3152, "level": 6, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "if_matched_sid": "3103", "same_source_ip": ""}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", 
"CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "sendmail"], "description": "sendmail: Multiple attempts to send e-mail from a previously rejected sender (access)."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3303, "level": 5, "status": "enabled", "details": {"if_sid": "3300", "id": "^450$"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: Sender domain is not found (450: Requested mail action not taken)."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4340, "level": 8, "status": "enabled", "details": {"if_sid": "4314", "id": "^5-111005|^5-111004|^5-111002|^5-111007"}, "pci_dss": ["1.1.1", "10.4"], "gpg13": ["4.13"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.a.1", "164.312.b"], "nist_800_53": ["CM.3", "CM.5", "AU.8"], "tsc": ["CC8.1", "CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Defense Evasion"], "id": ["T1089"], "technique": ["Disabling Security Tools"]}, "groups": ["config_changed", "syslog", "pix"], 
"description": "PIX: Firewall configuration changed."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3396, "level": 6, "status": "enabled", "details": {"if_sid": "3395", "match": "verification"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: hostname verification failed"}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4335, "level": 3, "status": "enabled", "details": {"if_sid": "4314", "id": "^6-113004"}, "pci_dss": ["10.2.5"], "gpg13": ["7.1", "7.2"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "pix"], "description": "PIX: AAA (VPN) authentication successful."}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": 
{"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2833, "level": 8, "status": "enabled", "details": {"if_sid": "2832", "match": "^(root)"}, "pci_dss": ["10.2.7", "10.6.1", "10.2.2"], "gpg13": ["4.13"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AU.6", "AC.6"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "cron"], "description": "Root's crontab entry changed."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3103, "level": 6, "status": "enabled", "details": {"if_sid": "3101", "match": "reject=550 5.0.0 |reject=553 5.3.0"}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "sendmail"], "description": "sendmail: Rejected by access list (55x: Requested action not taken)."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2961, "level": 5, "status": "enabled", "details": {"if_sid": "2960", "group": "sudo"}, "gpg13": ["7.9", "4.13"], "gdpr": ["IV_32.2"], "mitre": {"tactic": ["Persistence"], "id": ["T1136"], "technique": ["Create Account"]}, "groups": ["syslog", "yum"], 
"description": "User added to group sudo."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3351, "level": 6, "status": "enabled", "details": {"frequency": "$POSTFIX_FREQ", "timeframe": "90", "if_matched_sid": "3301", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "postfix"], "description": "Postfix: Multiple relaying attempts of spam."}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5304, "level": 3, "status": "enabled", "details": {"if_sid": "5300", "regex": ["session opened for user|succeeded for|", "^+|^S+ to |^SU S+ S+ + "]}, "pci_dss": ["10.2.5"], "gpg13": ["7.6", "7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "su"], "description": "User successfully changed UID."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": 
"wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0050-ms-exchange_rules.xml", "relative_dirname": "ruleset/rules", "id": 3851, "level": 9, "status": "enabled", "details": {"frequency": "12", "timeframe": "120", "ignore": "120", "if_matched_sid": "3801", "same_source_ip": ""}, "pci_dss": ["10.6.1"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "ms", "exchange"], "description": "ms-exchange: Multiple e-mail attempts to an invalid account."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5132, "level": 11, "status": "enabled", "details": {"if_sid": "5100", "match": "module verification failed"}, "mitre": {"tactic": ["Persistence"], "id": ["T1215"], "technique": ["Kernel Modules and Extensions"]}, "groups": ["syslog", "linuxkernel"], "description": "Unsigned kernel module was loaded"}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0090-telnetd_rules.xml", "relative_dirname": "ruleset/rules", "id": 5631, "level": 10, "status": "enabled", "details": {"frequency": "6", "timeframe": "120", "if_matched_sid": 
"5602", "same_source_ip": ""}, "gdpr": ["IV_35.7.d", "IV_32.2"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["syslog", "telnetd"], "description": "telnetd: Multiple connection attempts from same source (possible scan)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4339, "level": 8, "status": "enabled", "details": {"if_sid": "4314", "id": "^5-111003"}, "pci_dss": ["1.1.1", "10.4"], "gpg13": ["4.13"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.a.1", "164.312.b"], "nist_800_53": ["CM.3", "CM.5", "AU.8"], "tsc": ["CC8.1", "CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Defense Evasion"], "id": ["T1089"], "technique": ["Disabling Security Tools"]}, "groups": ["config_changed", "syslog", "pix"], "description": "PIX: Firewall configuration deleted."}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0095-sshd_rules.xml", "relative_dirname": "ruleset/rules", "id": 5701, "level": 8, "status": "enabled", "details": {"if_sid": "5700", "match": "Bad protocol version identification"}, "pci_dss": ["11.4"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1190"], "technique": ["Exploit Public-Facing Application"]}, "groups": ["recon", "syslog", "sshd"], "description": "sshd: Possible attack 
on the ssh server (or version gathering)."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0040-imapd_rules.xml", "relative_dirname": "ruleset/rules", "id": 3651, "level": 10, "status": "enabled", "details": {"frequency": "$IMAPD_FREQ", "timeframe": "120", "if_matched_sid": "3601", "same_source_ip": ""}, "pci_dss": ["10.2.4", "10.2.5", "11.4"], "gpg13": ["7.1"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["authentication_failures", "syslog", "imapd"], "description": "Imapd Multiple failed logins from same source ip."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5407, "level": 3, "status": "enabled", "details": {"if_sid": "5400", "regex": " ; USER=S+ ; COMMAND=| ; USER=S+ ; TSID=S+ ; COMMAND="}, "pci_dss": ["10.2.5", "10.2.2"], "gpg13": ["7.6", "7.8", "7.13"], "gdpr": ["IV_32.2"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "sudo"], "description": "Successful sudo executed."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": 
"/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3155, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "if_matched_sid": "3106", "same_source_ip": ""}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "sendmail"], "description": "sendmail: Multiple attempts to send e-mail from invalid/unknown sender."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3156, "level": 10, "status": "enabled", "details": {"frequency": "12", "timeframe": "120", "if_matched_sid": "3107", "same_source_ip": ""}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "sendmail"], "description": "sendmail: Multiple rejected e-mails from same source ip."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0055-courier_rules.xml", "relative_dirname": "ruleset/rules", "id": 3911, "level": 10, 
"status": "enabled", "details": {"frequency": "17", "timeframe": "30", "if_matched_sid": "3901", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["recon", "syslog", "courier"], "description": "Courier: Multiple connection attempts from same source."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 1003, "level": 13, "status": "enabled", "details": {"maxsize": "1025", "noalert": "1"}, "gpg13": ["4.3"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["syslog", "errors"], "description": "Non standard syslog message (size too large)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0080-sonicwall_rules.xml", "relative_dirname": "ruleset/rules", "id": 4810, "level": 3, "status": "enabled", "details": {"if_sid": "4806", "id": "^236$"}, "pci_dss": ["10.2.5"], "gpg13": ["3.6"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "sonicwall"], "description": "SonicWall: Firewall administrator login."}, "agent": 
{"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0070-netscreenfw_rules.xml", "relative_dirname": "ruleset/rules", "id": 4509, "level": 8, "status": "enabled", "details": {"if_sid": "4504", "id": "^00767"}, "pci_dss": ["1.1.1"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.a.1"], "nist_800_53": ["CM.3", "CM.5"], "tsc": ["CC8.1"], "mitre": {"tactic": ["Defense Evasion"], "id": ["T1089"], "technique": ["Disabling Security Tools"]}, "groups": ["config_changed", "netscreenfw"], "description": "Netscreen firewall: configuration changed."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2503, "level": 5, "status": "enabled", "details": {"regex": ["^refused connect from|", "^libwrap refused connection|", "Connection from S+ denied"]}, "pci_dss": ["10.2.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Command and Control"], "id": ["T1095"], "technique": ["Standard Non-Application Layer Protocol"]}, "groups": ["access_denied", "syslog", "access_control"], "description": "syslog: Connection blocked by Tcp Wrappers."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": 
"{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3352, "level": 6, "status": "enabled", "details": {"frequency": "$POSTFIX_FREQ", "timeframe": "120", "if_matched_sid": "3302", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "postfix"], "description": "Postfix: Multiple attempts to send e-mail from a rejected sender IP (access)."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0095-sshd_rules.xml", "relative_dirname": "ruleset/rules", "id": 5706, "level": 6, "status": "enabled", "details": {"if_sid": "5700", "match": "Did not receive identification string from"}, "pci_dss": ["11.4"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Command and Control"], "id": ["T1043"], "technique": ["Commonly Used Port"]}, "groups": ["recon", "syslog", "sshd"], "description": "sshd: insecure connection attempt (scan)."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5303, "level": 3, "status": "enabled", "details": {"if_sid": "5300", "regex": ["session opened for user root|^'su 
root'|", "^+ S+ S+proot$|^S+ to root on|^SU S+ S+ + S+ S+-root$"]}, "pci_dss": ["10.2.5"], "gpg13": ["7.6", "7.8", "7.9"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "su"], "description": "User successfully changed UID to root."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4323, "level": 3, "status": "enabled", "details": {"if_sid": "4314", "id": "^6-605005"}, "pci_dss": ["10.2.5"], "gpg13": ["7.8"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "pix"], "description": "PIX: Successful login."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2504, "level": 9, "status": "enabled", "details": {"match": "ILLEGAL ROOT LOGIN|ROOT LOGIN REFUSED"}, "pci_dss": ["10.2.4", "10.2.5", "10.2.2"], "gpg13": ["7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "AC.6"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Privilege Escalation"], "id": 
["T1169"], "technique": ["Sudo"]}, "groups": ["invalid_login", "syslog", "access_control"], "description": "syslog: Illegal root login."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5113, "level": 7, "status": "enabled", "details": {"if_sid": "5100", "match": "Kernel log daemon terminating"}, "pci_dss": ["10.6.1"], "gpg13": ["4.14"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1529"], "technique": ["System Shutdown/Reboot"]}, "groups": ["system_shutdown", "syslog", "linuxkernel"], "description": "System is shutting down."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2301, "level": 10, "status": "enabled", "details": {"match": "^Deactivating service "}, "pci_dss": ["10.6.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["syslog", "xinetd"], "description": "xinetd: Excessive number connections to a service."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", 
"@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3301, "level": 6, "status": "enabled", "details": {"if_sid": "3300", "id": "^554$"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: Attempt to use mail server as relay (client host rejected)."}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5405, "level": 5, "status": "enabled", "details": {"if_sid": "5400", "match": "user NOT in sudoers"}, "pci_dss": ["10.2.2", "10.2.5"], "gpg13": ["7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.6", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "sudo"], "description": "Unauthorized user attempted to use sudo."}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0070-netscreenfw_rules.xml", "relative_dirname": "ruleset/rules", "id": 4505, "level": 11, "status": "enabled", "details": {"if_sid": "4503", "id": "^00027"}, "pci_dss": ["1.4", "10.6.1"], "gdpr": ["IV_35.7.d"], 
"hipaa": ["164.312.a.1", "164.312.b"], "nist_800_53": ["SC.7", "AU.6"], "tsc": ["CC6.7", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1485"], "technique": ["Data Destruction"]}, "groups": ["service_availability", "netscreenfw"], "description": "Netscreen Erase sequence started."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0095-sshd_rules.xml", "relative_dirname": "ruleset/rules", "id": 5705, "level": 10, "status": "enabled", "details": {"frequency": "6", "timeframe": "360", "if_matched_sid": "5704"}, "pci_dss": ["11.4"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access", "Credential Access"], "id": ["T1190", "T1110"], "technique": ["Exploit Public-Facing Application", "Brute Force"]}, "groups": ["syslog", "sshd"], "description": "sshd: Possible scan or breakin attempt (high number of login timeouts)."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0055-courier_rules.xml", "relative_dirname": "ruleset/rules", "id": 3904, "level": 3, "status": "enabled", "details": {"if_sid": "3900", "match": "^LOGIN,"}, "pci_dss": ["10.2.5"], "gpg13": ["7.1", "7.2"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "courier"], "description": 
"Courier (imap/pop3) authentication success."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2964, "level": 10, "status": "enabled", "details": {"frequency": "4", "timeframe": "30", "if_matched_sid": "2963", "same_source_ip": ""}, "pci_dss": ["11.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["recon", "syslog", "perdition"], "description": "perdition: Multiple connection attempts from same source."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3330, "level": 10, "status": "enabled", "details": {"ignore": "240", "if_sid": "3320", "match": ["defer service failure|Resource temporarily unavailable|", "^fatal: the Postfix mail system is not running"]}, "pci_dss": ["10.6.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["service_availability", "syslog", "postfix"], "description": "Postfix process error."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", 
"@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3106, "level": 5, "status": "enabled", "details": {"if_sid": "3101", "match": "reject=553 5.5.4 "}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "sendmail"], "description": "sendmail: Sender address does not have domain (553: Requested action not taken)."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4337, "level": 8, "status": "enabled", "details": {"if_sid": "4312", "id": "^3-201008"}, "pci_dss": ["10.6.1"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1133"], "technique": ["External Remote Services"]}, "groups": ["service_availability", "syslog", "pix"], "description": "PIX: The PIX is disallowing new connections."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3104, "level": 6, "status": "enabled", "details": {"if_sid": "3101", "match": "reject=550 5.7.1 "}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": 
["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "sendmail"], "description": "sendmail: Attempt to use mail server as relay (550: Requested action not taken)."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5108, "level": 12, "status": "enabled", "details": {"if_sid": "5100", "match": "Out of Memory: "}, "pci_dss": ["10.6.1"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["service_availability", "syslog", "linuxkernel"], "description": "System running out of memory. 
Availability of the system is in risk."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4336, "level": 8, "status": "enabled", "details": {"if_sid": "4314", "id": "^6-113006"}, "pci_dss": ["10.2.4", "10.2.5"], "gpg13": ["7.1", "7.5"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1133"], "technique": ["External Remote Services"]}, "groups": ["authentication_failed", "syslog", "pix"], "description": "PIX: AAA (VPN) user locked out."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3355, "level": 10, "status": "enabled", "details": {"frequency": "$POSTFIX_FREQ", "timeframe": "120", "if_matched_sid": "3305", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "postfix"], "description": "Postfix: Multiple attempts to send e-mail to invalid recipient or from unknown sender domain."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, 
"cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3397, "level": 6, "status": "enabled", "details": {"if_sid": "3395", "match": "RBL"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: RBL lookup error: Host or domain name not found"}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3305, "level": 5, "status": "enabled", "details": {"if_sid": "3300", "id": "^504$"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: Recipient address must contain FQDN (504: Command parameter not implemented)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3356, "level": 10, "status": "enabled", 
"details": {"frequency": "$POSTFIX_FREQ", "timeframe": "120", "ignore": "30", "if_matched_sid": "3306", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "postfix"], "description": "Postfix: Multiple attempts to send e-mail from black-listed IP address (blocked)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5133, "level": 11, "status": "enabled", "details": {"if_sid": "5100", "match": "PKCS#7 signature not signed with a trusted key"}, "mitre": {"tactic": ["Persistence"], "id": ["T1215"], "technique": ["Kernel Modules and Extensions"]}, "groups": ["syslog", "linuxkernel"], "description": "Signed but untrusted kernel module was loaded"}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3357, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "ignore": "60", "if_matched_sid": "3332", "same_source_ip": ""}, "pci_dss": ["10.2.4", "10.2.5", "11.4"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential 
Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["authentication_failures", "syslog", "postfix"], "description": "Postfix: Multiple SASL authentication failures."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2551, "level": 10, "status": "enabled", "details": {"if_sid": "2550", "regex": "^Connection from S+ on illegal port$"}, "pci_dss": ["10.6.1"], "gpg13": ["7.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Discovery"], "id": ["T1046"], "technique": ["Network Service Scanning"]}, "groups": ["connection_attempt", "syslog", "access_control"], "description": "Connection to rshd from unprivileged port. 
Possible network scan."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0055-courier_rules.xml", "relative_dirname": "ruleset/rules", "id": 3910, "level": 10, "status": "enabled", "details": {"frequency": "12", "timeframe": "30", "if_matched_sid": "3902", "same_source_ip": ""}, "pci_dss": ["10.2.4", "10.2.5", "11.4"], "gpg13": ["7.1"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["authentication_failures", "syslog", "courier"], "description": "Courier brute force (multiple failed logins)."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4325, "level": 8, "status": "enabled", "details": {"if_sid": "4313", "id": "^4-405001"}, "pci_dss": ["10.6.1"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Command and Control"], "id": ["T1095"], "technique": ["Standard Non-Application Layer Protocol"]}, "groups": ["syslog", "pix"], "description": "PIX: ARP collision detected."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} 
+{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5104, "level": 8, "status": "enabled", "details": {"if_sid": "5100", "regex": ["Promiscuous mode enabled|", "device S+ entered promiscuous mode"]}, "pci_dss": ["10.6.1", "11.4"], "gpg13": ["4.13"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Discovery"], "id": ["T1040"], "technique": ["Network Sniffing"]}, "groups": ["promisc", "syslog", "linuxkernel"], "description": "Interface entered in promiscuous(sniffing) mode."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0085-pam_rules.xml", "relative_dirname": "ruleset/rules", "id": 5551, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "180", "if_matched_sid": "5503", "same_source_ip": ""}, "pci_dss": ["10.2.4", "10.2.5", "11.4"], "gpg13": ["7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["authentication_failures", "pam", "syslog"], "description": "PAM: Multiple failed logins in a small period of time."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} +{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3335, 
"level": 6, "status": "enabled", "details": {"if_sid": "3320", "match": "^too many "}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: too many errors after RCPT from unknown"}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} diff --git a/release-notes/wazuh.release-notes-4.9.1.md b/release-notes/wazuh.release-notes-4.9.1.md new file mode 100644 index 0000000000000..16a3f82a18226 --- /dev/null +++ b/release-notes/wazuh.release-notes-4.9.1.md @@ -0,0 +1,19 @@ +## 2024-10-15 Version 4.9.1 Release Notes + +## [4.9.1] +### Added +- + +### Dependencies +- + +### Changed +* Update SECURITY.md in https://github.com/wazuh/wazuh-indexer/pull/415 +* Change the date in the RPM spec file to avoid packaging errors in https://github.com/wazuh/wazuh-indexer/pull/338 +* Upgrade third-party integrations to the latest product versions in https://github.com/wazuh/wazuh-indexer/pull/368 +* Remove unused fields from the vulnerabilities index template in https://github.com/wazuh/wazuh-indexer/pull/369 +* Update RPM spec file to avoid overwriting modified config files in https://github.com/wazuh/wazuh-indexer/pull/410 + +### Fixed +* Fix Splunk integration dashboards in https://github.com/wazuh/wazuh-indexer/pull/362 +* Fix Performance Analyzer service file in https://github.com/wazuh/wazuh-indexer/pull/391 diff --git a/scripts/build.sh b/scripts/build.sh deleted file mode 100755 index a0917776507be..0000000000000 --- a/scripts/build.sh +++ /dev/null 
@@ -1,161 +0,0 @@ -#!/bin/bash - -# Copyright OpenSearch Contributors -# SPDX-License-Identifier: Apache-2.0 -# -# The OpenSearch Contributors require contributions made to -# this file be licensed under the Apache-2.0 license or a -# compatible open source license. - -set -ex - -function usage() { - echo "Usage: $0 [args]" - echo "" - echo "Arguments:" - echo -e "-v VERSION\t[Required] OpenSearch version." - echo -e "-q QUALIFIER\t[Optional] Version qualifier." - echo -e "-s SNAPSHOT\t[Optional] Build a snapshot, default is 'false'." - echo -e "-p PLATFORM\t[Optional] Platform, default is 'uname -s'." - echo -e "-a ARCHITECTURE\t[Optional] Build architecture, default is 'uname -m'." - echo -e "-d DISTRIBUTION\t[Optional] Distribution, default is 'tar'." - echo -e "-o OUTPUT\t[Optional] Output path, default is 'artifacts'." - echo -e "-h help" -} - -while getopts ":h:v:q:s:o:p:a:d:" arg; do - case $arg in - h) - usage - exit 1 - ;; - v) - VERSION=$OPTARG - ;; - q) - QUALIFIER=$OPTARG - ;; - s) - SNAPSHOT=$OPTARG - ;; - o) - OUTPUT=$OPTARG - ;; - p) - PLATFORM=$OPTARG - ;; - a) - ARCHITECTURE=$OPTARG - ;; - d) - DISTRIBUTION=$OPTARG - ;; - :) - echo "Error: -${OPTARG} requires an argument" - usage - exit 1 - ;; - ?) - echo "Invalid option: -${arg}" - exit 1 - ;; - esac -done - -if [ -z "$VERSION" ]; then - echo "Error: You must specify the OpenSearch version" - usage - exit 1 -fi - -[ -z "$OUTPUT" ] && OUTPUT=artifacts - -mkdir -p $OUTPUT/maven/org/opensearch - -# Build project and publish to maven local. -./gradlew publishToMavenLocal -Dbuild.snapshot=$SNAPSHOT -Dbuild.version_qualifier=$QUALIFIER - -# Publish to existing test repo, using this to stage release versions of the artifacts that can be released from the same build. 
-./gradlew publishNebulaPublicationToTestRepository -Dbuild.snapshot=$SNAPSHOT -Dbuild.version_qualifier=$QUALIFIER - -# Copy maven publications to be promoted -cp -r ./build/local-test-repo/org/opensearch "${OUTPUT}"/maven/org - -# Assemble distribution artifact -# see https://github.com/opensearch-project/OpenSearch/blob/main/settings.gradle#L34 for other distribution targets - -[ -z "$PLATFORM" ] && PLATFORM=$(uname -s | awk '{print tolower($0)}') -[ -z "$ARCHITECTURE" ] && ARCHITECTURE=`uname -m` -[ -z "$DISTRIBUTION" ] && DISTRIBUTION="tar" - -case $PLATFORM-$DISTRIBUTION-$ARCHITECTURE in - linux-tar-x64|darwin-tar-x64) - PACKAGE="tar" - EXT="tar.gz" - TYPE="archives" - TARGET="$PLATFORM-$PACKAGE" - SUFFIX="$PLATFORM-x64" - ;; - linux-tar-arm64|darwin-tar-arm64) - PACKAGE="tar" - EXT="tar.gz" - TYPE="archives" - TARGET="$PLATFORM-arm64-$PACKAGE" - SUFFIX="$PLATFORM-arm64" - ;; - linux-rpm-x64) - PACKAGE="rpm" - EXT="rpm" - TYPE="packages" - TARGET="rpm" - SUFFIX="x86_64" - ;; - linux-rpm-arm64) - PACKAGE="rpm" - EXT="rpm" - TYPE="packages" - TARGET="arm64-rpm" - SUFFIX="aarch64" - ;; - windows-zip-x64) - PACKAGE="zip" - EXT="zip" - TYPE="archives" - TARGET="$PLATFORM-$PACKAGE" - SUFFIX="$PLATFORM-x64" - ;; - windows-zip-arm64) - PACKAGE="zip" - EXT="zip" - TYPE="archives" - TARGET="$PLATFORM-arm64-$PACKAGE" - SUFFIX="$PLATFORM-arm64" - ;; - *) - echo "Unsupported platform-distribution-architecture combination: $PLATFORM-$DISTRIBUTION-$ARCHITECTURE" - exit 1 - ;; -esac - -echo "Building OpenSearch for $PLATFORM-$DISTRIBUTION-$ARCHITECTURE" - -./gradlew :distribution:$TYPE:$TARGET:assemble -Dbuild.snapshot=$SNAPSHOT -Dbuild.version_qualifier=$QUALIFIER - -# Copy artifact to dist folder in bundle build output -[[ "$SNAPSHOT" == "true" ]] && IDENTIFIER="-SNAPSHOT" -ARTIFACT_BUILD_NAME=`ls distribution/$TYPE/$TARGET/build/distributions/ | grep "opensearch-min.*$SUFFIX.$EXT"` -mkdir -p "${OUTPUT}/dist" -cp 
distribution/$TYPE/$TARGET/build/distributions/$ARTIFACT_BUILD_NAME "${OUTPUT}"/dist/$ARTIFACT_BUILD_NAME - -echo "Building core plugins..." -mkdir -p "${OUTPUT}/core-plugins" -cd plugins -../gradlew assemble -Dbuild.snapshot="$SNAPSHOT" -Dbuild.version_qualifier=$QUALIFIER -cd .. -for plugin in plugins/*; do - PLUGIN_NAME=$(basename "$plugin") - if [ -d "$plugin" ] && [ "examples" != "$PLUGIN_NAME" ]; then - PLUGIN_ARTIFACT_BUILD_NAME=`ls "$plugin"/build/distributions/ | grep "$PLUGIN_NAME.*$IDENTIFIER.zip"` - cp "$plugin"/build/distributions/"$PLUGIN_ARTIFACT_BUILD_NAME" "${OUTPUT}"/core-plugins/"$PLUGIN_ARTIFACT_BUILD_NAME" - fi -done diff --git a/settings.gradle b/settings.gradle index b79c2aee135fc..7cbc3694c03a6 100644 --- a/settings.gradle +++ b/settings.gradle @@ -21,7 +21,7 @@ buildCache { } } -rootProject.name = "OpenSearch" +rootProject.name = "Wazuh indexer" include 'doc-tools' includeBuild("doc-tools/missing-doclet") diff --git a/test-tools/README.md b/test-tools/README.md new file mode 100644 index 0000000000000..3db416533fbba --- /dev/null +++ b/test-tools/README.md 
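Review bot: `rootProject.name = "Wazuh indexer"` in settings.gradle puts a space into the project name. Gradle uses `project.name` as the default archive base name and in task and report output, so anything downstream that treats the name as a single token (shell scripts, artifact globs) can break on the whitespace. If the intent is only a display name, `rootProject.name = "wazuh-indexer"` keeps the identifier safe and the README can carry the human-readable form.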
@@ -0,0 +1,41 @@ +# Basic cluster environment + +This is an environment definition with the required configuration to be prepared to freshly install a Wazuh Indexer +cluster with two nodes using Vagrant and Libvirt to provision the Virtual Machines. + +It also generates the node's required certificates using the `wazuh-certs-tool` and copy them to each node's `home` +directory, leaving a copy in `test-tools/basic_env`. + +### Prerequisites + +1. Download and install Vagrant ([source](https://developer.hashicorp.com/vagrant/downloads)) +2. Install vagrant-libvirt ([source](https://vagrant-libvirt.github.io/vagrant-libvirt/installation.html)) + > In some cases you must also install `libvirt-dev` + +## Usage + +1. Navigate to the environment's root directory + ```bash + cd test-tools/basic_env + ``` +2. Initialize the environment + ```bash + vagrant up + ``` +3. Connect to the different systems + ```bash + vagrant ssh indexer_[1|2] + ``` + +### Cleanup + +After the testing session is complete you can stop or destroy the environment as you wish: + +- Stop the environment: + ```bash + vagrant halt + ``` +- Destroy the environment: + ```bash + vagrant destroy -f + ``` diff --git a/test-tools/Vagrantfile b/test-tools/Vagrantfile new file mode 100644 index 0000000000000..b922ddc66cf21 --- /dev/null +++ b/test-tools/Vagrantfile 
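Review bot: the usage steps in test-tools/README.md say `cd test-tools/basic_env`, but this patch adds `Vagrantfile`, `config.yml` and `pre-start.sh` directly under `test-tools/`, so the documented directory does not exist in the tree being committed; fix the path (or move the files) so `vagrant up` is run where the Vagrantfile lives. Minor: "copy them to each node's `home` directory" should read "copies them", and `### Prerequisites` skips a heading level under `# Basic cluster environment` while its sibling `## Usage` is level 2.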
@@ -0,0 +1,54 @@ +system(" + if [ #{ARGV[0]} = 'up' ]; then + echo 'Executing pre-start script.' + bash ./pre-start.sh + fi +") + +Vagrant.configure("2") do |config| + config.vm.define "indexer_1" do |indexer_1| + indexer_1.vm.box = "generic/alma9" + indexer_1.vm.synced_folder ".", "/vagrant" + indexer_1.vm.network "private_network", ip: "192.168.56.10" + indexer_1.vm.hostname = "node-1" + indexer_1.vm.provider "libvirt" do |vb| + vb.memory = "4096" + vb.cpus = "4" + end + indexer_1.vm.provision "shell", inline: <<-SHELL + systemctl stop firewalld + systemctl disable firewalld + yum clean all + yum install curl jq unzip tar -y + # Add node-2 to /etc/hosts + echo "192.168.56.11 node-2" >> /etc/hosts + # Copy generated certificates + cp /vagrant/wazuh-certificates.tar /home/vagrant/wazuh-certificates.tar + # Copy test scripts + cp -r /vagrant/scripts /home/vagrant/scripts + chown -R vagrant:vagrant /home/vagrant/scripts + SHELL + end + config.vm.define "indexer_2" do |indexer_2| + indexer_2.vm.box = "generic/ubuntu2204" + indexer_2.vm.synced_folder ".", "/vagrant" + indexer_2.vm.network "private_network", ip: "192.168.56.11" + indexer_2.vm.hostname = "node-2" + indexer_2.vm.provider "libvirt" do |vb| + vb.memory = "4096" + vb.cpus = "4" + end + indexer_2.vm.provision "shell", inline: <<-SHELL + systemctl stop ufw + systemctl disable ufw + apt-get install curl jq unzip tar -y + # Add node-1 to /etc/hosts + echo "192.168.56.10 node-1" >> /etc/hosts + # Copy generated certificates + cp /vagrant/wazuh-certificates.tar /home/vagrant/wazuh-certificates.tar + # Copy test scripts + cp -r /vagrant/scripts /home/vagrant/scripts + chown -R vagrant:vagrant /home/vagrant/scripts + SHELL + end +end diff --git a/test-tools/config.yml b/test-tools/config.yml new file mode 100644 index 0000000000000..904bf09631351 --- /dev/null +++ b/test-tools/config.yml 
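Review bot: the `indexer_2` provisioner runs `apt-get install curl jq unzip tar -y` with no preceding `apt-get update`, so on a fresh generic/ubuntu2204 box the package index can be stale or empty and the install fails; add `apt-get update` first. In the pre-start hook, `[ #{ARGV[0]} = 'up' ]` interpolates the argument unquoted, so running `vagrant` with no subcommand expands to `[ = 'up' ]` and the shell reports a syntax error; write it as `[ "#{ARGV[0]}" = 'up' ]`. Disabling firewalld/ufw outright is reasonable for a throwaway lab, but a one-line comment saying so would stop these provisioner blocks from being copied into environments where it is not.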
@@ -0,0 +1,7 @@ +nodes: + # Wazuh indexer nodes + indexer: + - name: node-1 + ip: "192.168.56.10" + - name: node-2 + ip: "192.168.56.11" diff --git a/test-tools/pre-start.sh b/test-tools/pre-start.sh new file mode 100644 index 0000000000000..e0e1d4b7ac251 --- /dev/null +++ b/test-tools/pre-start.sh @@ -0,0 +1,23 @@ +#!/bin/bash + +# SPDX-License-Identifier: Apache-2.0 +# The OpenSearch Contributors require contributions made to +# this file be licensed under the Apache-2.0 license or a +# compatible open source license. + +# Download the Wazuh certs tool +curl -sO https://packages.wazuh.com/4.9/wazuh-certs-tool.sh + +# Make the script executable +chmod +x ./wazuh-certs-tool.sh + +# Run the Wazuh certs tool +OPENSSL_CONF="/etc/ssl/openssl.cnf" ./wazuh-certs-tool.sh -A + +# Create a tarball of the generated certificates +tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ . + +# Clean up +rm -rf ./wazuh-certificates wazuh-certs-tool.sh *.log + +echo "Setup complete and certificates archived." diff --git a/test-tools/scripts/00_run.sh b/test-tools/scripts/00_run.sh new file mode 100644 index 0000000000000..085cd85b9e86c --- /dev/null +++ b/test-tools/scripts/00_run.sh 
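Review bot: pre-start.sh downloads `wazuh-certs-tool.sh` with `curl -sO` and executes it with no integrity check. `-s` without `-f` means an HTTP error body is silently saved under that filename and then run by `./wazuh-certs-tool.sh -A`, and nothing pins the script to a known checksum, so the root CA and admin key for the whole test cluster come from whatever the download returned. Use `curl -fsSLO` so HTTP errors abort, verify the file against a checksum recorded in the repo before `chmod +x`, or vendor a pinned copy of the tool. The cleanup line `rm -rf ./wazuh-certificates wazuh-certs-tool.sh *.log` also removes every `*.log` in the working directory, not only the tool's own log.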
@@ -0,0 +1,88 @@ +#!/bin/bash + +# Prompt the user for GitHub Token and artifact details securely +if [ -z "$GITHUB_TOKEN" ]; then + read -rsp 'Enter GitHub Token: ' GITHUB_TOKEN + echo "" +fi +export GITHUB_TOKEN + +if [ -z "$RUN_ID" ]; then + read -rp 'Enter Action Run ID: ' RUN_ID +fi +export RUN_ID + +if [ -z "$ARTIFACT_NAME" ]; then + read -rp 'Enter Artifact Name: ' ARTIFACT_NAME +fi +export ARTIFACT_NAME + +# Define environment variables with default values if not provided +read -rp "Enter current node name (default: 'node-1'): " NODE_NAME +export NODE_NAME=${NODE_NAME:-"node-1"} + +IP_ADDRESS=$(ip addr show eth1 2>/dev/null | grep 'inet ' | awk '{print $2}' | cut -d/ -f1) +if [ -z "$IP_ADDRESS" ]; then + IP_ADDRESS="127.0.0.1" +fi +read -rp "Enter IP of current node (default: '$IP_ADDRESS'): " NODE_IP +export NODE_IP=${NODE_IP:-$IP_ADDRESS} + +export CERTS_PATH=${CERTS_PATH:-"/home/vagrant/wazuh-certificates.tar"} + +# Optional variables for Node 2 +read -rp 'Enter secondary Node name (optional): ' NODE_2 +read -rp 'Enter IP of secondary Node (optional): ' IP_NODE_2 + +# Logging function with timestamps +log() { + echo "$(date +'%Y-%m-%d %H:%M:%S') - $1" +} + +# Function to run a command and check for errors +run_command() { + local cmd=$1 + log "Executing: $cmd" + if ! 
eval "$cmd"; then + log "Error executing: $cmd" + exit 1 + else + log "Successfully executed: $cmd" + fi +} + +# Main execution +log "Starting the script execution" + +run_command "bash 01_download_and_install_package.sh -id $RUN_ID -n $ARTIFACT_NAME" + +# Apply certificates +if [ -n "$NODE_2" ] && [ -n "$IP_NODE_2" ]; then + run_command "sudo bash 02_apply_certificates.sh -p $CERTS_PATH -n $NODE_NAME -nip $NODE_IP -s $NODE_2 -sip $IP_NODE_2" +else + run_command "sudo bash 02_apply_certificates.sh -p $CERTS_PATH -n $NODE_NAME -nip $NODE_IP" +fi + +# Start indexer service +run_command "sudo bash 03_manage_indexer_service.sh -a start" + +# Initialize cluster (assumes this step doesn't depend on Node 2 presence) +run_command "sudo bash 04_initialize_cluster.sh" +sleep 10 + +# Validate installed plugins +if [ -n "$NODE_2" ]; then + run_command "bash 05_validate_installed_plugins.sh -n $NODE_NAME -n $NODE_2" +else + run_command "bash 05_validate_installed_plugins.sh -n $NODE_NAME" +fi + +# Validate setup and command manager +run_command "bash 06_validate_setup.sh" +run_command "bash 07_validate_command_manager.sh" + +# Uninstall indexer +log "Running 08_uninstall_indexer.sh" +run_command "sudo bash 08_uninstall_indexer.sh" + +log "All tasks completed successfully." diff --git a/test-tools/scripts/01_download_and_install_package.sh b/test-tools/scripts/01_download_and_install_package.sh new file mode 100644 index 0000000000000..b57f916ddefda --- /dev/null +++ b/test-tools/scripts/01_download_and_install_package.sh 
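Review bot: `run_command` assembles each step as a string and runs it through `eval "$cmd"`, with interactively entered values (`RUN_ID`, `ARTIFACT_NAME`, `NODE_NAME`, `NODE_IP`, `NODE_2`, `IP_NODE_2`) interpolated unquoted, so whitespace or shell metacharacters in an answer are word-split or executed as part of the command instead of being passed as a single argument. An array-based runner avoids that and keeps the logged line faithful to what runs: `run_command() { log "Executing: $*"; "$@" || { log "Error executing: $*"; exit 1; }; }` called as `run_command sudo bash 02_apply_certificates.sh -p "$CERTS_PATH" -n "$NODE_NAME" -nip "$NODE_IP"`. Also note that `export GITHUB_TOKEN` makes the token available to every child process of this script, not only 01_download_and_install_package.sh.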
@@ -0,0 +1,173 @@ +#!/bin/bash + +# SPDX-License-Identifier: Apache-2.0 +# The OpenSearch Contributors require contributions made to +# this file be licensed under the Apache-2.0 license or a +# compatible open source license. + +# Tool dependencies +DEPENDENCIES=(curl jq unzip) +# Default package revision +PKG_REVISION="0" +# Wazuh indexer repository +REPO="wazuh/wazuh-indexer" + +# Function to display usage help +usage() { + echo "Usage: $0 --run-id [-v ] [-r ] [-n ]" + echo + echo "Parameters:" + echo " -id, --run-id The GHA workflow execution ID." + echo " -v, --version (Optional) The version of the wazuh-indexer package." + echo " -r, --revision (Optional) The revision of the package. Defaults to '0' if not provided." + echo " -n, --name (Optional) The package name. If not provided, it will be configured based on version and revision." + echo + echo "Please ensure you have the GITHUB_TOKEN environment variable set to access the GitHub repository, and all the dependencies installed: " "${DEPENDENCIES[@]}" + exit 1 +} + +# Parse named parameters +while [[ "$#" -gt 0 ]]; do + case $1 in + --artifact-id|-id) RUN_ID="$2"; shift ;; + --version|-v) PKG_VERSION="$2"; shift ;; + --revision|-r) PKG_REVISION="$2"; shift ;; + --name|-n) PKG_NAME="$2"; shift ;; + -h|--help) usage ;; + *) echo "Unknown parameter passed: $1"; usage ;; + esac + shift +done + +# Validate all dependencies are installed +for dep in "${DEPENDENCIES[@]}" +do + if ! command -v "${dep}" &> /dev/null + then + echo "Error: Dependency '$dep' is not installed. Please install $dep and try again." >&2 + exit 1 + fi +done + +# Check if RUN_ID is provided +if [ -z "$RUN_ID" ]; then + echo "Error: RUN_ID is required." + usage +fi + +# Validate GITHUB_TOKEN environment variable +if [ -z "$GITHUB_TOKEN" ]; then + echo "Please ensure you have the GITHUB_TOKEN environment variable set to access the GitHub repository." 
+ exit 1 +fi + +# Ensure either PKG_NAME or both PKG_VERSION and PKG_REVISION are provided +if [ -z "$PKG_NAME" ] && { [ -z "$PKG_VERSION" ] || [ -z "$PKG_REVISION" ]; }; then + echo "Error: Either a package name (--name) or both a version (--version) and revision (--revision) must be provided." + usage +fi + +# Detect OS and architecture +if [ -f /etc/os-release ]; then + . /etc/os-release + OS=$(echo "$NAME" | tr '[:upper:]' '[:lower:]') +else + echo "Unsupported OS." + exit 1 +fi + +# Determine package type if PKG_NAME is not provided +ARCH=$(uname -m) +case "$OS" in + *ubuntu* | *debian*) + PKG_FORMAT="deb" + if [ -z "$PKG_NAME" ]; then + [ "$ARCH" == "x86_64" ] && ARCH="amd64" + [ "$ARCH" == "aarch64" ] && ARCH="arm64" + PKG_NAME="wazuh-indexer_${PKG_VERSION}-${PKG_REVISION}_${ARCH}.${PKG_FORMAT}" + fi + ;; + *centos* | *fedora* | *rhel* | *"red hat"* | *alma*) + PKG_FORMAT="rpm" + if [ -z "$PKG_NAME" ]; then + PKG_NAME="wazuh-indexer-${PKG_VERSION}-${PKG_REVISION}.${ARCH}.${PKG_FORMAT}" + fi + ;; + *) + echo "Unsupported OS." + exit 1 + ;; +esac + +# Check if the package is already present +if [ -f "$PKG_NAME" ]; then + echo "Package $PKG_NAME found locally. Reusing existing package." +else + # Fetch the list of artifacts + echo "Fetching artifacts list..." + RUN_URL="https://api.github.com/repos/${REPO}/actions/artifacts" + RESPONSE=$(curl -s -L -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $GITHUB_TOKEN" -H "X-GitHub-Api-Version: 2022-11-28" "$RUN_URL?name=$PKG_NAME") + + # Check if the curl command was successful + if [ $? -ne 0 ]; then + echo "Error: Failed to fetch artifacts." + exit 1 + fi + + # Check if the artifact from the specified workflow run ID exists + echo "Checking ${PKG_NAME} package is generated for workflow run ${RUN_ID}" + ARTIFACT=$(echo "$RESPONSE" | jq -e ".artifacts[] | select(.workflow_run.id == $RUN_ID)") + + if [ -z "$ARTIFACT" ]; then + echo "Error: Wazuh indexer package not found." 
+ exit 1 + fi + + ARTIFACT_ID=$(echo "$ARTIFACT" | jq -r '.id') + echo "Wazuh indexer artifact detected. Artifact ID: $ARTIFACT_ID" + + # Download the package + ARTIFACT_URL="https://api.github.com/repos/${REPO}/actions/artifacts/${ARTIFACT_ID}/zip" + echo "Downloading wazuh-indexer package from GitHub artifactory..." + echo "(It could take a couple of minutes)" + + if ! curl -L -H "Accept: application/vnd.github+json" \ + -H "Authorization: Bearer $GITHUB_TOKEN" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + "$ARTIFACT_URL" -o package.zip > /dev/null 2>&1; then + echo "Error downloading package." + exit 1 + fi + echo "Package downloaded successfully" + + # Unzip the package + echo "Decompressing wazuh-indexer package..." + unzip ./package.zip + rm package.zip + + # shellcheck disable=SC2181 + if [ $? -ne 0 ]; then + echo "Error unzipping package." + exit 1 + fi + echo "Package decompressed" +fi + +# Install the package +echo "Installing wazuh-indexer package..." +case "$PKG_FORMAT" in + "deb") + sudo dpkg -i "$PKG_NAME" > /dev/null 2>&1 + ;; + "rpm") + sudo rpm -i "$PKG_NAME" > /dev/null 2>&1 + ;; +esac + +# shellcheck disable=SC2181 +if [ $? -ne 0 ]; then + echo "Error installing package." + exit 1 +fi + +echo "Package installed successfully." diff --git a/test-tools/scripts/02_apply_certificates.sh b/test-tools/scripts/02_apply_certificates.sh new file mode 100644 index 0000000000000..c754eebf4b10e --- /dev/null +++ b/test-tools/scripts/02_apply_certificates.sh 
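Review bot: the usage text for 01_download_and_install_package.sh advertises `-id, --run-id`, but the parser only matches `--artifact-id|-id`, so `--run-id` hits the `*)` branch and prints "Unknown parameter passed"; add `--run-id` to that case. Two status checks test the wrong command: after `unzip ./package.zip` the script runs `rm package.zip` before `if [ $? -ne 0 ]`, so a failed unzip is never detected, and `RESPONSE=$(curl -s ...)` without `-f` exits 0 on an HTTP 401/404, so a bad token surfaces later as "Wazuh indexer package not found" rather than as an auth error. Move the check directly after `unzip` (or use `if ! unzip ./package.zip; then`) and add `-f` to the curl calls. Finally, `$RUN_ID` is spliced into the jq program (`select(.workflow_run.id == $RUN_ID)`); pass it as `jq --argjson run_id "$RUN_ID" '.artifacts[] | select(.workflow_run.id == $run_id)'` so a non-numeric value is a clean error instead of a jq syntax error or an unintended filter.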
@@ -0,0 +1,117 @@ +#!/bin/bash + +# SPDX-License-Identifier: Apache-2.0 +# The OpenSearch Contributors require contributions made to +# this file be licensed under the Apache-2.0 license or a +# compatible open source license. + +# Tool dependencies +DEPENDENCIES=(tar) + +# Function to display usage help +usage() { + echo "Usage: $0 --path-to-certs --current-node [--second-node ] [--current-node-ip ] [--second-node-ip ]" + echo + echo "Parameters:" + echo " -p, --path-to-certs Path to the generated Wazuh certificates tar" + echo " -n, --current-node Name of the current node" + echo " -s, --second-node (Optional) Name of the second node" + echo " -nip, --current-node-ip (Optional) IP address of the current node. Default: CURRENT_NODE" + echo " -sip, --second-node-ip (Optional) IP address of the second node. Default: SECOND_NODE" + echo + echo "Please ensure you have all the dependencies installed: " "${DEPENDENCIES[@]}" + exit 1 +} + +# Parse named arguments +while [[ "$#" -gt 0 ]]; do + case $1 in + --path-to-certs|-p) PATH_TO_CERTS="$2"; shift ;; + --current-node|-n) CURRENT_NODE="$2"; shift ;; + --second-node|-s) SECOND_NODE="$2"; shift ;; + --current-node-ip|-nip) CURRENT_NODE_IP="$2"; shift ;; + --second-node-ip|-sip) SECOND_NODE_IP="$2"; shift ;; + -h|--help) usage ;; + *) echo "Unknown parameter passed: $1"; usage ;; + esac + shift +done + +# Validate all dependencies are installed +for dep in "${DEPENDENCIES[@]}" +do + if ! command -v ${dep} &> /dev/null + then + echo "Error: Dependency '$dep' is not installed. Please install $dep and try again." >&2 + exit 1 + fi +done + +# Validate mandatory arguments +if [ -z "$PATH_TO_CERTS" ] || [ -z "$CURRENT_NODE" ]; then + echo "Error: Missing mandatory parameter." 
+ usage +fi + +# Set default values if optional arguments are not provided +CURRENT_NODE_IP=${CURRENT_NODE_IP:-$CURRENT_NODE} +SECOND_NODE_IP=${SECOND_NODE_IP:-$SECOND_NODE} +CONFIG_FILE="/etc/wazuh-indexer/opensearch.yml" +BACKUP_FILE="./opensearch.yml.bak" + +# Backup the original config file +echo "Creating a backup of the original config file..." +cp $CONFIG_FILE $BACKUP_FILE + +# Replace values in the config file +echo "Updating configuration..." +sed -i "s/node\.name: \"node-1\"/node.name: \"${CURRENT_NODE}\"/" $CONFIG_FILE + +if [ -n "$SECOND_NODE" ]; then + sed -i "s/#discovery\.seed_hosts:/discovery.seed_hosts:\n - \"${CURRENT_NODE_IP}\"\n - \"${SECOND_NODE_IP}\"/" $CONFIG_FILE + sed -i "/cluster\.initial_master_nodes:/!b;n;c- ${CURRENT_NODE}\n- ${SECOND_NODE}" $CONFIG_FILE + sed -i ':a;N;$!ba;s/plugins\.security\.nodes_dn:\n- "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US"/plugins.security.nodes_dn:\n- "CN='"${CURRENT_NODE}"',OU=Wazuh,O=Wazuh,L=California,C=US"\n- "CN='"${SECOND_NODE}"',OU=Wazuh,O=Wazuh,L=California,C=US"/' $CONFIG_FILE +else + sed -i "s/#discovery\.seed_hosts:/discovery.seed_hosts:\n - \"${CURRENT_NODE_IP}\"/" $CONFIG_FILE + sed -i "/cluster\.initial_master_nodes:/!b;n;c- ${CURRENT_NODE}" $CONFIG_FILE + sed -i ':a;N;$!ba;s/plugins\.security\.nodes_dn:\n- "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US"/plugins.security.nodes_dn:\n- "CN='"${CURRENT_NODE}"',OU=Wazuh,O=Wazuh,L=California,C=US"/' $CONFIG_FILE +fi + +# shellcheck disable=SC2181 +if [ $? -eq 0 ]; then + echo "Configuration updated successfully. Backup created at ${BACKUP_FILE}" +else + echo "Error updating configuration." + exit 1 +fi + +# Directory for certificates +CERT_DIR="/etc/wazuh-indexer/certs" +if [ -d "$CERT_DIR" ]; then + echo "Certificates directory already exists. Removing it..." + rm -rf +fi +# Extract certificates +echo "Creating certificates directory and extracting certificates..." +mkdir -p $CERT_DIR + +if ! 
tar -xf "$PATH_TO_CERTS" -C "$CERT_DIR" "./$CURRENT_NODE.pem" "./$CURRENT_NODE-key.pem" "./admin.pem" "./admin-key.pem" "./root-ca.pem" ; then + echo "Error extracting certificates." + exit 1 +fi + +# Move and set permissions for certificates +echo "Moving and setting permissions for certificates..." +mv -n "$CERT_DIR/$CURRENT_NODE.pem" "$CERT_DIR/indexer.pem" +mv -n "$CERT_DIR/$CURRENT_NODE-key.pem" "$CERT_DIR/indexer-key.pem" +chmod 500 "$CERT_DIR" +chmod 400 "$CERT_DIR"/* +chown -R wazuh-indexer:wazuh-indexer "$CERT_DIR" + +# shellcheck disable=SC2181 +if [ $? -eq 0 ]; then + echo "Certificates configured successfully." +else + echo "Error configuring certificates." + exit 1 +fi diff --git a/test-tools/scripts/03_manage_indexer_service.sh b/test-tools/scripts/03_manage_indexer_service.sh new file mode 100644 index 0000000000000..d9100b270c2b1 --- /dev/null +++ b/test-tools/scripts/03_manage_indexer_service.sh 
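Review bot: the `rm -rf` under `if [ -d "$CERT_DIR" ]` in 02_apply_certificates.sh has no operand, so the existing certificate directory is never removed (`rm` prints "missing operand" and the script continues); it should be `rm -rf "$CERT_DIR"`. As written, a re-run on a node that already has certificates keeps the old `indexer.pem`/`indexer-key.pem` because `mv -n` refuses to overwrite, so the node can silently keep a stale key while the log reports "Certificates configured successfully". The `$?` check after the `sed` block only reflects the last `sed`, and `sed -i` returns 0 even when its pattern matches nothing, so a config template without `node.name: "node-1"` or the `plugins.security.nodes_dn` block passes the check unchanged; grep for the expected values after editing instead. Minor: `command -v ${dep}` is unquoted, and `BACKUP_FILE="./opensearch.yml.bak"` lands in the caller's working directory rather than beside the config.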
@@ -0,0 +1,76 @@ +#!/bin/bash + +# SPDX-License-Identifier: Apache-2.0 +# The OpenSearch Contributors require contributions made to +# this file be licensed under the Apache-2.0 license or a +# compatible open source license. + +# Function to check the status of the wazuh-indexer service +check_service_is_running() { + if systemctl is-active --quiet wazuh-indexer ; then + echo "wazuh-indexer service is running." + else + echo "Error: wazuh-indexer service is not running." >&2 + exit 1 + fi +} + +# Function to display usage help +usage() { + echo "Usage: $0 --action " + echo + echo "This script manages the wazuh-indexer service." + echo + echo "Options:" + echo " -a, --action Specify the action to perform: start, stop, or restart." + echo " -h, --help Show this help message and exit." + echo + exit 1 +} + +# Parse named arguments +while [[ "$#" -gt 0 ]]; do + case $1 in + --action|-a) ACTION="$2"; shift ;; + -h|--help) usage ;; + *) echo "Unknown parameter passed: $1"; usage ;; + esac + shift +done + +# Check if ACTION is provided +if [ -z "$ACTION" ]; then + echo "Error: Action is required." + usage +fi + +# Execute the action +case $ACTION in + start) + echo "Starting wazuh-indexer service..." + systemctl daemon-reload > /dev/null 2>&1 + systemctl enable wazuh-indexer > /dev/null 2>&1 + systemctl start wazuh-indexer > /dev/null 2>&1 + check_service_is_running + ;; + stop) + echo "Stopping wazuh-indexer service..." + systemctl stop wazuh-indexer + systemctl is-active --quiet wazuh-indexer + if [ $? -ne 0 ]; then + echo "wazuh-indexer service stopped successfully." + else + echo "Error: Failed to stop wazuh-indexer service." >&2 + exit 1 + fi + ;; + restart) + echo "Restarting wazuh-indexer service..." + systemctl restart wazuh-indexer + check_service_is_running + ;; + *) + echo "Error: Invalid action specified. Use start, stop, or restart." + usage + ;; +esac 
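Review bot: the `start` branch of 03_manage_indexer_service.sh sends the output of `daemon-reload`, `enable` and `start` to `/dev/null 2>&1`, so when `check_service_is_running` then fails the only message is "service is not running" with no cause; keep stderr, or print `systemctl status wazuh-indexer --no-pager` and `journalctl -u wazuh-indexer -n 50` in the failure path so a bad config from 02_apply_certificates.sh is diagnosable. In the `stop` branch, `systemctl is-active --quiet wazuh-indexer` followed by `if [ $? -ne 0 ]` reads more directly as `if ! systemctl is-active --quiet wazuh-indexer; then` and avoids the SC2181 pattern the other scripts suppress. The script needs root for every action but never checks `EUID`, so an unprivileged run fails with systemd permission errors instead of a clear message.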
diff --git a/test-tools/scripts/04_initialize_cluster.sh b/test-tools/scripts/04_initialize_cluster.sh new file mode 100644 index 0000000000000..a7121b7c09d94 --- /dev/null +++ b/test-tools/scripts/04_initialize_cluster.sh 
@@ -0,0 +1,95 @@ +#!/bin/bash + +# SPDX-License-Identifier: Apache-2.0 +# The OpenSearch Contributors require contributions made to +# this file be licensed under the Apache-2.0 license or a +# compatible open source license. + +# Tool dependencies +DEPENDENCIES=(curl jq) + +# Function to display usage help +usage() { + echo "Usage: $0 [-ip ] [-u ] [-p ]" + echo + echo "Parameters:" + echo " -ip, --cluster-ip (Optional) IP address of the cluster. Default: localhost" + echo " -u, --user (Optional) Username for authentication. Default: admin" + echo " -p, --password (Optional) Password for authentication. Default: admin" + echo + echo "Please ensure you have all the dependencies installed: " "${DEPENDENCIES[@]}" + exit 1 +} + +# Validate all dependencies are installed +for dep in "${DEPENDENCIES[@]}" +do + if ! command -v "${dep}" &> /dev/null + then + echo "Error: Dependency '$dep' is not installed. Please install $dep and try again." >&2 + exit 1 + fi +done + +# Default values +CLUSTER_IP="localhost" +USER="admin" +PASSWORD="admin" + +# Parse named arguments +while [[ "$#" -gt 0 ]]; do + case $1 in + -ip|--cluster-ip) CLUSTER_IP="$2"; shift ;; + -u|--user) USER="$2"; shift ;; + -p|--password) PASSWORD="$2"; shift ;; + -h|--help) usage ;; + *) echo "Unknown parameter passed: $1"; usage ;; + esac + shift +done + +# Initialize cluster +echo "Initializing wazuh-indexer cluster..." +bash /usr/share/wazuh-indexer/bin/indexer-security-init.sh > /dev/null 2>&1 + +# Check if the initialization was successful +# shellcheck disable=SC2181 +if [ $? -ne 0 ]; then + echo "Error: Failed to initialize cluster." + exit 1 +fi + +# Check the Wazuh indexer status +echo "Checking cluster status..." +sleep 2 +RESPONSE=$(curl -s -k -u "$USER:$PASSWORD" "https://$CLUSTER_IP:9200") + +# Check if the request was successful +# shellcheck disable=SC2181 +if [ $? -ne 0 ]; then + echo "Error: Failed to connect to cluster." 
+ exit 1 +fi + +# Parse and print the response +INDEXER_NAME=$(echo "$RESPONSE" | jq -r '.name') +CLUSTER_NAME=$(echo "$RESPONSE" | jq -r '.cluster_name') +VERSION_NUMBER=$(echo "$RESPONSE" | jq -r '.version.number') +echo "Indexer Status:" +echo " Node Name: $INDEXER_NAME" +echo " Cluster Name: $CLUSTER_NAME" +echo " Version Number: $VERSION_NUMBER" + +# Verify the Wazuh indexer nodes +echo "Verifying the Wazuh indexer nodes..." +NODES_RESPONSE=$(curl -s -k -u "$USER:$PASSWORD" "https://$CLUSTER_IP:9200/_cat/nodes?v") + +# shellcheck disable=SC2181 +if [ $? -ne 0 ]; then + echo "Error: Failed to retrieve Wazuh indexer nodes." + exit 1 +fi + +echo "Nodes:" +echo "$NODES_RESPONSE" +echo "Initialization completed successfully." diff --git a/test-tools/scripts/05_validate_installed_plugins.sh b/test-tools/scripts/05_validate_installed_plugins.sh new file mode 100644 index 0000000000000..2801598394f25 --- /dev/null +++ b/test-tools/scripts/05_validate_installed_plugins.sh 
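Review bot: both `curl` calls in 04_initialize_cluster.sh use `-k` and pass the password on the command line via `-u "$USER:$PASSWORD"`. The root CA this same patch installs at `/etc/wazuh-indexer/certs/root-ca.pem` (02_apply_certificates.sh) makes `--cacert /etc/wazuh-indexer/certs/root-ca.pem` possible instead of disabling verification, and credentials in argv are visible to every local user in `ps` output for the duration of the request; a `--netrc-file` is the usual fix in scripts. `bash indexer-security-init.sh > /dev/null 2>&1` also hides the reason when initialization fails, and `USER` shadows the shell's own `USER` variable for the rest of the script; `INDEXER_USER` avoids the confusion. Defaulting to `admin:admin` is fine for a lab, but the usage text should say these are the bundled defaults so nobody reuses the script unchanged elsewhere.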
@@ -0,0 +1,95 @@ +#!/bin/bash +# SPDX-License-Identifier: Apache-2.0 +# The OpenSearch Contributors require contributions made to +# this file be licensed under the Apache-2.0 license or a +# compatible open source license. + +# Tool dependencies +DEPENDENCIES=(curl jq) + +# Function to display usage help +usage() { + echo "Usage: $0 [-ip -u -p ] -n -n [...]" + echo + echo "Parameters:" + echo " -ip, --cluster-ip (Optional) IP address of the cluster (default: localhost)" + echo " -u, --user (Optional) Username for authentication (default: admin)" + echo " -p, --password (Optional) Password for authentication (default: admin)" + echo " -n, --node Name of the nodes (add as many as needed)" + echo + echo "Please ensure you have all the dependencies installed: " "${DEPENDENCIES[@]}" + exit 1 +} + +# Validate all dependencies are installed +for dep in "${DEPENDENCIES[@]}" +do + if ! command -v "${dep}" &> /dev/null + then + echo "Error: Dependency '$dep' is not installed. Please install $dep and try again." >&2 + exit 1 + fi +done + +# Default values +CLUSTER_IP="localhost" +USER="admin" +PASSWORD="admin" +NODES=() + +# Parse named arguments +while [[ "$#" -gt 0 ]]; do + case $1 in + -ip|--cluster-ip) CLUSTER_IP="$2"; shift ;; + -u|--user) USER="$2"; shift ;; + -p|--password) PASSWORD="$2"; shift ;; + -n|--node) NODES+=("$2"); shift ;; + -h|--help) usage ;; + *) echo "Unknown parameter passed: $1"; usage ;; + esac + shift +done + +# Check if mandatory arguments are provided +if [ -z "$CLUSTER_IP" ] || [ -z "$USER" ] || [ -z "$PASSWORD" ] || [ ${#NODES[@]} -eq 0 ]; then + echo "Error: Missing mandatory parameter." + usage +fi + +# Check the installed plugins on each node +REQUIRED_PLUGINS=("wazuh-indexer-command-manager" "wazuh-indexer-setup") +ALL_MISSING_PLUGINS=() + +echo "Checking installed plugins on Wazuh indexer nodes..." +for NODE in "${NODES[@]}"; do + echo "Checking node $NODE..." 
+ RESPONSE=$(curl -s -k -u "$USER:$PASSWORD" "https://$CLUSTER_IP:9200/_cat/plugins?v" | grep "$NODE") + # Check if the request was successful + # shellcheck disable=SC2181 + if [ $? -ne 0 ]; then + echo "Error: Failed to connect to Wazuh indexer." + exit 1 + fi + MISSING_PLUGINS=() + for PLUGIN in "${REQUIRED_PLUGINS[@]}"; do + if echo "$RESPONSE" | grep -q "$PLUGIN"; then + echo " $PLUGIN is installed on $NODE." + else + MISSING_PLUGINS+=("$PLUGIN") + fi + done + if [ ${#MISSING_PLUGINS[@]} -ne 0 ]; then + echo "Error: The following required plugins are missing on $NODE:" + for PLUGIN in "${MISSING_PLUGINS[@]}"; do + echo " $PLUGIN" + done + ALL_MISSING_PLUGINS+=("${MISSING_PLUGINS[@]}") + fi +done + +if [ ${#ALL_MISSING_PLUGINS[@]} -ne 0 ]; then + echo "Error: Some nodes are missing required plugins." + exit 1 +fi + +echo "All required plugins are installed on all nodes." diff --git a/test-tools/scripts/06_validate_setup.sh b/test-tools/scripts/06_validate_setup.sh new file mode 100644 index 0000000000000..dc9e90688f180 --- /dev/null +++ b/test-tools/scripts/06_validate_setup.sh 
@@ -0,0 +1,153 @@ +#!/bin/bash + +# SPDX-License-Identifier: Apache-2.0 +# The OpenSearch Contributors require contributions made to +# this file be licensed under the Apache-2.0 license or a +# compatible open source license. + +# Tool dependencies +DEPENDENCIES=(curl jq) + +# Function to display usage help +usage() { + echo "Usage: $0 [-ip ] [-u ] [-p ]" + echo + echo "Parameters:" + echo " -ip, --cluster-ip (Optional) IP address of the cluster. Default: localhost" + echo " -u, --user (Optional) Username for authentication. Default: admin" + echo " -p, --password (Optional) Password for authentication. Default: admin" + echo + echo "Please ensure you have all the dependencies installed: " "${DEPENDENCIES[@]}" + exit 1 +} + +# Validate all dependencies are installed +for dep in "${DEPENDENCIES[@]}" +do + if ! command -v "${dep}" &> /dev/null + then + echo "Error: Dependency '$dep' is not installed. Please install $dep and try again." >&2 + exit 1 + fi +done + +# Default values +CLUSTER_IP="localhost" +USER="admin" +PASSWORD="admin" + +# Parse named arguments +while [[ "$#" -gt 0 ]]; do + case $1 in + -ip|--cluster-ip) CLUSTER_IP="$2"; shift ;; + -u|--user) USER="$2"; shift ;; + -p|--password) PASSWORD="$2"; shift ;; + -h|--help) usage ;; + *) echo "Unknown parameter passed: $1"; usage ;; + esac + shift +done + +# List of expected items +EXPECTED_TEMPLATES=("index-template-agent" "index-template-alerts" "index-template-fim" "index-template-packages" + "index-template-processes" "index-template-system" "index-template-vulnerabilities") + +# Fetch the templates +echo "Fetching templates from Wazuh indexer cluster..." +TEMPLATES_RESPONSE=$(curl -s -k -u "$USER:$PASSWORD" "https://$CLUSTER_IP:9200/_cat/templates?v") +# Check if the request was successful +if [ $? -ne 0 ]; then + echo "Error: Failed to fetch templates." + exit 1 +fi + +# Validate the templates +MISSING_TEMPLATES=() +echo "Validating templates..." 
+for TEMPLATE in "${EXPECTED_TEMPLATES[@]}"; do + if echo "$TEMPLATES_RESPONSE" | grep -q "$TEMPLATE"; then + # Fetch the template info to check for required fields + TEMPLATE_INFO=$(curl -s -k -u "$USER:$PASSWORD" "https://$CLUSTER_IP:9200/_template/$TEMPLATE") + if ! echo "$TEMPLATE_INFO" | jq -e '.[] | .mappings.properties.agent.properties.id' > /dev/null; then + echo " Error: Template $TEMPLATE is missing required field 'agent.id'." + MISSING_TEMPLATES+=("$TEMPLATE") + elif ! echo "$TEMPLATE_INFO" | jq -e '.[] | .mappings.properties.agent.properties.groups' > /dev/null; then + echo " Error: Template $TEMPLATE is missing required field 'agent.groups'." + MISSING_TEMPLATES+=("$TEMPLATE") + else + echo " Template $TEMPLATE is created correctly." + fi + else + MISSING_TEMPLATES+=("$TEMPLATE") + echo " Error: Template $TEMPLATE is missing." + fi +done + +if [ ${#MISSING_TEMPLATES[@]} -ne 0 ]; then + echo "Some templates were not created correctly:" + for TEMPLATE in "${MISSING_TEMPLATES[@]}"; do + echo " $TEMPLATE" + done + echo +else + echo "All templates are correctly created." + echo +fi + +# Fetch the indices +echo "Fetching indices from Wazuh indexer cluster..." +INDICES_RESPONSE=$(curl -s -k -u "$USER:$PASSWORD" "https://$CLUSTER_IP:9200/_cat/indices?v") +# Check if the request was successful +# shellcheck disable=SC2181 +if [ $? -ne 0 ]; then + echo "Error: Failed to fetch indices." + exit 1 +fi + +# Fetch the protected indices +echo "Fetching protected indices from Wazuh indexer cluster..." +PROTECTED_RESPONSE=$(curl -s -k -u "$USER:$PASSWORD" "https://$CLUSTER_IP:9200/_cat/indices/.*?v") +# Check if the request was successful +# shellcheck disable=SC2181 +if [ $? -ne 0 ]; then + echo "Error: Failed to fetch indices." + exit 1 +fi + +# Validate index patterns +echo "Validating index patterns..." 
+INVALID_PATTERNS=() +while read -r line; do + TEMPLATE_NAME=$(echo "$line" | awk '{print $1}') + INDEX_PATTERN=$(echo "$line" | awk '{print $2}' | tr -d '[]') + + if [[ $INDEX_PATTERN == .* ]]; then + TO_MATCH=$PROTECTED_RESPONSE + else + TO_MATCH=$INDICES_RESPONSE + fi + + # Check if index pattern ends with '*' + if [[ $INDEX_PATTERN != *\* ]]; then + echo " Error: Index pattern $INDEX_PATTERN does not end with '*'." + INVALID_PATTERNS+=("$INDEX_PATTERN") + continue + fi + + if echo "$TO_MATCH" | grep -q "$INDEX_PATTERN"; then + echo " Index pattern $INDEX_PATTERN is valid." + else + INVALID_PATTERNS+=("$INDEX_PATTERN") + echo " Error: Index pattern $INDEX_PATTERN not found in indices for template $TEMPLATE_NAME." + fi +done <<< "$(echo "$TEMPLATES_RESPONSE" | tail -n +2)" # Skip header line + +if [ ${#INVALID_PATTERNS[@]} -ne 0 ]; then + echo "Errors on index-patterns detected:" + for PATTERN in "${INVALID_PATTERNS[@]}"; do + echo " $PATTERN" + done + echo +else + echo "Index-patterns validated successfully." +fi diff --git a/test-tools/scripts/07_validate_command_manager.sh b/test-tools/scripts/07_validate_command_manager.sh new file mode 100644 index 0000000000000..e96209bd4c8f6 --- /dev/null +++ b/test-tools/scripts/07_validate_command_manager.sh 
@@ -0,0 +1,115 @@ +#!/bin/bash + +# SPDX-License-Identifier: Apache-2.0 +# The OpenSearch Contributors require contributions made to +# this file be licensed under the Apache-2.0 license or a +# compatible open source license. + +# Tool dependencies +DEPENDENCIES=(curl jq) + +# Function to display usage help +usage() { + echo "Usage: $0 [-ip ] [-u ] [-p ]" + echo + echo "Parameters:" + echo " -ip, --cluster-ip (Optional) IP address of the cluster. Default: localhost" + echo " -u, --user (Optional) Username for authentication. Default: admin" + echo " -p, --password (Optional) Password for authentication. Default: admin" + echo + echo "Please ensure you have all the dependencies installed: " "${DEPENDENCIES[@]}" + exit 1 +} + +# Validate all dependencies are installed +for dep in "${DEPENDENCIES[@]}" +do + if ! command -v "${dep}" &> /dev/null + then + echo "Error: Dependency '$dep' is not installed. Please install $dep and try again." >&2 + exit 1 + fi +done + +# Default values +CLUSTER_IP="localhost" +USERNAME="admin" +PASSWORD="admin" + +# Parse named arguments +while [[ "$#" -gt 0 ]]; do + case $1 in + -ip|--cluster-ip) CLUSTER_IP="$2"; shift ;; + -u|--user) USERNAME="$2"; shift ;; + -p|--password) PASSWORD="$2"; shift ;; + -h|--help) usage ;; + *) echo "Unknown parameter passed: $1"; usage ;; + esac + shift +done + +COMMANDS_INDEX=".commands" +SRC="Engine" +USR="TestUser" +TRG_ID="TestTarget" +ARG="/test/path/fake/args" +BODY="{ + \"source\": \"$SRC\", + \"user\": \"$USR\", + \"target\": { + \"id\": \"$TRG_ID\", + \"type\": \"agent\" + }, + \"action\": { + \"name\": \"restart\", + \"args\": [ + \"$ARG\" + ], + \"version\": \"v4\" + }, + \"timeout\": 30 +}" + +# Send the POST request and check it is successful +if ! curl -s -k -u "$USERNAME:$PASSWORD" -X POST "https://$CLUSTER_IP:9200/_plugins/_command_manager/commands" -H 'accept: */*' -H 'Content-Type: application/json' -d "$BODY" > /dev/null 2>&1; then + echo "Error: Failed to create command." 
+ exit 1 +fi +echo "Command created successfully." +# Sleep to avoid the next request to be sent before index is created +curl -s -k -u "$USERNAME:$PASSWORD" -X POST "https://$CLUSTER_IP:9200/_forcemerge" -H 'accept: */*' +sleep 2 + +# Fetch the indices +echo "Validating .commands index is created..." +INDICES_RESPONSE=$(curl -s -k -u "$USERNAME:$PASSWORD" "https://$CLUSTER_IP:9200/_cat/indices/.*?v") +# shellcheck disable=SC2181 +if [ $? -ne 0 ]; then + echo "Error: Failed to fetch indices." + exit 1 +fi +if echo "$INDICES_RESPONSE" | grep -q "$COMMANDS_INDEX"; then + echo "Index created correctly." +else + echo "Error: Index is not created." + exit 1 +fi + +sleep 5 +echo "Validate the command is created" +# Validate the command was created +SEARCH_RESPONSE=$(curl -s -k -u "$USERNAME:$PASSWORD" "https://$CLUSTER_IP:9200/.commands/_search") +# Check if the request was successful +# shellcheck disable=SC2181 +if [ $? -ne 0 ]; then + echo "Error: Failed to search for the command." + exit 1 +fi + +# Check if the command is found in the search results +if echo "$SEARCH_RESPONSE" | grep -q "\"$USR\"" && echo "$SEARCH_RESPONSE" | grep -q "\"$TRG_ID\""; then + echo "Validation successful: The command was created and found in the search results." +else + echo "Error: The command was not found in the search results." + exit 1 +fi diff --git a/test-tools/scripts/08_uninstall_indexer.sh b/test-tools/scripts/08_uninstall_indexer.sh new file mode 100644 index 0000000000000..094c7ca8781b1 --- /dev/null +++ b/test-tools/scripts/08_uninstall_indexer.sh 
@@ -0,0 +1,75 @@ +#!/bin/bash + +# SPDX-License-Identifier: Apache-2.0 +# The OpenSearch Contributors require contributions made to +# this file be licensed under the Apache-2.0 license or a +# compatible open source license. + +# Function to display usage help +usage() { + echo "Usage: $0 [-h]" + echo + echo "This script uninstalls Wazuh Indexer and validates its removal." + echo + echo "Options:" + echo " -h, --help Show this help message and exit." + echo + exit 1 +} + +# Check for help flag +if [[ "$1" == "-h" || "$1" == "--help" ]]; then + usage +fi + +# Detect package manager +if command -v apt-get &> /dev/null; then + PKG_MANAGER="apt-get" +elif command -v yum &> /dev/null; then + PKG_MANAGER="yum" +else + echo "Unsupported package manager. Please use a system with apt-get or yum." + exit 1 +fi + +# Uninstall Wazuh Indexer +echo "Uninstalling Wazuh Indexer..." +sudo systemctl stop wazuh-indexer > /dev/null 2>&1 +sudo systemctl disable wazuh-indexer > /dev/null 2>&1 + +if [ "$PKG_MANAGER" == "apt-get" ]; then + sudo apt-get remove --purge wazuh-indexer -y > /dev/null 2>&1 +elif [ "$PKG_MANAGER" == "yum" ]; then + sudo yum remove wazuh-indexer -y > /dev/null 2>&1 +fi +rm -rf /etc/wazuh-indexer + +# Validate removal +echo "Validating Wazuh Indexer removal..." + +# Check for remaining files and directories +if [ "$PKG_MANAGER" == "apt-get" ]; then + if dpkg -l | grep wazuh-indexer > /dev/null 2>&1; then + echo "Error: Wazuh Indexer packages still present." + exit 1 + else + echo "Wazuh Indexer packages removed." + fi +elif [ "$PKG_MANAGER" == "yum" ]; then + if rpm -qa | grep wazuh-indexer > /dev/null 2>&1; then + echo "Error: Wazuh Indexer packages still present." + exit 1 + else + echo "Wazuh Indexer packages removed." + fi +fi + +# Check for remaining services +if systemctl list-units --full -all | grep wazuh-indexer.service > /dev/null 2>&1; then + echo "Error: Wazuh Indexer service still present." + exit 1 +else + echo "Wazuh Indexer service removed." 
+fi + +echo "Wazuh Indexer uninstallation and validation completed successfully." diff --git a/test-tools/scripts/README.md b/test-tools/scripts/README.md new file mode 100644 index 0000000000000..06d84a44f50d5 --- /dev/null +++ b/test-tools/scripts/README.md 
@@ -0,0 +1,79 @@ +# Test utils scripts + +This is a collection of scripts aimed to facilitate the validation of the wazuh-indexer packages generated on the GitHub Action Workflow. + +Even if these scripts can be executed in almost any Linux environment, we expect it to be used alongside the +Vagrant environment defined in the `test-tools`, using the scripts inside the VMs to facilitate the validation steps. + +### GitHub token requirements + +Create a personal access token for GitHub with at least `read:packages` permissions. + +## Validation flow + +The scripts can be used to prepare and validate a single node or multi-node cluster, as required. + +### All-at-once + +#### Single node + +Use the `00_run.sh` utility to execute all the scripts automatically +```bash +sudo bash 00_run.sh +``` + +#### Multi node cluster + +> This section assumes you are using the `node-1` and `node-2` Vagrant VMs + +1. On the `node-2` VM install and prepare the `wazuh-indexer` component + ```bash + GITHUB_TOKEN= bash 01_download_and_install_package.sh -id -n + ``` + ```bash + sudo bash 02_apply_certificates.sh -p ../wazuh-certificates.tar -n node-2 -nip 192.168.56.11 -s node-1 -sip 192.168.56.10 + ``` + ```bash + sudo bash 03_manage_indexer_service.sh -a start + ``` +2. On the `node-1` VM execute the _all-at-once_ utility + ```bash + sudo bash 00_run.sh + ``` + +### Manual execution + +If you prefer, you can run each script individually. + +1. Download and install the `wazuh-indexer` package _(mandatory on each node)_ + ```bash + GITHUB_TOKEN= bash 01_download_and_install_package.sh -id -n + ``` +2. Configure and start the service _(mandatory on each node)_ + ```bash + sudo bash 02_apply_certificates.sh -p -n -nip + ``` + ```bash + sudo bash 03_manage_indexer_service.sh -a start + ``` + > With this script you can also `restart` and `stop` the service +3. Initialize the cluster + ```bash + sudo bash 04_initialize_cluster.sh + ``` +4. 
Check all the plugins are installed + ```bash + bash 05_validate_installed_plugins.sh -n + ``` +5. Check the setup plugin configured the index-patterns correctly + ```bash + bash 06_validate_setup.sh + ``` +6. Check the command manager plugin works correctly + ```bash + bash 07_validate_command_manager.sh + ``` +7. Uninstall Wazuh indexer + ```bash + sudo bash 08_uninstall_indexer.sh + ```
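Review bot: in `04_initialize_cluster.sh`, the `if [ $? -ne 0 ]` after `NODES_RESPONSE=$(curl -s -k ...)` only catches transport failures; `curl -s` without `--fail` exits 0 on an HTTP 401 or 503, so a wrong password or an unhealthy cluster prints the error body under "Nodes:" and still reports "Initialization completed successfully." The same applies to the `jq -r '.name'` block above it, where a non-JSON error body yields `null` for every field instead of a failure. Suggest `curl -sf -k ...` (or `-w '%{http_code}'` and a status check) in both places. Also worth a comment that `-k` disables certificate verification and `-u "$USER:$PASSWORD"` puts the password on the command line where it is visible in the process list; acceptable for the disposable Vagrant VMs, not for reuse against a real cluster.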
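Review bot: in `05_validate_installed_plugins.sh`, `RESPONSE=$(curl ... | grep "$NODE")` followed by `if [ $? -ne 0 ]` tests the exit status of `grep`, not `curl` (no `set -o pipefail`), so a node name that is absent from `_cat/plugins` is reported as "Failed to connect to Wazuh indexer." and aborts the run, while an actual connection failure produces the same message. Fetch `_cat/plugins` once before the loop, check curl's status there, then filter per node with `grep -- "^$NODE "` inside the loop; the anchored match also stops `node-1` from matching `node-10`, and it removes one HTTP request per node. Separately, `[ -z "$CLUSTER_IP" ] || [ -z "$USER" ] || [ -z "$PASSWORD" ]` can never be true because all three variables have defaults; only the `${#NODES[@]} -eq 0` test does anything.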
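Review bot: in `06_validate_setup.sh`, `grep -q "$INDEX_PATTERN"` applies the template's index pattern as a basic regular expression rather than a glob: `*` means "zero or more of the preceding character" and `.` matches any character, so `wazuh-alerts*` matches a line containing `wazuh-alert`, and a protected pattern such as `.commands*` matches anything containing `command`. Iterate the index names instead (column 3 of `_cat/indices?v`) and test them with bash pattern matching, `[[ $index == $INDEX_PATTERN ]]` with the pattern unquoted, which is the glob semantics the index pattern actually has. Two smaller points: the first `if [ $? -ne 0 ]` after `TEMPLATES_RESPONSE=` lacks the `# shellcheck disable=SC2181` comment the other two have, and if any template declares more than one index pattern, `awk '{print $2}'` will only capture the first element of the bracketed list, after which `tr -d '[]'` leaves a trailing comma and the "does not end with '*'" check fails for a valid template.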
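Review bot: in `07_validate_command_manager.sh`, `if ! curl -s -k ... -X POST ... > /dev/null 2>&1` fails only on transport errors; without `--fail` a 400 or 401 from the command manager still prints "Command created successfully." Use `-sf`, or `-o /dev/null -w '%{http_code}'` and test the status explicitly. The `POST _forcemerge`, `sleep 2` and `sleep 5` sequence is a timing guess (the comment says as much) and will be flaky on a slow VM; a bounded loop polling `.commands/_search` until the document appears is faster and deterministic. Finally, `grep -q "\"$USR\""` over an unfiltered `_search` relies on the test command being inside the default page of hits, so once `.commands` holds more documents the check can fail on a healthy plugin. Query for it, e.g. `.commands/_search?q=user:$USR`, and assert on `hits.total.value` with `jq`, which is already a declared dependency.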
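Review bot: in `08_uninstall_indexer.sh`, `rm -rf /etc/wazuh-indexer` runs without `sudo` while every other privileged command uses it, so for a non-root user it fails (stderr only) and the "Validating" section never notices because it checks packages and the unit, not the directory. Prefix it with `sudo` and add `[ ! -d /etc/wazuh-indexer ]` to the validation so the config directory is actually asserted gone. Also, `sudo systemctl stop/disable ... > /dev/null 2>&1` discards any failure; at minimum surface the exit status so a stop that did not happen is not silently followed by package removal.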
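Review bot: the README does not mention that scripts 04 to 07 authenticate with the default `admin`/`admin` credentials and pass `-k` to curl (no certificate verification), nor that each accepts `-ip`, `-u` and `-p` to override the target and credentials. Add a short note under "Manual execution" so a reader who changed the admin password knows to pass `-u`/`-p`, and so it is explicit that these utilities are meant for the disposable Vagrant environment. Wording: "aimed to facilitate" reads better as "aimed at facilitating", "we expect it to be used" should be "we expect them to be used" (the scripts), and the sentence "Use the `00_run.sh` utility to execute all the scripts automatically" is missing its full stop.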